Debian HTTPS mirrors
Drew Van Zandt
drew.vanzandt at gmail.com
Wed Dec 24 12:01:43 EST 2008
If it's absolutely necessary for some reason that you verify stuff at the
last step, run your own private mirror that does a normal download, then
verifies before it will serve to your clients.
--DTVZ
On Wed, Dec 24, 2008 at 11:57 AM, Ben Scott <dragonhawk at gmail.com> wrote:
> On Wed, Dec 24, 2008 at 11:41 AM, Thomas Charron <twaffle at gmail.com>
> wrote:
> > No luck finding any searching, anyone know if there are any Debian
> > mirror sites which can serve over https?
>
> Given the computational expense involved in encrypting such a large
> payload, I would expect such to be rare and short-lived. It's
> generally seen as more efficient to verify at the end-point, rather
> than trying to keep the entire distribution chain secure. My
> understanding is that Debian packages include GPG signatures and MD5
> checksums, which APT checks. May I ask why that is not sufficient to
> verify integrity and authenticity?
>
> -- Ben
>
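The verify-before-serve mirror suggested in this thread, sketched as an added example that is not part of the original messages. It assumes the Packages index has already been authenticated through the GPG-signed Release file (for instance with gpgv), checks the index's Size and SHA256 fields rather than the MD5 sums mentioned above, and uses hypothetical function names and a hypothetical staging/serve directory layout.

```python
import hashlib, os, shutil, tempfile

def parse_packages(text):
    """Parse a Debian Packages index into {Filename: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation lines (long descriptions) are not needed here
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def promote_verified(index, staging, serve):
    """Copy a file from staging to serve only if its size and SHA256 match the index."""
    served, rejected = [], []
    for rel, meta in sorted(index.items()):
        src, dst = os.path.join(staging, rel), os.path.join(serve, rel)
        safe = not os.path.isabs(rel) and ".." not in rel.split("/")  # stay inside the tree
        ok = safe and os.path.isfile(src) and meta.get("Size", "").isdigit()
        if ok:
            with open(src, "rb") as f:
                data = f.read()
            ok = (len(data) == int(meta["Size"])
                  and hashlib.sha256(data).hexdigest() == meta.get("SHA256", "").lower())
        if ok:
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)
        (served if ok else rejected).append(rel)
    return served, rejected

def demo():
    """Constructed sample: package a is intact, package b was altered after indexing."""
    good, bad = b"constructed package A", b"constructed package B"
    packages = "".join(
        f"Package: {n}\nFilename: pool/{n}.deb\nSize: {len(d)}\n"
        f"SHA256: {hashlib.sha256(d).hexdigest()}\n\n"
        for n, d in (("a", good), ("b", bad)))
    with tempfile.TemporaryDirectory() as tmp:
        staging, serve = os.path.join(tmp, "staging"), os.path.join(tmp, "serve")
        os.makedirs(os.path.join(staging, "pool"))
        for name, data in (("a", good), ("b", bad[:-1] + b"X")):  # b keeps its size
            with open(os.path.join(staging, "pool", name + ".deb"), "wb") as f:
                f.write(data)
        return promote_verified(parse_packages(packages), staging, serve) + (
            sorted(os.listdir(os.path.join(serve, "pool"))),)
```

Clients pointed at the serve directory only ever see files that matched the authenticated index; anything missing, resized or altered stays in staging.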