Description
Debian-based and RHEL-based distributions use their own security layer via PGP on top of HTTP. Forcing everyone to use HTTP over TLS may not be necessary.
Summary
Clients who require some proof of authenticity may be perfectly happy with only this built-in, distribution-specific layer of security. If you force them to download package repository content via TLS, it may create unnecessary bloat on their side. For example, official Debian container images do not have the openssl or ca-certificates packages installed, but you cannot access the New Relic repository on apt.newrelic.com without them.
Moreover, your own documentation uses plaintext HTTP URLs to reference package repositories which sends the wrong signal.
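An added example, not part of the original issue or of New Relic's tooling: it walks the hash chain that secure APT builds on top of the PGP-signed Release file, which is the "built-in, distribution-specific layer" referred to above. The OpenPGP signature check itself is assumed to have already been done by gpgv (or by apt against the key named in `signed-by`); the code only verifies the SHA256 chain from Release to Packages to the .deb. The Release text, Packages index, package path and .deb bytes are all constructed inline.

```python
"""Walk the secure-APT hash chain: Release -> Packages index -> .deb.

Added example (not code from the original issue). Assumption: the OpenPGP
signature on Release/InRelease has already been verified by gpgv or apt;
only the SHA256 chain is checked here. All inputs are constructed.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {index_path: (sha256hex, size)} from the SHA256 field of a Release file.

    Release lists each index file under "SHA256:" as an indented line
    " <hash> <size> <path>". Other fields (Origin, MD5Sum, ...) are skipped.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if re.match(r"^\S", line):              # a new field name
            in_section = line.startswith("SHA256:")
            continue
        if in_section and line.strip():
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (SHA256, Size)} from a Packages index.

    Stanzas are blank-line separated "Field: value" blocks; multi-line
    Description continuations are not needed for this check and are ignored.
    """
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        pkgs[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return pkgs


def verify_blob(blob: bytes, expected_digest: str, expected_size: int) -> bool:
    return len(blob) == expected_size and sha256_hex(blob) == expected_digest


def verify_chain(release_text: str, index_path: str, index_bytes: bytes,
                 deb_path: str, deb_bytes: bytes) -> bool:
    """True only if Release vouches for the index and the index vouches for the .deb."""
    release = parse_release_sha256(release_text)
    if index_path not in release or not verify_blob(index_bytes, *release[index_path]):
        return False                            # index tampered or not listed
    pkgs = parse_packages(index_bytes.decode())
    if deb_path not in pkgs:
        return False                            # package not in the signed index
    return verify_blob(deb_bytes, *pkgs[deb_path])


# --- constructed sample repository (hypothetical names, not a real repo) ---
DEB_PATH = "pool/main/e/example/example_1.0_amd64.deb"
DEB_BYTES = b"constructed stand-in for a .deb archive\n"
PACKAGES_BYTES = (
    "Package: example\nVersion: 1.0\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_TEXT = (
    "Origin: Example\nSuite: stable\nCodename: stable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def demo() -> dict:
    """Genuine chain passes; a modified .deb or a modified index fails."""
    return {
        "genuine": verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES),
        "tampered_deb": verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES,
                                     DEB_PATH, DEB_BYTES + b"x"),
        "tampered_index": verify_chain(RELEASE_TEXT, INDEX_PATH,
                                       PACKAGES_BYTES.replace(b"1.0", b"1.1"),
                                       DEB_PATH, DEB_BYTES),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in this chain depends on the transport: a modified index or .deb fails the check whether it arrived over http:// or https://. What TLS adds is confidentiality of which packages were fetched and some resistance to an attacker serving a stale snapshot; apt addresses the freshness part separately through the Valid-Until field of the signed Release file.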
Desired Behavior
- Remove HSTS header
- Disable redirect from HTTP to HTTPS
- Allow HTTPS for those who want it or need it
Additional context
We build distroless images, so there are loads of intermediate steps. We care about every additional step, especially because PHP applications are so hard to distribute this way. Every step has a visible cost not just when we run a single build but also over time as more steps mean more places where change can occur later which invalidates caches. So, even though we already use additional package repositories, and we thought this one might be a simple addition to the code already in place, it required slightly more work, which then required some refactoring, etc. In the end, it’s not a big deal in our case. Obviously, there are alternatives, but repositories are simply convenient…
However, I can easily see how this seemingly small annoyance creeps across a very large number of teams, since you are in a unique place in the value chain.