On Wed, Jul 3, 2013 at 9:23 AM, Martin Albisetti <[email protected]> wrote:
> On Tue, Jul 2, 2013 at 8:40 PM, Alejandro J. Cura
> <[email protected]> wrote:
>>
>>> HTTPS will be required for all requests, both for uploads and downloads.
>>> HTTP requests will be unconditionally redirected to HTTPS. [DONE]
>>
>> I can clearly understand why we are using HTTPS for private packages,
>> but I don't understand why we can't use it for public packages (I'm
>> assuming that we have some checksum received via HTTPS before
>> downloading from HTTP, or a package signature, to avoid tampering).
>>
>> My naïve thinking is that allowing HTTP for public packages would
>> result in improved download speeds due to ISP and perhaps CDN
>> caching, hopefully freeing bandwidth in our datacenter for private
>> packages, and perhaps some cost savings too. Am I way off?
>
> I think the savings nowadays are going to be pretty minimal in https
> vs http, and any CDN usage will be of our own, so it won't make a
> difference. We'll be doing caching within our own infrastructure to
> make downloads cheap.
> I'm not sure what client-side verification there's going to be, but I
> think having some level of guarantee that packages can't be tampered
> with at the transport level can only be a good thing.
> Finally, we may need all downloads to be authenticated, so we may not
> want the signed URL to be exposed anywhere else down the chain.
>
> Make sense?

It does, thanks!
--
alecu

--
Mailing list: https://launchpad.net/~ubuntu-appstore-developers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
More help   : https://help.launchpad.net/ListHelp

