I have implemented parts of all three. I doubt you have.
> Adding TLS in front of HTTP when talking to an untrusted third-party server can only ever increase your attack surface.
No, against a MITM it instantly subtracts the surface inside the TLS from the equation. Which is the entire point.
> [...] that's why we have file signatures in the first place.
You still don't understand that even before the cryptographic operations done in order to verify the signatures you have all those other layers. Layers that are complex to implement, easy to misinterpret and repeatedly to this day found flawed. PGP is so terrible no serious cryptographer even bothers looking at it in this day and age.
I start getting the feeling that you're involved in keeping the package repositories stuck in the past. I can't wait for yet another Apt bug where some MITM causes problems yet again.
This entire discussion has been about MITM attacks but you keep making arguments that are irrelevant in this context. A compromised web server that's serving malicious data is not a MITM attack.
Do you acknowledge this disconnect? Is there a good reason why you keep responding to discussion about MITM with ridicule and the type of responses I'd expect from someone who's severely confused about what constitutes a MITM attack and what doesn't?