On Sun 15 Aug 2021 at 20:40:36 +0200, Bruno Zuber wrote:
> It seems to be "http" by default (at least it's on my newly installed
> system). I've switched to https and everything still works.

Works for me too. But that wasn't what I was puzzled about.

> "https" prevents someone from tampering with the user's connection (e.g.
> man in the middle attack). However as the packages are signed anyway so
> https is "just" an additional level of security. But why not use it if
> it comes without additional "costs"?

Once it is said that all the packages are signed, everything has been
said. A man in the middle attack would alter the signing. If it doesn't,
packages from a regular archive would be at risk.

But the installer uses http for the lines it puts in sources.list.
Why are the Release Notes out of step? Are its authors more aware
of security?

Cheers,
Brian.