On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful?  In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against them.
> It won't hide the fact that a connection was established. Also, the
> transferred data are public, and we verify them on the client side by
> a checksum. So the advantage of https is very limited here.

Many 'FTP' hosts belong to different tiers.  There's a major difference
between knowing that a user is fetching *something* from big mirror of
everything, and knowing the exact precise thing being fetched.  It may
mean knowing that the user is fetching vulnerable package (for whatever

Best regards,
Michał Górny

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to