IMO APT should be using HTTPS, I don’t see much reason to keep using HTTP. With HTTPS you can use HTTP/2 for better pipelining and more efficient bandwidth use (atm the HTTPS backend for APT uses a new connection for every package by design). You could also mask the packages and their versions from most passive attackers and you wouldn’t have to worry as much about replay attacks. Plus if for some reason your package signing goes into failure (key leaked, signature broken) then you can rely on HTTPS for minimal security guarantees…
So, are you volunteering?
What is there to volunteer? Make HTTPS default, it already supports an HTTPS backend.