Ask HN: Why aren't distro updates delivered over https?
Why don't CentOS/Fedora/Ubuntu deliver all package updates over https, and encourage third-party package providers to do the same?
I understand SSL/TLS reduces the risk of data tampering and reduces the risk of snooping what data is downloaded.
Though the risk of data tampering may also be reduced through the validation of cryptographically signed packages, as many distros do, it would seem there remains a residual risk of exposing to the network which updates a system has downloaded. Is there a reason this isn't of concern?