From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BBDB0138334 for ; Mon, 30 Sep 2019 05:04:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id CEDD6E0883; Mon, 30 Sep 2019 05:04:34 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id ECC10E082B for ; Mon, 30 Sep 2019 05:04:33 +0000 (UTC) Received: from a1i15 (host2092.kph.uni-mainz.de [134.93.134.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ulm) by smtp.gentoo.org (Postfix) with ESMTPSA id C77D134B6EA; Mon, 30 Sep 2019 05:04:30 +0000 (UTC) From: Ulrich Mueller To: =?utf-8?B?TWljaGHFgiBHw7Nybnk=?= Cc: gentoo-dev Subject: Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible) References: Date: Mon, 30 Sep 2019 07:04:20 +0200 In-Reply-To: (=?utf-8?Q?=22Micha=C5=82_G=C3=B3rny=22's?= message of "Sun, 29 Sep 2019 11:56:19 +0200") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Archives-Salt: 6f507c39-1376-4424-abed-405f3090d106 X-Archives-Hash: b92fd5c1884aed073f0f6460e0ac3fcc --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable >>>>> On Sun, 29 Sep 2019, Micha=C5=82 G=C3=B3rny wrote: > Why is it useful? In my opinion, the most important point is that it > stops third parties from sniffing what the Gentoo hosts are fetching > and using this information against them. It won't hide the fact that a connection was established. Also, the transferred data are public, and we verify them on the client side by a checksum. So the advantage of https is very limited here. Ulrich --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEZlHkP3TnuTbxrN0HwwkGhRxhwnMFAl2RjNQACgkQwwkGhRxh wnPeNAf+MfATDNo8soxUDihl6mPm6vBd2guyfOKMuIMZhQ02aYTmWKvRTrxREL3a ZJnMSlF+ynz+Zxl2vr7hFYZTENAuaGrhu10rCbL2wdCUumYahEuC29NPCeMEMRLM q5ZJ+Ev+fDBTtpoGJHbusx/uWxXcfweFlVOVe2OBdki6oS1Yvzci/6z3FBxRMWjx qUpXMEGd28jwYhDsCmKsN3yiWcbYfe2T2hW+KVYrAI3o09SDTUWj8FBq7YpLQRVB 3JIJutKGl5ed8WR1lnZwb3iebzpSVtxMsAopxE30WT5IFEchlWAa1Gx797paipSr jDSHtiL77ehmxo2bn0yoKIDa8hrUqQ== =Eq+1 -----END PGP SIGNATURE----- --=-=-=--