Debian HTTPS mirrors

Drew Van Zandt drew.vanzandt at gmail.com
Wed Dec 24 12:01:43 EST 2008


If it's absolutely necessary for some reason that you verify stuff at the
last step, run your own private mirror that does a normal download, then
verifies before it will serve to your clients.

--DTVZ

On Wed, Dec 24, 2008 at 11:57 AM, Ben Scott <dragonhawk at gmail.com> wrote:

> On Wed, Dec 24, 2008 at 11:41 AM, Thomas Charron <twaffle at gmail.com>
> wrote:
> >  No luck finding any searching, anyone know if there are any Debian
> > mirror sites which can serve over https?
>
>  Given the computational expense involved in encrypting such a large
> payload, I would expect such to be rare and short-lived.  It's
> generally seen as more efficient to verify at the end-point, rather
> than trying to keep the entire distribution chain secure.  My
> understanding is that Debian packages include GPG signatures and MD5
> checksums, which APT checks.  May I ask why that is not sufficient to
> verify integrity and authenticity?
>
> -- Ben
>
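The verify-before-serve private mirror suggested in the top message could gate publication as sketched below. This is an added example, not code from the thread. It assumes the Release file's signature was already checked (for instance with gpgv), that the staging directory holds one suite's index files, and that the SHA256 field is used rather than MD5; the function names and directory layout are hypothetical.

```python
import hashlib, os, tempfile

def parse_release_sha256(text):
    """Map relative path -> (sha256 hex, size) from a Release file's SHA256 field."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):              # unindented line opens a new field
            in_field = line.strip() == "SHA256:"
        elif in_field and line.strip():
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def verify_staging(staging_dir, release_text):
    """Return problems found; an empty list means every staged file is vouched for."""
    entries, problems = parse_release_sha256(release_text), []
    if not entries:
        return ["Release has no SHA256 entries"]
    for root, _dirs, files in os.walk(staging_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, staging_dir).replace(os.sep, "/")
            if rel in ("Release", "Release.gpg", "InRelease"):  # signature checked elsewhere
                continue
            if rel not in entries:                # never serve a file the index does not list
                problems.append(f"unlisted: {rel}")
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            digest, size = entries[rel]
            if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
                problems.append(f"mismatch: {rel}")
    return sorted(problems)

def publish_if_verified(staging_dir, public_dir, release_text):
    """Rename staging into the served path only when verification passes."""
    problems = verify_staging(staging_dir, release_text)
    if not problems:
        os.rename(staging_dir, public_dir)        # same filesystem: no partial tree is served
    return problems

if __name__ == "__main__":                        # constructed sample data
    stage = os.path.join(tempfile.mkdtemp(), "incoming")
    os.makedirs(os.path.join(stage, "main"))
    body = b"Package: hello\n"
    with open(os.path.join(stage, "main", "Packages"), "wb") as fh:
        fh.write(body)
    release = f"Suite: stable\nSHA256:\n {hashlib.sha256(body).hexdigest()} {len(body)} main/Packages\n"
    print(publish_if_verified(stage, stage + ".public", release))  # []
```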