On Sun 15 Aug 2021 at 20:24:54 +0100, Brian Potkin wrote:
> On Sun 15 Aug 2021 at 20:40:36 +0200, Bruno Zuber wrote:
>
> > It seems to be "http" by default (at least it's on my newly installed
> > system). I've switched to https and everything still works.
>
> Works for me too. But that wasn't what I was puzzled about.
>
> > "https" prevents someone from tampering with the user's connection (e.g.
> > man in the middle attack). However as the packages are signed anyway so
> > https is "just" an additional level of security. But why not use it if
> > it comes without additional "costs"?
>
> Once it is said that all the packages are signed, everything has
> been said. A man in the middle attack would alter the signing. If
> it doesn't, packages from a regular archive would be at risk. But
> the installer uses http for the lines it puts in sources.list.
>
> Why are the Release Notes out of step? Are its authors more aware
> of security?

doesn't -> does