Hi Jaap,
On Tue, Apr 17, 2018 at 10:03:10AM +0200, Jaap Buurman wrote:
> Hello all,
>
> Today I discovered that pulling packages from the feeds is done over
> http by default instead of https. I understand it is always going to
> be a trade-off between space requirements and features/security.
>
Dear Sven,
I wasn't aware of signature checking and hence I agree with your and
Jo-Philipp's sentiment that this would be a bad idea. Please disregard
my suggestion. Thank you very much for teaching me about the signature
verification system.
Yours sincerely,
Jaap Buurman
On Tue, Apr 17, 2018
On Tuesday, 17 April 2018 10:03:10 CEST Jaap Buurman wrote:
> Hello all,
>
> Today I discovered that pulling packages from the feeds is done over
> http by default instead of https. I understand it is always going to
> be a trade-off between space requirements and features/security.
> However, p
Hello,
> Today I discovered that pulling packages from the feeds is done over
> http by default instead of https. I understand it is always going to
> be a trade-off between space requirements and features/security.
> However, pulling in packages over an unencrypted connection will
> allow for
Dear Alberto Bursi,
I did not know about signature verification. I agree that there are no
secrets to hide and hence signature verification should be sufficient
to avoid tampering. Thank you very much for your reassurance.
Yours sincerely,
Jaap Buurman
On Tue, Apr 17, 2018 at 10:13 AM, Alberto