Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. 
I've been putting some effort into switching to HTTPS whenever possible
(i.e. when the server's running HTTPS and has a valid certificate). 
However, the way things work people still have a pretty good chance of
hitting HTTP or FTP mirror instead.

Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS
mirrors for the group in question, we remove all HTTP and FTP
alternatives.  This way, if mirror:// is actually utilized, people won't
unnecessarily use unsecured connections.

I believe this falls in line with the generic policy of preferring HTTPS

Why is it useful?  In my opinion, the most important point is that it
stops third parties from sniffing what the Gentoo hosts are fetching
and using this information against them.


Best regards,
Michał Górny

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to