On Thu, Dec 10, 2020 at 10:24:27PM -0000, Stuart Henderson wrote:
> > Please use https. Some ISPs insert crap into http.
>
> Sounds a good reason to use a better ISP :)

You're right about that and the CPU waste. I had an ISP a few years ago at home that tampered with http. Once burned, twice shy.

Chris

> Packages packing-lists are verified using signify signatures, and files
> inside the package using sha256 from the (signed) plist, so it will be
> very obvious if those files are changed.
>
> And because pkg_add doesn't use persistent connections, https really
> slows it down as it has to make a new TLS handshake for every package
> you have installed (even if no update is needed).
>
> > Certs are free, why doesn't a trusted source not have one?
>
> Some mirror servers are not on especially new hardware and may not have
> loads of cpu to spare to encrypt everything. Also some may consider it a
> waste of cpu time if the files are signed anyway. (For file distribution
> where signature checks are not done automatically, I have a feeling
> that seeing something fetched over https might suggest to the user that
> things are safe and they don't need to bother to do a check manually -
> this is of course not the case as https does nothing to help if a server
> has been compromised, it only deals with the transport layer).
>
> > IMHO, you really should run stable. Although you might look at the
>
> Or -current :-)
>
> > patches and decide not to. packages-stable may or may not have security
> > fixes you need. syspatch often, but not always, needs a reboot.
> >
> > But it's your system, do as you please. A security patch might not be
> > relevant to you.
> >
> > Chris Bennett
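The second integrity layer Stuart describes (per-file sha256 digests carried in a packing-list that has itself been signature-checked) modelled as an added shell example; this is not code from the thread or from pkg_add itself. The `@sha <hexdigest> <name>` plist lines, the file names and the tamper step are constructed for the demo, and the signify verification of the list is assumed to have already succeeded.

```shell
#!/bin/sh
# Added example, not pkg_add's own code. Models the check "files inside the
# package are verified using sha256 from the (signed) plist". The signify
# step over the list itself is assumed to have passed beforehand (roughly:
# signify -V -p <pkg pubkey> -x +CONTENTS.sig -m +CONTENTS); this script
# only does the per-file digest comparison. Plist line format is simplified.
set -u

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a constructed package directory: two payload files plus a
# packing-list (+CONTENTS) recording each file's digest.
make_demo_pkg() {
    dir=$(mktemp -d)
    printf 'echo hello\n' > "$dir/bin-tool"
    printf 'manual page\n' > "$dir/man-tool.1"
    {
        printf '@sha %s bin-tool\n'   "$(sha256_of "$dir/bin-tool")"
        printf '@sha %s man-tool.1\n' "$(sha256_of "$dir/man-tool.1")"
    } > "$dir/+CONTENTS"
    printf '%s\n' "$dir"
}

# Compare every @sha entry of the (already signature-checked) plist with
# the file on disk. Returns 1 if any file does not match its recorded digest.
verify_plist() {
    dir=$1
    rc=0
    while read -r tag want name; do
        [ "$tag" = "@sha" ] || continue
        if [ "$(sha256_of "$dir/$name")" = "$want" ]; then
            echo "ok       $name"
        else
            echo "MISMATCH $name"
            rc=1
        fi
    done < "$dir/+CONTENTS"
    return $rc
}

# Demo: the intact package passes; a file altered in transit is caught by
# the digest check even though nothing about the transport was authenticated.
pkg=$(make_demo_pkg)
verify_plist "$pkg" && echo "package intact"
printf 'echo tampered\n' > "$pkg/bin-tool"   # simulate an on-path modification
verify_plist "$pkg" || echo "tampered file detected"
```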