Author: Ralph Ronnquist
Date:  
To: devuan-mirrors
Subject: Re: [devuan-mirrors] HTTP mirror support? - Was: Mirror devuan.rosset.eu.org/devuan-files/ URL change
On Thu, Oct 23, 2025 at 01:20:51PM +0200, Bernard Rosset wrote:
> Just to be clear (and I realise I never specified that), I was merely
> talking about the "files" mirror, aka the CD/DVD ones.
>
> I was *not* discussing the packages ones, for which, as I stated from the
> very start, the APT protocol ensures integrity/authentication with help from
> GPG.
> This has been repeated several times by different people in various ways.
>
> Hence, talking about the installation media, even if people manually verify
> signatures (no added security if server is compromised), at least HTTPS
> would ensure channel protection. Some could also argue privacy relative to
> URL paths.
>
> Anyone on this?


All ISOs are authenticated via their "shasum" (or SHA256SUM), and that
file in itself is verified by means of gpg signing. There is nothing
essential to gain by TLS/SSL/HTTPS for those.

Of course, if you are worried or hesitant about using an HTTP server
then indeed you could well restrict yourself to an HTTPS server.

Or, since HTTPS is no cure against the risk of using a compromised
server, you may want to pick duplicates of pieces from multiple
servers, to firstly make sure they all provide the same pieces, before
running the manual verification process.

Ralph.
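
The procedure described in the reply above (fetch the same pieces from several mirrors, confirm they are identical, then check the ISO against the gpg-signed checksum file), as an added example that is not part of the original message or of Devuan's tooling. The `verify_iso` helper, the mirror labels and the file paths passed to it are assumptions; the files are expected to have been downloaded already.

```python
import hashlib
import subprocess

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large ISOs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name')."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def mirrors_agree(copies):
    """copies maps a mirror label to a local path; True if all digests match."""
    digests = {label: sha256_file(path) for label, path in copies.items()}
    return len(set(digests.values())) == 1, digests

def gpg_signature_ok(sums_path, sig_path):
    """Detached-signature check; gpg exits 0 only for a good signature made
    by a key in the local keyring, so that keyring must hold only trusted keys."""
    cmd = ["gpg", "--verify", sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def verify_iso(name, iso_copies, sums_copies, sig_path, check_sig=gpg_signature_ok):
    """Hypothetical helper: cross-check mirrors first, then signature, then hash."""
    same, iso_digests = mirrors_agree(iso_copies)
    if not same:
        return "iso-mismatch-between-mirrors"
    same, _ = mirrors_agree(sums_copies)
    if not same:
        return "sums-mismatch-between-mirrors"
    sums_path = next(iter(sums_copies.values()))
    if not check_sig(sums_path, sig_path):  # never trust an unsigned checksum list
        return "bad-signature"
    with open(sums_path, encoding="utf-8") as f:
        expected = parse_sums(f.read()).get(name)
    if expected is None:
        return "not-listed"
    actual = next(iter(iso_digests.values()))
    return "ok" if actual == expected else "checksum-mismatch"
```

Agreement between mirrors only shows that they serve the same bytes; the result is `ok` only when the signature check on the checksum file and the hash comparison both pass.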