Way to make assumptions, Trent. I can't control the fact that some repositories are SSL only. That's out of my control. Choosing not to use software just because the authors believe in SSL-everywhere would be ridiculous. Even though I agree, it's not adding any actual security. -Toby On Thu, 18 Jun 2015 at 11:36 Trent W. Buck <trentbuck@gmail.com> wrote:
Toby Corkindale <toby@dryft.net> writes:
I know I can use acquire::http::proxy in apt.conf.d to set a proxy server, but this seems to make it used for both HTTPS and HTTP traffic -- however I only want to use it for HTTP traffic.
Probably not helpful, but:
Just don't use TLS for apt repos?
What's the threat model that you're trying to address by using apt-transport-https ?
apt's "is this package haxxed?" relies entirely on the Release file being signed by a GPG key in apt-key's keyring (plus a chain of md5/sha1/sha2-sums). So AFAICT the only gain from TLS is the ability to conceal (from your ISP) which packages you've downloaded. What am I missing?