2 files changed, 49 insertions, 18 deletions

diff --git a/doc/apt-verbatim.ent b/doc/apt-verbatim.ent
index b555c5de5..be599d393 100644
--- a/doc/apt-verbatim.ent
+++ b/doc/apt-verbatim.ent
@@ -15,6 +15,12 @@
   </citerefentry>"
 >
 
+<!ENTITY apt-authconf "<citerefentry>
+    <refentrytitle><filename>apt_auth.conf</filename></refentrytitle>
+    <manvolnum>5</manvolnum>
+  </citerefentry>"
+>
+
 <!ENTITY apt-get "<citerefentry>
     <refentrytitle><command>apt-get</command></refentrytitle>
     <manvolnum>8</manvolnum>
diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml
index dd057eb32..c4df9aa58 100644
--- a/doc/sources.list.5.xml
+++ b/doc/sources.list.5.xml
@@ -350,6 +350,40 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [.
 
     <para>The currently recognized URI types are:
    <variablelist>
+    <varlistentry><term><command>http</command></term>
+    <listitem><para>
+    The http scheme specifies an HTTP server for an archive and is the most
+    commonly used method, with many options in the
+    <literal>Acquire::http</literal> scope detailed in &apt-conf;. The URI can
+    directly include login information if the archive requires it, but the use
+    of &apt-authconf; should be preferred. The method also supports SOCKS5 and
+    HTTP(S) proxies either configured via apt-specific configuration or
+    specified by the environment variable <envar>http_proxy</envar> in the
+    format (assuming an HTTP proxy requiring authentication)
+    <replaceable>http://user:pass@server:port/</replaceable>.
+    The authentication details for proxies can also be supplied via
+    &apt-authconf;.</para>
+    <para>Note that these forms of authentication are insecure as the whole
+    communication with the remote server (or proxy) is not encrypted so a
+    sufficiently capable attacker can observe and record login as well as all
+    other interactions. The attacker can <emphasis>not</emphasis> modify the
+    communication through as APTs data security model is independent of the
+    chosen transport method. See &apt-secure; for details.</para></listitem>
+    </varlistentry>
+
+    <varlistentry><term><command>https</command></term>
+    <listitem><para>
+    The https scheme specifies an HTTPS server for an archive and is very
+    similar in use and available options to the http scheme. The main
+    difference is that the communication between apt and server (or proxy) is
+    encrypted. Note that the encryption does not prevent an attacker from
+    knowing which server (or proxy) apt is communicating with and deeper
+    analyses can potentially still reveal which data was downloaded. If this is
+    a concern the Tor-based schemes mentioned further below might be a suitable
+    alternative.</para></listitem>
+    </varlistentry>
+
+
     <varlistentry><term><command>file</command></term>
     <listitem><para>
     The file scheme allows an arbitrary directory in the file system to be
@@ -359,27 +393,19 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [.
     
     <varlistentry><term><command>cdrom</command></term>
     <listitem><para>
-    The cdrom scheme allows APT to use a local CD-ROM drive with media
+    The cdrom scheme allows APT to use a local CD-ROM, DVD or USB drive with media
     swapping. Use the &apt-cdrom; program to create cdrom entries in the
     source list.</para></listitem>
     </varlistentry>
 
-    <varlistentry><term><command>http</command></term>
-    <listitem><para>
-    The http scheme specifies an HTTP server for the archive. If an environment
-    variable <envar>http_proxy</envar> is set with the format 
-    http://server:port/, the proxy server specified in
-    <envar>http_proxy</envar> will be used. Users of authenticated
-    HTTP/1.1 proxies may use a string of the format
-    http://user:pass@server:port/.
-    Note that this is an insecure method of authentication.</para></listitem>
-    </varlistentry>
-
     <varlistentry><term><command>ftp</command></term>
     <listitem><para>
-    The ftp scheme specifies an FTP server for the archive. APT's FTP behavior
-    is highly configurable; for more information see the
-    &apt-conf; manual page. Please note that an FTP proxy can be specified
+    The ftp scheme specifies an FTP server for an archive. Use of FTP is on the
+    decline in favour of <literal>http</literal> and <literal>https</literal>
+    and many archives either never offered or are retiring FTP access. If you
+    still need this method many configuration options for it are available in
+    the <literal>Acquire::ftp</literal> scope and detailed in &apt-conf;.</para>
+    <para>Please note that an FTP proxy can be specified
     by using the <envar>ftp_proxy</envar> environment variable. It is possible
     to specify an HTTP proxy (HTTP proxy servers often understand FTP URLs)
     using this environment variable and <emphasis>only</emphasis> this
@@ -407,9 +433,8 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [.
     <listitem><para>
     APT can be extended with more methods shipped in other optional packages, which should
     follow the naming scheme <package>apt-transport-<replaceable>method</replaceable></package>.
-    For instance, the APT team also maintains the package <package>apt-transport-https</package>,
-    which provides access methods for HTTPS URIs with features similar to the http method.
-    Methods for using e.g. debtorrent are also available - see &apt-transport-debtorrent;.
+    For instance, the APT team also maintains the package <package>apt-transport-tor</package>,
+    which provides access methods for HTTP and HTTPS URIs routed via the Tor network.
     </para></listitem>
     </varlistentry>
   </variablelist>