Hi, Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. I've been putting some effort into switching to HTTPS whenever possible (i.e. when the server's running HTTPS and has a valid certificate). However, the way things work people still have a pretty good chance of hitting HTTP or FTP mirror instead.
Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS mirrors for the group in question, we remove all HTTP and FTP alternatives. This way, if mirror:// is actually utilized, people won't unnecessarily use unsecured connections. I believe this falls in line with the generic policy of preferring HTTPS over HTTP/FTP URIs. Why is it useful? In my opinion, the most important point is that it stops third parties from sniffing what the Gentoo hosts are fetching and using this information against them. WDYT? -- Best regards, Michał Górny
Description: This is a digitally signed message part