On Thu, Apr 28, 2022 at 07:41:56AM -0400, Kevin A. McGrail wrote:
> By default, the data is cryptographically verified. An admin has to
> specifically turn off that feature.
>
> There's little benefit to using HTTPS in this specific setting and it's
> just an extra requirement on our volunteer mirrors. It will add time, CPU
> load, and even a small amount of bandwidth increase. All to achieve nothing.
>
> From a security analysis, this is public data so it's a very low risk with
> no data toxicity.
>
> I just don't see the benefit. As a security expert, I also make sure to
> focus my time where it's best utilized. So I am recommending that you and
> I can spend our time elsewhere as well as our mirror volunteers :-)

I spent a few hours to prove that it works and is simple to activate, making things more future-proof. No one is forcing mirrors to migrate (sad to say I'm not a dictator), but I'd suggest everyone does. Even my Intel Atom server handles all the SSL with a few percent CPU load - talking about the CPU/bandwidth wastes more time.