[15:55] <tomreyn> i'm following bug 1464064, which changed status to 'fix released' today. i understand this as "future releases will default to HTTPS for all default apt archives", and, as a dependency of this, availability of all default apt repositories supporting HTTPS. that's awesome. :)
[15:55] -ubottu:#ubuntu-security- Bug 1464064 in Ubuntu "Ubuntu apt repos are not available via HTTPS" [Undecided, Fix Released] https://launchpad.net/bugs/1464064
[15:58] <tomreyn> i have a questions baout this, however. so far i understood that security.ubuntu.com served as a special archive mirror in that it provides faster access to security fixes than the main archive mirrors do. now when i compare https://archive.ubuntu.com/ubuntu/dists/plucky-security/ to https://security.ubuntu.com/ubuntu/dists/plucky-security/ they seem to provide exactly the same. so i'm wondering: does security.ubuntu.com still provide 
[15:58] <tomreyn> security updates faster than the normal archive mirrors, or are security updates now provided by normal archive mirrors at the same time?
[15:59] <tomreyn> (or is it something else?)
[15:59] <mdeslaur> I don't have any details on why that bug was closed, but I assume it's only for the main archive and the security. repo, but not for mirrors, which means it's unlikely to be https in a default install
[16:00] <mdeslaur> security.u.c comes preconfigured so that a mirror that has a delay in syncing doesn't prevent someone from getting important security updates
[16:00] <mdeslaur> security.u.c is directly hosted on canonical infrastructure
[16:01] <mdeslaur> in theory, a mirror that is syncing properly will get all the security updates in a timely fashion
[16:02] <tomreyn> security.ubuntu.com and archive.ubuntu.com resolve to the same ip addresses for me. i'm not sure whether or not this contradicts your statement "security.u.c is directly hosted on canonical infrastructure"
[16:04] <mdeslaur> archive.ubuntu.com is also hosted by canonical
[16:04] <mdeslaur> the mirrors are subdomains of that, for example ca.archive.ubuntu.com
[16:05] <mdeslaur> looks like ca.archive.ubuntu is a bad example :)
[16:05] <mdeslaur> but it.archive.ubuntu.com is an example
[16:05] <tomreyn> i know what you mean, though, some of the country mirrors will point to non canonical maintained mirror servers.
[16:05] <sdeziel> tomreyn: Last I checked `archive.ubuntu.com` was pointed at the UK primary mirror but it was also redirected to the US one (those are 2 primary mirrors I know of) a while back when the UK had issues.
[16:07] <sdeziel> from past experiences, `security.ubuntu.com` get fixes a tad earlier than `us.archive.ubuntu.com` does
[16:08] <mdeslaur> sdeziel: they both resolve to the same ips now, so that's probably not the case anymore
[16:09] <mdeslaur> oh wait, I read that wrong
[16:09] <mdeslaur> yes, it's plausible that security.u.c gets updates a bit faster
[16:10] <mdeslaur> hrm
[16:10] <sdeziel> could it be that security fixes first land in -security and then are copied to -updates?
[16:11] <sdeziel> as for the DNS, it seems that `security.ubuntu.com` now resolves to both set of IPs so UK/GB and US, that's probably more resilient now :)
[16:11] <mdeslaur> so it does look like security.u.c and archive.u.c do resolve to the same ips now
[16:12] <mdeslaur> in a default install, a country-specific mirror is usually configured, along with security.u.c
[16:12] <sdeziel> hmm, from here, `security.ubuntu.com` resolves to the superset of `gb.archive.ubuntu.com` and `us.archive.ubuntu.com` so 6 IPs total
[16:12] <mdeslaur> country specific mirrors may or may not be canonical hosted and the same as archive.u.c
[16:13] <mdeslaur> so in cases where the country specific mirror isn't canonical hosted, security.u.c is important so that security updates are obtained even if the mirror is behind in syncing
[16:13] <sdeziel> yep
[16:13] <mdeslaur> sdeziel: yeah, same here, s.u.c and a.u.c have 6 ips, 3 from us. and 3 from uk
[16:14] <sdeziel> I am quite happy with the change as-is, even if that may or may not be something enabled by default in the future
[16:14] <mdeslaur> yes, at least it's easy now to opt-in to it
[16:15] <mdeslaur> the mirrors were always the major issue
[17:09] <tomreyn> thanks for the discussion, mdeslaur and sdeziel. so i think what remains to be understood is: why was bug 1464064 marked as "fix released" when the bug is about (my, much simplified, interpretation - open to discussion) "new installations should always use apt repositories using httpS and still get fast security updates"
[17:09] -ubottu:#ubuntu-security- Bug 1464064 in Ubuntu "Ubuntu apt repos are not available via HTTPS" [Undecided, Fix Released] https://launchpad.net/bugs/1464064
[17:11] <tomreyn> i guess another way to read the bug report is "apt archive mirrors us.archive.ubuntu.com and security.ubuntu.com should support HTTPS", which is a very different interpretation, and - i think - not what the original report (nor most of the contributors) seemed to intend.
[17:12] <tomreyn> i think the first interpretation is what is the revolution that people are seeking, and the second interpretation is maybe what the current state is.
[17:13] <tomreyn> (and, to explain this as well, i'm discussing this here for the potential time-to-patch security impact)
[17:29] <tomreyn> I just posted this to the bug report as well (spelling out potential interpretation 1 more).
[17:47] <mdeslaur> yeah, I think commenting in the bug is the best thing to do, thanks
[17:58] <oerheks> apt-transport-https  is optional, and one needs ca-certificates too to make it work
[17:59] <tomreyn> apt-transport-https is a transitional package because this functionality (HTTPS support) has been implemented in core apt years ago.
[18:00] <oerheks> oh oke, the ca-certificates is the culprit?
[18:04] <tomreyn> i don't think ca-certificates is an issue. ca-certificates is a core package, installed by default since forever.