From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
Date: Mon, 30 Sep 2019 07:35:39 +0200
Organization: Gentoo

On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> >>>>> On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful? In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against them.
>
> It won't hide the fact that a connection was established. Also, the
> transferred data are public, and we verify them on the client side by
> a checksum. So the advantage of https is very limited here.
>

Many 'FTP' hosts belong to different tiers. There's a major difference
between knowing that a user is fetching *something* from a big mirror of
everything, and knowing the exact precise thing being fetched. It may
mean knowing that the user is fetching a vulnerable package (for whatever
reason).

--
Best regards,
Michał Górny