

Ask HN: Why doesn't Debian serve apt packages over https? - marlin

Debian has the package apt-transport-https which would enable https-downloads from apt repositories.
However, the Debian repositories are only accessible over http.

A privileged observer would easily know a lot of system detail by inspecting my communication with the Debian apt servers.

For example, a large-scale automatic penetration system would be able to automatically detect vulnerable systems while they are downloading the required updates, and attack them before the update has been installed.

Debian implements checksums and GPG signatures in order to verify file content sent in the clear, see https://wiki.debian.org/SecureApt

The same seems to apply to Ubuntu.
======
SamReidHughes
The sizes of packages would be leaked anyway and they're virtually unique
identifiers.
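An added example, not from the thread or from apt itself, that walks through the two points above: the SecureApt hash chain the question refers to (a signed Release file vouches for the Packages index by size and SHA256, and the index vouches for each .deb the same way, so a cleartext download is still tamper-evident), and the size fingerprint in the reply (the same index maps an observed transfer size back to a package name). All archive contents below are constructed for the example; the GPG signature check on the Release file is assumed to have already been done by gpgv and is not reimplemented here.

```python
"""SecureApt-style verification chain plus size fingerprinting (constructed sample data)."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample archive: made-up bytes standing in for real files ---
DEB_BLOB = b"!<arch>\n" + b"example-tool 1.2-3 payload " * 4      # pretend .deb
DEB_PATH = "pool/main/e/example-tool/example-tool_1.2-3_amd64.deb"
PACKAGES_PATH = "main/binary-amd64/Packages"

# A Packages index: one stanza per package, each carrying Size and SHA256 of its .deb.
PACKAGES_INDEX = (
    "Package: example-tool\nVersion: 1.2-3\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BLOB)}\nSHA256: {sha256_hex(DEB_BLOB)}\n\n"
    "Package: other-tool\nVersion: 0.9-1\nArchitecture: amd64\n"
    "Filename: pool/main/o/other-tool/other-tool_0.9-1_amd64.deb\nSize: 4096\n"
    f"SHA256: {'0' * 64}\n"
).encode()

# A Release file: lists every index with its size and SHA256. In a real archive this is
# the file the archive key signs (InRelease / Release.gpg); the signature step is assumed done.
RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: example\nSHA256:\n"
    f" {sha256_hex(PACKAGES_INDEX)} {len(PACKAGES_INDEX)} {PACKAGES_PATH}\n"
)


def parse_release_sha256(release_text: str) -> dict:
    """Return {index path: (sha256 hex, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # a new top-level field ends the section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_bytes: bytes) -> list:
    """Split a Packages index into stanzas, each a dict of field name to value."""
    stanzas = []
    for block in re.split(r"\n\s*\n", packages_bytes.decode().strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def blob_matches(blob: bytes, expected_sha256: str, expected_size: int) -> bool:
    """Both size and digest must match; the size alone proves nothing about content."""
    return len(blob) == expected_size and sha256_hex(blob) == expected_sha256


def verify_chain(release_text: str, packages_bytes: bytes, packages_path: str,
                 deb_bytes: bytes, deb_path: str) -> bool:
    """Signed Release -> Packages index -> .deb. Any break in the chain rejects the .deb."""
    release_entries = parse_release_sha256(release_text)
    if packages_path not in release_entries:
        return False                             # index not vouched for by the Release file
    if not blob_matches(packages_bytes, *release_entries[packages_path]):
        return False                             # index tampered with in transit
    for stanza in parse_packages(packages_bytes):
        if stanza.get("Filename") == deb_path:
            return blob_matches(deb_bytes, stanza["SHA256"], int(stanza["Size"]))
    return False                                 # .deb not listed in the verified index


def packages_with_size(packages_bytes: bytes, observed_size: int) -> list:
    """Size fingerprint: which packages in the index are exactly this many bytes?
    A passive observer of the transfer can run this lookup without reading the content."""
    return [s["Package"] for s in parse_packages(packages_bytes)
            if int(s["Size"]) == observed_size]


if __name__ == "__main__":
    print("genuine .deb accepted:", verify_chain(RELEASE, PACKAGES_INDEX, PACKAGES_PATH, DEB_BLOB, DEB_PATH))
    print("modified .deb accepted:", verify_chain(RELEASE, PACKAGES_INDEX, PACKAGES_PATH, DEB_BLOB + b"x", DEB_PATH))
    print("observer's guess for", len(DEB_BLOB), "bytes:", packages_with_size(PACKAGES_INDEX, len(DEB_BLOB)))
```

The hash chain is what lets the cleartext transport stay integrity-protected: a modified .deb or a modified index fails the check even though nothing was encrypted. The last function is the reply's point in code: the same index that makes verification possible is public, so a transfer's byte count alone usually names the package, and wrapping the transfer in TLS would hide the bytes but not their length.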

