On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> >>>>> On Sun, 29 Sep 2019, Michał Górny wrote:
>
> > Why is it useful? In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against them.
>
> It won't hide the fact that a connection was established. Also, the
> transferred data are public, and we verify them on the client side by
> a checksum. So the advantage of https is very limited here.
>

Many 'FTP' hosts belong to different tiers. There's a major difference
between knowing that a user is fetching *something* from a big mirror of
everything, and knowing the exact precise thing being fetched. It may
mean knowing that the user is fetching a vulnerable package (for whatever
reason).

--
Best regards,
Michał Górny