> This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection.
Then maybe it's not such a good idea after all to download APT packages over http by default?
In principle, the 2 reasons against https:
> providing a huge worldwide mirror network available over SSL is not only a complicated engineering task (requiring the secure exchange and storage of private keys), it implies a misleading level of security and privacy to end-users as described above.
> A switch to HTTPS would also mean you could not take advantage of local proxy servers
Well, I don't know, neither of them seems convincing...
Granted, it's true that the code handling the https connection could have a similar kind of bug too.