From: Michał Górny
To: gentoo-dev
Subject: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
Date: Sun, 29 Sep 2019 11:56:19 +0200
Organization: Gentoo

Hi,

Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP.
I've been putting some effort into switching to HTTPS whenever possible
(i.e. when the server's running HTTPS and has a valid certificate).
However, the way things work, people still have a pretty good chance of
hitting an HTTP or FTP mirror instead.

Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS
mirrors for the group in question, we remove all HTTP and FTP
alternatives. This way, if mirror:// is actually utilized, people won't
unnecessarily use unsecured connections. I believe this falls in line
with the generic policy of preferring HTTPS over HTTP/FTP URIs.

Why is it useful? In my opinion, the most important point is that it
stops third parties from sniffing what the Gentoo hosts are fetching and
using this information against them.

WDYT?

-- 
Best regards,
Michał Górny
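As an added illustration of the proposed rule (this is not Portage's code and not part of the post), the script below parses a constructed thirdpartymirrors snippet in the usual one-group-per-line, whitespace-separated layout, drops the http:// and ftp:// entries of every group that has at least one https:// entry, and then shows that a mirror:// URI resolves only to HTTPS fetch locations. The mirror hostnames are made up for the example; groups without any HTTPS mirror are left untouched so their distfiles stay fetchable.

```python
from urllib.parse import urlsplit

# Constructed thirdpartymirrors snippet: one group per line, the group
# name followed by whitespace-separated base URIs. Hostnames are made up.
THIRDPARTYMIRRORS = """\
# comment lines and blank lines are ignored

gnu\thttps://ftpmirror.example.org/gnu http://ftp.example.net/gnu ftp://ftp.example.com/gnu
legacy\tftp://old.example.org/pub http://old.example.net/pub
"""

SECURE = ("https",)
INSECURE = ("http", "ftp")

def parse_thirdpartymirrors(text):
    """Return {group: [uri, ...]}, preserving the order in the file."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *uris = line.split()
        groups.setdefault(name, []).extend(uris)
    return groups

def prefer_https(groups):
    """Apply the proposed rule: if a group has any HTTPS mirror, remove its
    HTTP and FTP alternatives; otherwise leave the group as it is."""
    result = {}
    for name, uris in groups.items():
        schemes = [urlsplit(u).scheme.lower() for u in uris]
        if any(s in SECURE for s in schemes):
            uris = [u for u, s in zip(uris, schemes) if s not in INSECURE]
        result[name] = uris
    return result

def expand_mirror_uri(uri, groups):
    """Turn mirror://group/path into the concrete fetch URIs for that group;
    any other URI is returned unchanged."""
    parts = urlsplit(uri)
    if parts.scheme != "mirror":
        return [uri]
    path = parts.path.lstrip("/")
    return [base.rstrip("/") + "/" + path for base in groups.get(parts.netloc, [])]

if __name__ == "__main__":
    mirrors = prefer_https(parse_thirdpartymirrors(THIRDPARTYMIRRORS))
    for u in expand_mirror_uri("mirror://gnu/foo/foo-1.0.tar.gz", mirrors):
        print(u)
```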