Way to make assumptions, Trent. I can't control the fact that some repositories are SSL only. That's out of my control.
Choosing not to use software just because the authors believe in SSL-everywhere would be ridiculous. Even though I agree, it's not adding any actual security.
-Toby
Toby Corkindale <toby@dryft.net> writes:
> I know I can use acquire::http::proxy in apt.conf.d to set a proxy server,
> but this seems to make it used for both HTTPS and HTTP traffic -- however I
> only want to use it for HTTP traffic.
Probably not helpful, but:
Just don't use TLS for apt repos?
What's the threat model that you're trying to address by using
apt-transport-https?
apt's "is this package haxxed?" relies entirely on the Release file
being signed by a GPG key in apt-key's keyring (plus a chain of
md5/sha1/sha2-sums). So AFAICT the only gain from TLS is the ability to
conceal (from your ISP) which packages you've downloaded.
What am I missing?