[12:48] <hallyn> aw man the livestream talks sounded horribly interesting.  i had to go and sleep like a dullard
[18:07] <sarnold> hallyn: yeah, I only watched part of lamport's presentation, I liked it.. bummer about the usual au-rest-of-world-timing :)
[18:09] <hallyn> they should do a US-tz replay :)  (assuming they don't want recordings to be forever available)
[18:19] <sarnold> yeah, ideally they'd throw them on youtube, but .. I can kinda see why they might want to own them
[18:32] <Madars> how could one get https for security.ubuntu.com (like Debian has done for a while now)? it would be very nice as a defense-in-depth against bugs in apt (like https://www.debian.org/security/2016/dsa-3733 https://www.debian.org/security/2019/dsa-4371 both had HTTP MITM -> instant root)
[18:35] <sarnold> oh hey madars :)
[18:36] <Madars> hello sarnold ! :)
[18:37] <sarnold> adding https to the archives has been on the todo list for a while, I'm not sure what progress has been made or where that is so far.. the security server may or may not be part of those plans, I'll double-check
[18:38] <Madars> I recently looked at https://launchpad.net/ubuntu/+archivemirrors and was pleased to see that there are https mirrors in every geography now
[18:39] <Madars> except for the ubuntu-security pocket haha
[18:39] <mdeslaur> I wouldn't hold my breath, we'd have to get rid of the mirrors to be able to properly enable https
[18:40] <mdeslaur> I suggest you pick one from that list and use it directly
[18:40] <sarnold> mdeslaur: I think jsing had found a way to make it happen
[18:40] <sarnold> not holding your breath is a good idea although
[18:40] <mdeslaur> oh?
[18:40] <sarnold> top tip :)
[18:41] <sarnold> yeah, but sadly it was hidden in a google doc
[18:41] <Madars> mdeslaur: hmm, why get rid of mirrors? I think Debian still has http-only mirrors, yet people who want HTTPS can enable those (e.g. Crostini in ChromeOS uses https://cdn-fastly.deb.debian.org/ for all pockets)
[18:42] <mdeslaur> Madars: because we'd have to hand out ssl certs to all of them?
[18:42] <Madars> ohhh, that's assuming you want them to keep https://security.ubuntu.com name (which the above deb.debian.org mirrors don't)
[18:43] <cipherboy> mdeslaur: If they already have the http namespaces, wouldn't they be able to claim a LE cert for that name via the wellknown/http dir challenge type?
[18:43] <cipherboy> mdeslaur: https://letsencrypt.org/docs/challenge-types/ -- see HTTP-01 challenge type.
[18:43] <mdeslaur> I don't know, I don't know how all of that magic works
[18:44] <mdeslaur> cipherboy: how would that enable them to get a cert for "archive.ubuntu.com"?
[18:44] <mdeslaur> we currently round-robin the mirrors under our own domain name
[18:45] <sarnold> I think the provided mirrors are only on country-specific names, eg de.archive.ubuntu.com
[18:45] <mdeslaur> yes, but multiple mirrors per country
[18:45] <sarnold> yeah
[18:45] <cipherboy> mdeslaur: Ah I thought it was down a domain (e.g., osuosl.mirrors.ubuntu.com)
[18:45] <mdeslaur> no
[18:46] <cipherboy> mdeslaur: sarnold: You could set up RR via 302 redirect and then assign them subdomains. But otherwise, yeah, you'd need to hand out certs. :/
[18:48] <mdeslaur> oh, hrm, apt apparently supports SRV records now
[18:49] <Madars> whoops, I think there are two different issues: a) having _a_ ubuntu-security pocket HTTPS mirror (even if that uses a different name, e.g. https://cdn-fastly.security.ubuntu.com/ubuntu-security) for users who desire one; this is what Debian does; b) having every security.ubuntu.com mirror be HTTPS and have it as default
[18:52] <Madars> I'm not aware of any practical way to do (b) without giving security.ubuntu.com cert to too many actors, however having something for (a) would be pretty cool :)
[18:53] <sarnold> security.ubuntu.com is only hosted in-house, no contributed stuff there; I don't know if those machines would be up for that kind of load though