I feel that you're significantly understating the potential of what sophisticated network-level attackers can do here. It's annoying... I fundamentally disagree that there's "little point" to this.
First of all, most folks are only signing the Release file. The majority aren't doing debsign/debsigs or dpkg-sig. Okay, some packages ship with some md5sums. Not all. I'm not too worried about tampering or integrity of .deb contents.
How do I know I can trust the Debian archive signing key is in safe hands? For that matter, what about the many third-party repositories and keys that are trusted by my system? Not long ago, Ubuntu was trusting a 1024-bit DSA key. All I need to do is steal or brute-force one of these, and combine it with techniques available to state-level or network adversaries (think of NSA's QUANTUM-insert). Maybe some DNS poisoning or hijacking. Now when you ask for a package you need, I'm giving you my malicious repository instead.
Hostname validation is an important property. Let's say I have a large-scale network where I control the main DNS server, and I can modify records that come from more authoritative sources. I point deb.debian.org and security.debian.org to some other boxes and now no one is getting package updates. Now I have everyone in a more vulnerable state, from which I can figure out more ways to compromise them.
What about the individual package maintainers, can I trust them? Nevermind a distribution like Debian which probably has formal security review. What's to stop one unscrupulous person from being paid to insert a temporary backdoor? Well, that's not so much related to TLS.
> HTTPS does not provide meaningful privacy for obtaining packages.
False.
As mentioned by other commenters, fingerprinting and profiling of the machine — which versions of which packages are installed in the environment — is a real risk which has been demonstrated in practice by researchers. As you mention, the transfer sizes are a mild indicator; not a strong one. But the bar is orders of magnitude higher to identify what's running on a server with apt-transport-https.
Deep packet inspection and Narus is a thing. You're assuming HTTPS is not valuable because the average end user isn't at risk — advanced attackers aren't in their threat model. But when you have machines that both need to be kept highly secure and run a highly specific set of packages, it's absolutely necessary. Imagine I'm an intelligence agency and I'm in that advantaged position where I can see every HTTP GET in plaintext before it hits the official repository, from every client globally. I'm looking for a needle in a haystack: a set or series of packages installed in a certain order. It's trivial now to find my target and learn its IP address.
You're the current project leader... is this page the official stance of Debian?
"If one of the curl project members with git push rights would get her account hacked and her SSH key password brute-forced, a very skilled hacker could possibly sneak in something, short-term. Although my hopes are that as we review and comment each others’ code to a very high degree, that would be really hard."
Nip this entire discussion in the bud; just use a deterministic build process for any binaries you release. Like Gitian: https://gitian.org
First of all, most folks are only signing the Release file. The majority aren't doing debsign/debsigs or dpkg-sig. Okay, some packages ship with some md5sums. Not all. I'm not too worried about tampering or integrity of .deb contents.
How do I know I can trust the Debian archive signing key is in safe hands? For that matter, what about the many third-party repositories and keys that are trusted by my system? Not long ago, Ubuntu was trusting a 1024-bit DSA key. All I need to do is steal or brute-force one of these, and combine it with techniques available to state-level or network adversaries (think of NSA's QUANTUM-insert). Maybe some DNS poisoning or hijacking. Now when you ask for a package you need, I'm giving you my malicious repository instead.
Hostname validation is an important property. Let's say I have a large-scale network where I control the main DNS server, and I can modify records that come from more authoritative sources. I point deb.debian.org and security.debian.org to some other boxes and now no one is getting package updates. Now I have everyone in a more vulnerable state, from which I can figure out more ways to compromise them.
What about the individual package maintainers, can I trust them? Nevermind a distribution like Debian which probably has formal security review. What's to stop one unscrupulous person from being paid to insert a temporary backdoor? Well, that's not so much related to TLS.
> HTTPS does not provide meaningful privacy for obtaining packages.
False.
As mentioned by other commenters, fingerprinting and profiling of the machine — which versions of which packages are installed in the environment — is a real risk which has been demonstrated in practice by researchers. As you mention, the transfer sizes are a mild indicator; not a strong one. But the bar is orders of magnitude higher to identify what's running on a server with apt-transport-https.
Deep packet inspection and Narus is a thing. You're assuming HTTPS is not valuable because the average end user isn't at risk — advanced attackers aren't in their threat model. But when you have machines that both need to be kept highly secure and run a highly specific set of packages, it's absolutely necessary. Imagine I'm an intelligence agency and I'm in that advantaged position where I can see every HTTP GET in plaintext before it hits the official repository, from every client globally. I'm looking for a needle in a haystack: a set or series of packages installed in a certain order. It's trivial now to find my target and learn its IP address.
You're the current project leader... is this page the official stance of Debian?