Are repository updates secure?
As a bear of little brain from the developer side, I cannot understand why the repository list is http://security.ubuntu.com and the other http (unsecured) sites listed in /etc/apt/sources.list. Without a certificate chain match this appears as "ask any responder for a list of packages to update" instead of "ask the ubuntu.com site…".
Can any network choose to spoof the update sites, and is this a common practice to provide a locally cached and vetted copy?
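As an added illustration, not part of the question and not Ubuntu's own code: APT does not rely on the transport for integrity. The repository's Release file (shipped signed as InRelease or with a detached Release.gpg) lists the SHA256 of every Packages index, and each Packages stanza lists the SHA256 of its .deb, so a mirror or on-path host can serve the files but cannot alter them without breaking the chain. The script below walks that hash chain over constructed sample files; the OpenPGP signature check against the APT keyring is assumed to have passed already and is not implemented here.

```python
import hashlib
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):   # next top-level field ends the section
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text: str) -> list:
    """Return one dict per blank-line-separated stanza of a Packages index."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in re.split(r"\n\s*\n", packages_text.strip())]

def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Check a downloaded Packages index against the (signed) Release file."""
    expected, size = parse_release_sha256(release_text)[index_path]
    return len(index_bytes) == size and sha256_hex(index_bytes) == expected

def verify_deb(packages_text: str, filename: str, deb_bytes: bytes) -> bool:
    """Check a downloaded .deb against the already-verified Packages index."""
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and sha256_hex(deb_bytes) == stanza["SHA256"])
    return False  # file not listed: refuse it

# Constructed sample repository contents (stub bytes, not a real package).
DEB_BYTES = b"!<arch>\nconstructed-deb-stub\n"
PACKAGES_TEXT = (
    "Package: example\nVersion: 1.0\nArchitecture: amd64\n"
    "Filename: pool/main/e/example/example_1.0_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n"
)
INDEX_BYTES = PACKAGES_TEXT.encode()
RELEASE_TEXT = (
    "Suite: jammy\nCodename: jammy\nSHA256:\n"
    f" {sha256_hex(INDEX_BYTES)} {len(INDEX_BYTES)} main/binary-amd64/Packages\n"
)
```

A modified index or package fails the chain even when served over plain HTTP, which is why the trust anchor is the keyring, not the URL scheme.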