On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
> 
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
> 
> Just make sure that HTTPS mirrors are listed first.

This sounds like you're wrongly assuming that the package managers are
going to consult mirrors in order.  This isn't true.

> From security point of view, we don't get anything from HTTPS because we
> maintain and validate checksums for distfiles and thirdpartymirrors file
> is only used for distfiles.
> 

I'm really glad you've ignored the entire point I made in my original
post.

-- 
Best regards,
Michał Górny