[tor-dev] Tor Browser Launcher

adrelanos adrelanos at riseup.net
Tue Feb 19 07:06:43 UTC 2013

Leo Unglaub:
> Hey,
> On 2013-02-18 18:33, adrelanos wrote:
>> Right, for such users it wouldn't work anyway, because downloading
>> Tor Browser Launcher from the repository is unencrypted (but
>> signed) anyway.
> That's not 100% correct. You can use transport encryption (HTTPS) for
> the repository servers. You simply need to change your source.list to
> use https.

Just checked again. Even if apt-transport-https is installed.

# working
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb http://ftp.us.debian.org/debian wheezy main contrib non-free

# not working
deb https://security.debian.org/ wheezy/updates main contrib non-free
deb https://ftp.us.debian.org/debian wheezy main contrib non-free

After the package managers have adapted to the TUF threat model,
motivation is low for providing https mirrors. According to the older
TUF papers, only commercial Linux distributions have SSL repositories.
With known filesizes, the motivation could be running your own
repository with proprietary software or distributing test/unsigned
packages for testing on your distant test servers or such use cases.
Debian / Ubuntu folks don't seem to be interested in https mirrors.
