* Paul Wise <p...@debian.org> [2018-03-26 15:52:45 CEST]:
> On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> > * Martin Monperrus:
> >> Would it make sense to keep track of valid https support for the
> >> secondary mirrors?
> >
> > Actually the issue still holds: The mirror team needs to repoint
> > mirrors to other servers at times and thus the certificate there
> > wouldn't include those redirected mirrors.
>
> The mirror team don't control the DNS for secondary mirrors. The
> individual mirror admins could be doing that, but it seems unlikely to
> me.
Right, but DNS for the primary ones, and pointing them towards a server
that isn't under their control would mean that they'd have to carry a
*.debian.org wildcard certificate. Which won't happen for non-DSA
operated infrastructure.

> > I am aware that there is a privacy concern involved, like what packages
> > get downloaded, but apart from that that's the only knowledge to gain
> > from unencrypted http traffic.
>
> https doesn't provide protection against correlation of download size
> to packages downloaded, so it doesn't have much advantage over http
> for package download privacy.

Ah, right, forgot about that point. So even that point is moot. Thanks
for pointing that out. :)

Enjoy,
Rhonda
-- 
If you feel discouraged, finally take courage, go | If you feel helpless, go out and help, go | Wir sind Helden
If you feel powerless, go out and act, go         | 23.55: Alles auf Anfang
If you feel unmoored, find something to hold and let go |
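The size-correlation point Paul makes above is easy to demonstrate. The following is an added example, written for this page; it is not code from the thread or from Debian's mirror or apt tooling. It parses a small, constructed excerpt of a Debian Packages index (real stanza format, made-up sizes), models what an on-path observer sees for one HTTPS response under assumptions stated in the code (about 300 bytes of HTTP response headers, TLS 1.3 with AES-GCM, 22 bytes of record overhead per 16 KiB record, only server-to-client bytes counted), and then maps observed flow sizes back to candidate packages. The HEADER_BYTES, slack and flow values are assumptions chosen for illustration, not measurements.

```python
"""Size-correlation fingerprinting of HTTPS package downloads.

Added example, not from the mailing-list thread or from Debian's tooling.
TLS hides the requested path, but an on-path observer still sees how many
bytes each response carried, and a Packages index lists the exact Size of
every .deb, so the two can be correlated.

Assumptions (not from the page):
  * HTTP response headers are about HEADER_BYTES of plaintext before the body.
  * TLS 1.3 with AES-GCM: each record carries up to 16 KiB of plaintext plus
    5 bytes of record header, 1 byte of inner content type and a 16-byte tag.
  * The observer measures only server->client application-data bytes.
"""

from typing import Dict, List

HEADER_BYTES = 300          # assumed size of the HTTP/1.1 response headers
TLS_MAX_PLAINTEXT = 16384   # RFC 8446: maximum plaintext per record
TLS_RECORD_OVERHEAD = 22    # 5 (header) + 1 (content type) + 16 (GCM tag)

# Constructed Packages-index excerpt in Debian's stanza format (sizes made up).
PACKAGES_INDEX = """\
Package: libfoo1
Version: 1.2.3-1
Architecture: amd64
Filename: pool/main/libf/libfoo/libfoo1_1.2.3-1_amd64.deb
Size: 184320

Package: bar-tools
Version: 0.9-2
Architecture: amd64
Filename: pool/main/b/bar-tools/bar-tools_0.9-2_amd64.deb
Size: 184330

Package: baz
Version: 4.0-1
Architecture: amd64
Filename: pool/main/b/baz/baz_4.0-1_amd64.deb
Size: 2097152
"""


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Parse a Packages file into one dict per blank-line-separated stanza."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def tls_wire_bytes(body_size: int, header_bytes: int = HEADER_BYTES) -> int:
    """Bytes an observer sees on the wire for one HTTPS response of body_size.

    Plaintext = headers + body, split into records of at most 16 KiB, each
    record adding the fixed record/AEAD overhead (assumed model, see above).
    """
    plaintext = header_bytes + body_size
    records = -(-plaintext // TLS_MAX_PLAINTEXT)  # ceiling division
    return plaintext + records * TLS_RECORD_OVERHEAD


def identify(observed_bytes: int, index: List[Dict[str, str]],
             slack: int = 64) -> List[str]:
    """Return package names whose expected wire size is within `slack` bytes.

    `slack` absorbs uncertainty in header length and record splitting: wider
    means more collisions, narrower means more misses.
    """
    hits = []
    for pkg in index:
        expected = tls_wire_bytes(int(pkg["Size"]))
        if abs(expected - observed_bytes) <= slack:
            hits.append(pkg["Package"])
    return hits


def classify_flows(flows: Dict[str, int], index: List[Dict[str, str]],
                   slack: int = 64) -> Dict[str, List[str]]:
    """Map each observed flow id to the candidate packages it could be."""
    return {fid: identify(nbytes, index, slack) for fid, nbytes in flows.items()}


if __name__ == "__main__":
    index = parse_packages(PACKAGES_INDEX)
    # Constructed observations: server->client byte counts of three TLS flows.
    flows = {
        "flow-1": tls_wire_bytes(2097152),     # matches baz uniquely
        "flow-2": tls_wire_bytes(184320) + 7,  # libfoo1 or bar-tools: 10 B apart
        "flow-3": tls_wire_bytes(50000),       # nothing of that size in the index
    }
    for fid, cands in classify_flows(flows, index).items():
        print(fid, "->", cands or "no match")
```

Two things worth noting from running it: a package whose size is unusual is identified from a single byte count, while libfoo1 and bar-tools, ten bytes apart, fall inside the same tolerance window and stay ambiguous. The mirror hostname is visible to the observer anyway (TLS SNI), so the only thing left for HTTPS to hide is which file was fetched, and this is exactly what the size leaks; padding or batching responses would be needed to change that, which plain HTTPS mirrors do not do.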