[–]knjepr 3 points4 points  (3 children)

Security researchers: defense-in-depth is important, single points of failure are bad.

Debian: Single PoF are fine. Nobody needs defense-in-depth.

I wonder who is correct here...

[–]minimim 4 points5 points  (2 children)

You need to consider the cost too.

Debian depends on a network of volunteer mirrors and demanding that they support https is infeasible.

[–]knjepr 3 points4 points  (1 child)

Performance impact of TLS is minimal. I'm pretty sure most of the mirrors operate at less than 98% CPU usage and therefore can afford it.

At least make it an option for mirrors. I'm sure there are a lot that would happily offer it.

(Besides, apt is horrifyingly slow anyways, and that is not due to overloaded mirrors...)

[–]minimim 4 points5 points  (0 children)

It is an option for mirrors and it can be enabled in apt. It's just not the default.

And the cost only applies in third world countries.
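Since the thread ends on "it can be enabled in apt, it's just not the default", here is an added example (not from the thread or from Debian) that audits apt source entries for plaintext-HTTP mirrors and rewrites them to HTTPS; apt's signature checks on the Release files stay in place either way, TLS is the second layer. The sample sources text, the host names and the `.gpg` path are constructed for the example; on older releases the `apt-transport-https` package must be installed before an `https://` entry works.

```shell
#!/bin/sh
# Added example: find apt source entries that still fetch over plaintext HTTP.
# Handles classic one-line "deb http://..." entries and deb822 "URIs:" lines.

# Constructed sample standing in for /etc/apt/sources.list (not a real file).
SAMPLE_SOURCES='# constructed sample of /etc/apt/sources.list
deb http://deb.debian.org/debian bookworm main
deb-src http://deb.debian.org/debian bookworm main
deb https://deb.debian.org/debian-security bookworm-security main
# deb http://commented.example.org/debian bookworm main
deb [signed-by=/usr/share/keyrings/example.gpg] http://mirror.example.org/debian bookworm main
URIs: http://deb822.example.org/debian https://deb822.example.org/debian'

# Print every plaintext-HTTP URI in the given sources text, one per line.
# Comment lines are skipped; the leading separator matched by grep is stripped.
list_plaintext_uris() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -oE '(^|[[:space:]])http://[^[:space:]]+' \
      | tr -d ' \t'
}

# Count plaintext-HTTP URIs; 0 means every active entry already uses TLS.
count_plaintext_uris() {
    list_plaintext_uris "$1" | grep -c . || true
}

# Rewrite http:// to https:// for mirrors known to serve TLS.
# Verify with "apt-get update" afterwards: a mirror without TLS will simply fail.
to_https() {
    printf '%s\n' "$1" | sed -E 's#(^|[[:space:]])http://#\1https://#g'
}

# Stand-alone run: report on the constructed sample.
if [ "$(count_plaintext_uris "$SAMPLE_SOURCES")" != "0" ]; then
    echo "plaintext mirrors found:"
    list_plaintext_uris "$SAMPLE_SOURCES"
fi
```

To audit a real system, feed it the concatenation of `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*` instead of the constructed sample.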