Comment 15 for bug 1812353

@Christoph:
You can put HTTPS URLs into your "sources.list", many mirrors support it. The package "apt-transport-https" is not required, that is outdated information. APT supports HTTPS out of the box for a while now, it is just not the default.
Packets will still be validated using the Debian release OpenPGP key, regardless of which method of transport you use.

> an attacker could have used this long ago to basically do everything
That is the case for any kind of security vulnerability. But the risk is much higher after the bug is published.

> But is there a chance to e.g. get full audits of apt done by security experts?
Bugs happen, audits don't find all bugs. APT has been around for a while and as a core infrastructure was reviewed by many people.