I wasn't aware that plain http was what made that attack practical; that's good to know. And while not disagreeing with your point, I meant that it isn't supposed to be interceptable despite being plain text, due to the integrity check, so it isn't inherently insecure, just (significantly?) less hardened than if it used https only.
For the 'which software is installed' argument (confidentiality in addition to integrity), I agreed but your first link actually argues this:
> the privacy gains [of using https] are minimal, because the sizes of packages are well-known
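The integrity check the comment refers to, as an added illustration that is not part of the thread: the client trusts a manifest (assumed here to have already had its signature verified out of band) that records each package's expected size and SHA-256, and rejects a download whose bytes don't match. Package name, contents and manifest below are constructed sample values; the point is that a plaintext transport lets a passive observer see which file was fetched and how large it is, but does not let an active one substitute content without the check failing.

```python
import hashlib
import hmac

# Constructed sample package body; in practice this is the downloaded .deb/.rpm/etc.
PACKAGE_BODY = b"#!/bin/sh\necho 'example-tool 1.0'\n"


def build_manifest(name: str, body: bytes) -> dict:
    """Record what a trusted index would publish about one package.

    Assumption: the manifest itself arrives signed and the signature has been
    checked before any entry in it is trusted; that step is out of scope here.
    """
    return {
        "name": name,
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


# Hypothetical package name; the manifest is derived from the sample body above.
TRUSTED_MANIFEST = build_manifest("example-tool_1.0.deb", PACKAGE_BODY)


def verify_download(manifest: dict, received: bytes) -> tuple[bool, str]:
    """Compare downloaded bytes against the trusted manifest entry.

    Size is checked first because it is cheap and catches truncation or
    appended data; the digest comparison is constant-time to avoid leaking
    how many leading hex characters matched.
    """
    if len(received) != manifest["size"]:
        return (False, "size mismatch")
    digest = hashlib.sha256(received).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return (False, "digest mismatch")
    return (True, "ok")


if __name__ == "__main__":
    # Untampered download passes.
    print(verify_download(TRUSTED_MANIFEST, PACKAGE_BODY))
    # Same length but altered content: size check passes, digest check fails.
    altered = PACKAGE_BODY.replace(b"1.0", b"9.9")
    print(verify_download(TRUSTED_MANIFEST, altered))
    # Extra bytes appended: caught by the size check before hashing.
    print(verify_download(TRUSTED_MANIFEST, PACKAGE_BODY + b"\n"))
```

The size field is exactly the metadata the quoted link says is "well-known": it is part of what makes the integrity check work, and also what lets an observer infer the package even when the content is encrypted.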