Dear APT maintainers, while discussing the package contents of Debian cloud instances, the question arose if it would make sense to install apt-https-transport on most Debian systems, by setting its priority to "Important".
What do you think about this ? I pasted below a summary of the discussion that happened on the debian-cloud mailing list. If there are inacccuracies or if you know other pros or cons, I would be very glad to hear them in any case. Have a nice day, Charles > In brief: > > For a Debian system to use encrypted transport when downloading packages from > an APT mirror that has been appropriately set up, the packages > apt-transport-https and its dependancies must be installed. Would it be a > good > service for our users to install this by default by setting this package's > priority to "Important" ? > > The question can be rephrased as "are the gains high enough compared to the > costs ?" > > Here are the gains: > > - Using HTTPS partially hides information about what a user installs on his > machine. > > - Having HTTPS support by default means that users can switch directly to > HTTPS > anytime they wish: the system is ready, there is nothing to learn (which > package > to install) or to do (get the packages with either APT over HTTP or with > other tools and then install them with dpkg). Note that the use of plain > HTTP > may be mandatory in some environments. > > - We send a message to our users and the world, that we give a high > importance to > the defense of people's privacy. > > Here are limitations to these gains. > > - APT over HTTPS does not fully protect from surveillance, because by > analysing metadata such as the size of the transfers, one may deduce which > packages are being downloaded. Thus, it has been proposed that APT > over HTTPS is not good enough and that APT over TOR should be proposed > instead. > > - Most mirrors are not providing HTTPS yet, thus it is prematurate to enable > HTTPS support by default. (By the way, will the content delivery network > debs.debian.org provide HTTPS support ?) > > - Opinions may widely differ on the impact and appropriateness of driving > technical > choices (installing packages that most people will not use in the short > term) > with political views (defense of privacy). > > And here are the costs. > > - On a system freshly created with debootstrap, installing > apt-transport-https > eats roughly 10 Mo of space. > > - The following other packages are installed: ca-certificates krb5-locales > libcurl3-gnutls > libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0 > libldap-2.4-2 libnghttp2-14 > librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl. > This increases the system's complexity. > > Limitations to these costs: > > - Systems where disk space is crucial are or can be constructed by starting > from the > smaller subset of "Required" packages (supported in debootstrap by the > "minbase" option). > > - Systems where disk space costs (like cloud images) are not necessarly > billed at a > granularity where 10 Mo matters. For instance on the Amazon cloud, users > are billed > per Gigabyte, therefore installing apt-transport-https by default would > only cost in case it would cause images sizes to increase to the next > gigabyte. -- Charles Plessy Tsurumi, Kanagawa, Japan
