You can't even download Ubuntu off Ubuntu.com via SSL. Only HTTP.
On 02/19/2013 01:06 AM, adrelanos wrote:
Leo Unglaub:
Hey,
On 2013-02-18 18:33, adrelanos wrote:
Right, for such users it wouldn't work anyway, because downloading Tor Browser Launcher from the repository is unencrypted (but signed) anyway.
That's not 100% correct. You can use transport encryption (HTTPS) for the repository servers. You simply need to change your sources.list to use https.
Just checked again. Even if apt-transport-https is installed.
# working
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb http://ftp.us.debian.org/debian wheezy main contrib non-free
# not working
deb https://security.debian.org/ wheezy/updates main contrib non-free
deb https://ftp.us.debian.org/debian wheezy main contrib non-free
After the package managers have adapted to the TUF threat model, motivation is low for providing https mirrors. According to the older TUF papers, only commercial Linux distributions have SSL repositories. With known file sizes, the motivation could be running your own repository with proprietary software or distributing test/unsigned packages for testing on your distant test servers or such use cases. Debian / Ubuntu folks don't seem to be interested in https mirrors.