use https for apt.syncthing.net as well

[anarcat]

while the release key is hosted on https://syncthing.net/release-key.txt (which is behind HTTPS), it's probably a little ackward to have that key in a different location (i personnally was surprised at first).

so it would be useful to encrypt traffic to apt.syncthing.net. With let's encrypt now public, it's pretty easy and free to get certificates for any number of domains...

low priority, probably.

[calmh]

apt.syncthing.net is actually fully functional on HTTPS, the links just haven't been updated (and it provides no extra security for the actual APT repo as I understand it).

I don't personally see anything awkward with having our key on syncthing.net. Remember that this key signs the Github releases as well and predates the apt.syncthing.net setup by a long while.

[anarcat]

On 2016-03-18 04:36:14, Jakob Borg wrote:

apt.syncthing.net is actually fully functional on HTTPS, the links just haven't been updated (and it provides no extra security for the actual APT repo as I understand it).

well, it provide a little more security: an eavesdropper will not know
what you download (although that's easy to guess because syncthing is
probably the only thing on this http server ;)

also, it is more consistent to host the APT key there, and that (apt key
authentication) is important extra security.

a.

From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!
- Winston Smith, 1984