Open kislyuk opened 5 years ago
This site merely represents the status quo as it was >1y ago as it was a (tedious...) FAQ question at the time. It does not officially represent my personal, nor that of Debian's. I'd be very happy to review a patch with any changes you feel are necessary, please go ahead, otherwise.....
The site being up, and not including information about the current state of events and the vulnerability, paints an incomplete and unbalanced picture of the situation.
Even with the current header?
If you do not wish to maintain the site, then perhaps it is better to take it down.
Maybe the energy spent creating it would have been better spent getting agreement on a plan to migrate APT to HTTPS.
It sounds like you have that energy - good luck!
-- Chris Lamb chris-lamb.co.uk / @lolamby
Maybe just replace/update it like this? :smile:
Why does Apt not use HTTPS? We are considering adding HTTPS, because we noticed it does not make sense not to use it. Follow us at XY to keep getting updates.
Also, BTW, also >1 year ago this was already misguided, but well… we now have a good example of a vulnerability that could have been prevented.
So I think it's debatable this would have prevented it AFAICT but this is the wrong forum for such a discussion.
we noticed … follow us
Hm? This is a totally independent site. As the header says, it doesn't even speak for /me/!
So it speaks for no-one? Or what?
Seriously, it's essentially just a rehash of various SO answers. Please, create PRs!
https://justi.cz/security/2019/01/22/apt-rce.html
(I think excusing the lack of HTTPS is misguided. It's better to provide a recipe for users to pin their mirrors to use HTTPS only, and formulate a technical roadmap to achieving HTTPS-only communications. But if you insist on providing information that includes excuses for non-HTTPS transport, then I would suggest updating your site with a discussion of this recent vulnerability.)
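Editorial addition, not written by any participant in this thread: the opening post asks for a recipe to keep mirrors HTTPS-only, and a first step on any host is finding which configured APT sources still use a cleartext transport. The sketch below audits both the one-line `sources.list` format and the deb822 `.sources` format; the function names, the sample inputs and the choice to treat only `http` and `ftp` as cleartext are assumptions made for this example.

```python
import re

CLEARTEXT = {"http", "ftp"}  # assumption: schemes treated as unencrypted
ONE_LINE = re.compile(r"^(?:deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)")

def _is_cleartext(uri):
    return uri.split(":", 1)[0].lower() in CLEARTEXT

def audit_one_line(text):
    """Return (line_no, uri) for active cleartext entries in one-line format."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ONE_LINE.match(line.split("#", 1)[0].strip())  # drop comments
        if m and _is_cleartext(m.group(1)):
            hits.append((no, m.group(1)))
    return hits

def audit_deb822(text):
    """Return (stanza_no, uri) for cleartext URIs in enabled deb822 stanzas."""
    hits = []
    for no, stanza in enumerate(re.split(r"\n\s*\n", text.strip()), 1):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation of last field
                fields[key] += " " + line.strip()
            elif ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                key = key.strip().lower()
                fields[key] = value.strip()
        if fields.get("enabled", "yes").lower() != "no":
            hits += [(no, u) for u in fields.get("uris", "").split() if _is_cleartext(u)]
    return hits

# Constructed sample inputs (not taken from any real host)
SAMPLE_LIST = """\
deb http://deb.debian.org/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://mirror.example.org/debian stable main
# deb http://old.example.org/debian stable main
"""

SAMPLE_SOURCES = """\
Types: deb
URIs: http://deb.debian.org/debian
 https://mirror.example.org/debian
Suites: stable

Types: deb
URIs: http://disabled.example.org/debian
Enabled: no
"""
```

On a real system the inputs would be the contents of `/etc/apt/sources.list` and the `*.list` and `*.sources` files under `/etc/apt/sources.list.d/`.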