by Ajedi32 2705 days ago
APT already supports HTTPS. Enforcing it by default wouldn't increase APT's attack surface significantly.

It would decrease the number/quantity/capacity of available mirrors. I don't know if that quantity would be significant.
You would lose the ability to do transparent caching, which I agree is rather annoying, but I think most environments where that sort of caching occurs (mostly corporate and school networks) also have the means to explicitly configure client machines to use an internal caching mirror.
Those environments tend to MITM HTTPS traffic as well. At least the companies I've worked for can.
Those companies really need to learn what privacy means.
You could run a caching mirror for such things, such as Artifactory for example.