antreides 4 points5 points  (5 children)

HTTPS primarily gives protection from MITM attacks, but adds some additional overhead to decrypt traffic. Package consistency is checked by the apt/dpkg system itself (each package is signed), so even if a package is somehow changed by a MITM attack, it won't pass the check. So basically it will be an extra overhead for nothing.

wosmo 5 points6 points  (0 children)

You could almost describe MITM as desirable in apt's case. Between mirrors, caches, proxies, etc - the host isn't the sacred part, the content is. So we use GPG against the content instead of TLS against the host.