Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful? In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Ulrich Mueller
> On Sun, 29 Sep 2019, Michał Górny wrote:
> Why is it useful? In my opinion, the most important point is that it
> stops third parties from sniffing what the Gentoo hosts are fetching
> and using this information against them.

It won't hide the fact that a connection was established. Also,

[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2019-09-29 23:59 UTC

2019-09-29 Thread Robin H. Johnson
20190919-19:32 juippis 44cd7a445d7 acct-user/mosquitto
20190926-18:24 mattst88 c560cd0ab92 acct-user/vpopmail
20190926-20:26 juippis d54b80d6ec6 dev-perl/go-perl
20190929-11:40 pacho

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
>
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
>
> Just make sure that HTTPS mirrors are listed first.

This sounds like

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Thomas Deutschmann
Hi,

while I invested some time in the past updating thirdpartymirrors to add HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:

Just make sure that HTTPS mirrors are listed first.

From a security point of view, we don't get anything from HTTPS because we maintain and validate

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Piotr Karbowski
Hi,

On 29/09/2019 11.56, Michał Górny wrote:
> WDYT?

You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board with that. Ideally, we would switch all of Gentoo resources to HTTPS too. I had a short discussion about it in #-infra where I was looking for distfiles and stage3 snapshots

[gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
Hi,

Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. I've been putting some effort into switching to HTTPS whenever possible (i.e. when the server's running HTTPS and has a valid certificate). However, the way things work, people still have a pretty good chance of hitting