Hmm. On further inspection, it appears that you're right. So I suppose my "bug" is that debian appears not to give a crap about people monitoring who is downloading which packages and isn't providing their repositories via https. Or ftps. Or, really, via *any* confidential mechanism. Signatures are a half-measure; they provide for integrity/ source authentication, but not for confidentiality. Anyway, as you say that's a different issue and shouldn't be confused with this same bug. Bear
Attachment:
signature.asc
Description: OpenPGP digital signature