* [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
@ 2019-09-29 9:56 99% Michał Górny
0 siblings, 0 replies; 1+ results
From: Michał Górny @ 2019-09-29 9:56 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 918 bytes --]
Hi,
Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP.
I've been putting some effort into switching to HTTPS whenever possible
(i.e. when the server's running HTTPS and has a valid certificate).
However, the way things work people still have a pretty good chance of
hitting HTTP or FTP mirror instead.
Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS
mirrors for the group in question, we remove all HTTP and FTP
alternatives. This way, if mirror:// is actually utilized, people won't
unnecessarily use unsecured connections.
I believe this falls in line with the generic policy of preferring HTTPS
over HTTP/FTP URIs.
Why is it useful? In my opinion, the most important point is that it
stops third parties from sniffing what the Gentoo hosts are fetching
and using this information against them.
WDYT?
--
Best regards,
Michał Górny
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]
^ permalink raw reply [relevance 99%]
Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2019-09-29 9:56 99% [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible) Michał Górny
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox