Comment 31 for bug 1647467

A. Denton (aquina) wrote :

> It allows for attacking a repository via MITM attacks, circumventing the signature of the InRelease file.

> ("deb http://192.168.0.2:1337/debian/ jessie-updates main" or so). [..] This simulates a MITM attack or compromised mirror.

That sounds like it matters where that InRelease file comes from, right? When I look into my /etc/apt/sources.list, I only see deb/deb-src http://<tld>.archive.ubuntu.com/... entries.

I think it would be much better if Canonical servers would require TLS 1.x encryption (STS preferred) and thusly identify themselves with a proper cert, so machines/users can make sure (nation-state actors not taken into account) who they're talking to.

I think that would definitely make MITM and MOTS attacks more difficult. I'm aware of the signatures, i.e. present package security, though. Nonetheless, they do not seem to address the problem of transport security.