duufuvkfmc 14 hours ago
Debian's apt does not use SSL as far as I know, and I am not aware of any serious security disaster. Their packages are signed and the content is not considered confidential.
crote 13 hours ago
If I'm not mistaken, apt repositories have very similar failure modes, just using PGP certs instead of SSL certs. The repository signing key can still expire or get revoked, and you'll have an even harder time getting every client to install a new one...
tuetuopay 13 hours ago
Debian 13 uses https://deb.debian.org by default. Even the upgrade docs from 12 to 13 mention the https variant. They were quite hostile for a while to https, but now it seems they bit the bullet.
gmuslera 12 hours ago
Debian has multiple mirrors, and some distributions even encourage running local mirrors; the model is different. As you say, the packages are signed, so you know who made them, wherever you got them from. As I said above, SSL is about more than encryption: it is also about knowing that you are connecting to the right party. Maybe for a repository with multiple mirrors and DNS aliases, a layer of "knowing whom this comes from" is not that essential, but for most of the rest, even if the information is public, knowing that it comes from the authoritative source, or really from whom you think it comes from, is important.
direwolf20 14 hours ago
The selection of packages installed on a server should be treated as confidential, but you could probably infer it from file sizes.
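The size side channel mentioned in the last comment, as an added example that is not part of the thread: an apt `Packages` index publishes a `Size:` field for every `.deb`, so an observer who sees only the byte counts of a client's transfers (for example, TLS record lengths on an HTTPS mirror) can match them back to package names. The index fragment, package names and sizes below are constructed for illustration, as is the list of "observed" transfer sizes; the `tolerance` parameter is a hypothetical knob for absorbing header and framing overhead.

```python
"""
Added example (not from the thread): map observed transfer sizes to Debian
packages using the Size: field of an apt Packages index.
"""

# Constructed fragment of an apt "Packages" index in Debian control format
# (stanzas separated by blank lines). Names, versions and sizes are made up;
# two packages deliberately share a size to show the ambiguous case.
PACKAGES_INDEX = """\
Package: nginx-core
Version: 1.26.0-1
Size: 552180
Filename: pool/main/n/nginx/nginx-core_1.26.0-1_amd64.deb

Package: openssh-server
Version: 1:9.8p1-1
Size: 481364
Filename: pool/main/o/openssh/openssh-server_9.8p1-1_amd64.deb

Package: libfoo1
Version: 1.0-1
Size: 481364
Filename: pool/main/libf/libfoo/libfoo1_1.0-1_amd64.deb

Package: postgresql-16
Version: 16.3-1
Size: 16993420
Filename: pool/main/p/postgresql-16/postgresql-16_16.3-1_amd64.deb
"""


def parse_packages_index(text):
    """Parse Debian control stanzas into a list of {field: value} dicts."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":
            # Continuation of a multi-line field (e.g. Description); not needed here.
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def infer_packages(observed_sizes, stanzas, tolerance=0):
    """Match each observed transfer size against the index.

    Returns (unique, ambiguous, unknown):
      unique    -> {observed_size: package} when exactly one package matches
      ambiguous -> {observed_size: [packages]} when several sizes collide
      unknown   -> [observed_size] when nothing in the index is close enough
    `tolerance` (hypothetical) allows for HTTP header / TLS framing overhead
    that makes the on-the-wire count slightly larger than the file size.
    """
    sizes = [(int(s["Size"]), s["Package"]) for s in stanzas if "Size" in s]
    unique, ambiguous, unknown = {}, {}, []
    for observed in observed_sizes:
        candidates = sorted(pkg for size, pkg in sizes
                            if abs(size - observed) <= tolerance)
        if len(candidates) == 1:
            unique[observed] = candidates[0]
        elif candidates:
            ambiguous[observed] = candidates
        else:
            unknown.append(observed)
    return unique, ambiguous, unknown


if __name__ == "__main__":
    # Constructed "observed" transfer sizes, as a passive observer might record them.
    observed = [552180, 481364, 16993420, 123]
    unique, ambiguous, unknown = infer_packages(observed, parse_packages_index(PACKAGES_INDEX))
    print("unique:   ", unique)
    print("ambiguous:", ambiguous)
    print("unknown:  ", unknown)
```

Signing protects integrity and HTTPS hides the request path, but neither changes the response length, so the collision case (`ambiguous`) is the only thing standing between the observer and an exact package list; large or unusually sized packages are effectively fingerprints.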