On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
> Just make sure that HTTPS mirrors are listed first.

This sounds like you're wrongly assuming that the package managers are
going to consult mirrors in order.  This isn't true.

> From security point of view, we don't get anything from HTTPS because we
> maintain and validate checksums for distfiles and thirdpartymirrors file
> is only used for distfiles.

I'm really glad you've ignored the entire point I made in my original

Best regards,
Michał Górny

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to