Comment 37 for bug 1464064

Clement Cherlin (mooninaut) wrote :

Let's not get carried away with conspiracy theories.

I understand the argument in favor of HTTP because it permits transparent caching of APT traffic. I think that transparent proxies were once a valid approach to reducing redundant network traffic. However, the time for untrusted, untrustable HTTP has long since passed, even for signed content.

The threat of bad actors attacking systems through HTTP is widespread and well-documented. The possibility of a 0-day in APT itself being used to attack systems that use HTTP for updates is very real. Consider that HTTP could be used to deliver stale packages that are subject to known and patched vulnerabilities.

Even ignoring the security concerns, which nobody should, many "transparent" HTTP caches are not at all transparent.

Proxies, both caching and non-caching, can and do block APT updates, whether due to malfunction, misconfiguration, or malware scanning false-positives.

A user that encounters a broken proxy may have no idea why their updates are failing. If the proxy is silently delivering stale indexes, there may be no sign that anything is wrong.

I have experienced this firsthand. I switched from the default Ubuntu mirror to an HTTPS mirror because a corporate firewall was blocking package updates. Using HTTPS resolved my problem. If HTTPS were the default, there never would have been a problem in the first place.

Any organization that wishes to benefit from caching APT traffic can and should run its own caching APT proxy or full repository mirror, not a "transparent" HTTP cache. I have done this myself, and it works. There is no longer any excuse for APT mirrors to default to HTTP.
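The comment above amounts to a short procedure: find every APT source that still points at a plain-HTTP mirror, move it to HTTPS, and if caching is wanted, configure an explicit cache rather than relying on a transparent one. The following is an added example, written for this page and not code from the commenter or from APT itself, that audits a sources.list in the classic one-line format and proposes the rewrites. The sample sources.list content is constructed for the example, the proxy host `apt-cache.example.internal` and port 3142 are assumptions (3142 is the port apt-cacher-ng listens on by default), and the `Acquire::http::Proxy` directive is the real apt.conf option for an explicitly configured proxy.

```python
"""Audit APT one-line sources for plain-HTTP mirrors and propose HTTPS rewrites.

Added example for this page; not the commenter's code and not part of APT.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample sources.list content (not taken from any real system).
SAMPLE_SOURCES_LIST = """\
# Ubuntu archive over plain HTTP (the default this thread argues against)
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb-src http://archive.ubuntu.com/ubuntu focal main restricted
deb [arch=amd64] http://security.ubuntu.com/ubuntu focal-security main
deb https://mirrors.example.org/ubuntu focal universe
deb file:/srv/local-repo ./
deb cdrom:[Ubuntu 20.04]/ focal main
"""

# One-line format: <deb|deb-src> [options] <uri> <suite> [components...]
# A cdrom: URI may contain spaces inside its bracketed label, so it gets its
# own alternative; every other URI is a single whitespace-free token.
LINE_RE = re.compile(
    r'^(deb|deb-src)\s+'
    r'(\[[^\]]*\]\s+)?'
    r'(cdrom:\[[^\]]*\]\S*|\S+)\s+'
    r'(.*)$'
)


@dataclass
class SourceEntry:
    kind: str      # "deb" or "deb-src"
    options: str   # "[arch=amd64]" style options, or "" if none
    uri: str       # repository URI as written
    rest: str      # suite and components, unchanged
    lineno: int    # 1-based line number in the input


def parse_sources_list(text: str) -> List[SourceEntry]:
    """Parse one-line APT sources; comments (from '#') and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # simplification: '#' never occurs in URIs here
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a stricter tool would report it
        kind, options, uri, rest = m.groups()
        entries.append(SourceEntry(kind, (options or '').strip(), uri, rest.strip(), lineno))
    return entries


def plain_http_entries(entries: List[SourceEntry]) -> List[SourceEntry]:
    """Entries fetched over cleartext HTTP; file:, cdrom: and https: are left alone."""
    return [e for e in entries if e.uri.lower().startswith('http://')]


def rewrite_to_https(entry: SourceEntry) -> Optional[str]:
    """Return the same entry with an https:// URI, or None if it is not plain HTTP.

    Only the scheme changes; the mirror must actually serve HTTPS at the same
    path, which is true of the mirrors in the constructed sample by assumption.
    """
    if not entry.uri.lower().startswith('http://'):
        return None
    https_uri = 'https://' + entry.uri[len('http://'):]
    parts = [entry.kind]
    if entry.options:
        parts.append(entry.options)
    parts += [https_uri, entry.rest]
    return ' '.join(parts)


def explicit_proxy_conf(host: str, port: int) -> str:
    """apt.conf fragment pointing APT at an explicitly configured cache.

    This is the alternative to a transparent HTTP cache: the client knows the
    cache is there, so a broken cache fails visibly instead of silently.
    """
    return (
        '// Hypothetical /etc/apt/apt.conf.d/01proxy\n'
        f'Acquire::http::Proxy "http://{host}:{port}";\n'
    )


def audit(text: str) -> dict:
    """Summarise a sources.list: how many entries, how many plain HTTP, rewrites."""
    entries = parse_sources_list(text)
    http_entries = plain_http_entries(entries)
    return {
        'total': len(entries),
        'plain_http': len(http_entries),
        'lines': [e.lineno for e in http_entries],
        'rewrites': [rewrite_to_https(e) for e in http_entries],
    }


if __name__ == '__main__':
    report = audit(SAMPLE_SOURCES_LIST)
    print(f"{report['plain_http']} of {report['total']} entries use plain HTTP "
          f"(lines {report['lines']})")
    for line in report['rewrites']:
        print('  ->', line)
    print(explicit_proxy_conf('apt-cache.example.internal', 3142))
```

The audit deliberately leaves `file:` and `cdrom:` entries alone, since no network transport is involved, and only changes the URI scheme, so the suite, components and `[options]` stay exactly as written. On a real system the same parser can be run over `/etc/apt/sources.list` and the files in `/etc/apt/sources.list.d/`; entries in the newer deb822 `.sources` format carry their mirrors in a `URIs:` field and are not handled by this one-line parser.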