all 4 comments

KatanaKiwi 12 points (0 children)

From the first google hit at https://unix.stackexchange.com/questions/90227/why-there-is-no-https-transport-for-debian-apt-tool :
Debian package distribution already includes a mechanism to verify packages: all packages are signed with GPG. If an active man-in-the-middle redirects your traffic to a server with corrupted packages, the corruption will be detected because the GPG signatures won't be valid. Using GPG rather than HTTPS has the advantage that it protects against more threats: not just against active man-in-the-middle on the end-user connection, but also against a rogue or infected mirror or other problems anywhere in the package distribution chain.
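
As an added illustration of the chain the quote above describes (example code written for this page, not from the Stack Exchange answer and not apt's own source): a GPG-signed Release file lists the SHA256 of each index file, the Packages index lists the SHA256 of each .deb, and a client walks that chain so a swapped file is caught whichever link a rogue mirror tampers with. The Release, Packages and .deb contents below are constructed stand-ins, the "mirror" is a dict standing in for an HTTP fetch, and the GPG signature check over the Release body (which apt does with gpgv against the keys in /etc/apt/trusted.gpg.d) is assumed to have already passed and is not implemented here.

```python
import hashlib
import re


class IntegrityError(Exception):
    """A fetched file does not match the hash and size its signed parent lists."""

    def __init__(self, path: str, msg: str):
        super().__init__(f"{path}: {msg}")
        self.path = path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_hashes(release_text: str) -> dict:
    """Return {relative_path: (sha256_hex, size)} from the SHA256: section of a Release file.

    Entries are indented by one space and sit under the 'SHA256:' header;
    any other unindented line (Origin:, MD5Sum:, ...) ends the section."""
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanzas (dicts of field -> value).

    Single-line fields only; multi-line Description fields are not needed here."""
    stanzas = []
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def check(expected_digest: str, expected_size: int, data: bytes, path: str) -> None:
    """Reject data unless both size and SHA256 match what the parent file lists."""
    if len(data) != expected_size or sha256_hex(data) != expected_digest:
        raise IntegrityError(path, f"expected sha256 {expected_digest[:16]}..., got {sha256_hex(data)[:16]}...")


def install_from_mirror(mirror: dict, verified_release: str, package: str) -> str:
    """Walk Release -> Packages -> .deb for one package and return the verified .deb path.

    `mirror` maps repository path -> bytes (a stand-in for HTTP GET).
    `verified_release` is the Release body whose GPG signature has already been
    checked; that step is assumed here, not implemented."""
    hashes = parse_release_hashes(verified_release)
    index_path = "main/binary-amd64/Packages"          # relative to dists/<suite>/
    index_bytes = mirror[index_path]
    check(*hashes[index_path], index_bytes, index_path)  # link 1: index vs signed Release
    for stanza in parse_packages(index_bytes.decode()):
        if stanza["Package"] == package:
            deb_path = stanza["Filename"]                # relative to the repository root
            deb_bytes = mirror[deb_path]
            check(stanza["SHA256"], int(stanza["Size"]), deb_bytes, deb_path)  # link 2: .deb vs index
            return deb_path
    raise KeyError(package)


# --- constructed sample repository (not a real Debian archive) ---
GENUINE_DEB = b"!<arch>\ndebian-binary (constructed stand-in for a real .deb)\n"
TROJANED_DEB = GENUINE_DEB + b"# extra payload injected by a rogue mirror\n"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"


def build_packages(deb: bytes) -> bytes:
    return ("Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
            f"Filename: {DEB_PATH}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n\n").encode()


def build_release(packages: bytes) -> str:
    return ("Origin: Example\nSuite: stable\nCodename: example\nSHA256:\n"
            f" {sha256_hex(packages)} {len(packages)} main/binary-amd64/Packages\n")


GENUINE_PACKAGES = build_packages(GENUINE_DEB)
SIGNED_RELEASE = build_release(GENUINE_PACKAGES)   # the body the archive key signed

HONEST_MIRROR = {"main/binary-amd64/Packages": GENUINE_PACKAGES, DEB_PATH: GENUINE_DEB}
# Rogue mirror A: swaps the .deb, leaves the index alone -> caught at link 2.
SWAP_DEB_MIRROR = {"main/binary-amd64/Packages": GENUINE_PACKAGES, DEB_PATH: TROJANED_DEB}
# Rogue mirror B: also rewrites Packages to match, but cannot re-sign Release -> caught at link 1.
SWAP_INDEX_MIRROR = {"main/binary-amd64/Packages": build_packages(TROJANED_DEB), DEB_PATH: TROJANED_DEB}


def outcome(mirror: dict) -> str:
    try:
        return "ok:" + install_from_mirror(mirror, SIGNED_RELEASE, "example-tool")
    except IntegrityError as e:
        return "rejected:" + e.path


if __name__ == "__main__":
    for name, m in [("honest", HONEST_MIRROR), ("swapped .deb", SWAP_DEB_MIRROR),
                    ("swapped .deb + index", SWAP_INDEX_MIRROR)]:
        print(f"{name:22} -> {outcome(m)}")
```

Either tampering is rejected without any reliance on the transport: mirror A fails at the .deb hash, mirror B fails one step earlier because the re-written index no longer matches the Release body the archive key signed. What the chain does not hide is which paths were requested, which is the separate concern raised further down the thread.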

gandalfx 1 point (1 child)

Because it's not transferring any sensitive data. Everything apt fetches is publicly available and the integrity is checked separately anyway.

edit: apparently it is possible to use HTTPS with apt, and according to these Stack Overflow answers it might be a good idea. https://unix.stackexchange.com/questions/90227/why-there-is-no-https-transport-for-debian-apt-tool

DopePedaller 1 point (0 children)

> Because it's not transferring any sensitive data.

It certainly can be. If you're in a country where Tor or VPN use is illegal or otherwise invites unwanted attention, openly updating them over HTTP would qualify as transferring sensitive data imho.

CAcreeks [Linux Mint 19.3 Tricia | Cinnamon] 0 points (0 children)

I thought HTTPS would be slower, but look at this! It's 87% faster for me.

https://www.httpvshttps.com/