Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-30 Thread Chí-Thanh Christopher Nguyễn
Michał Górny wrote:
> Many 'FTP' hosts belong to different tiers. There's a major difference
> between knowing that a user is fetching *something* from big mirror of
> everything, and knowing the exact precise thing being fetched. It may
> mean knowing that the user is fetching vulnerable

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful? In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Ulrich Mueller
> On Sun, 29 Sep 2019, Michał Górny wrote:
> Why is it useful? In my opinion, the most important point is that it
> stops third parties from sniffing what the Gentoo hosts are fetching
> and using this information against them.
It won't hide the fact that a connection was established. Also,

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
>
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
>
> Just make sure that HTTPS mirrors are listed first.
This sounds like

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Thomas Deutschmann
Hi, while I invested some time in the past updating thirdpartymirrors to add HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: Just make sure that HTTPS mirrors are listed first. From a security point of view, we don't get anything from HTTPS because we maintain and validate

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Piotr Karbowski
Hi,
On 29/09/2019 11.56, Michał Górny wrote:
> WDYT?
You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board with that. Ideally, we would switch all of Gentoo resources to HTTPS too. I had a short discussion about it in #-infra where I was looking for distfiles and stage3 snapshots

[gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
Hi, Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. I've been putting some effort into switching to HTTPS whenever possible (i.e. when the server's running HTTPS and has a valid certificate). However, the way things work people still have a pretty good chance of hitting