From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
Date: Sun, 29 Sep 2019 17:48:40 +0200
Message-ID: <3220ce25cc50d9735265288fd03c464eee7e4889.camel@gentoo.org>
Organization: Gentoo

On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
>
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
>
> Just make sure that HTTPS mirrors are listed first.

This sounds like you're wrongly assuming that the package managers are
going to consult mirrors in order. This isn't true.

> From security point of view, we don't get anything from HTTPS because we
> maintain and validate checksums for distfiles and thirdpartymirrors file
> is only used for distfiles.
>

I'm really glad you've ignored the entire point I made in my original
post.

--
Best regards,
Michał Górny