Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful?  In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against them.
> 
> It won't hide the fact that a connection was established. Also, the
> transferred data are public, and we verify them on the client side by
> a checksum. So the advantage of https is very limited here.
> 

Many 'FTP' hosts belong to different tiers.  There's a major difference
between knowing that a user is fetching *something* from big mirror of
everything, and knowing the exact precise thing being fetched.  It may
mean knowing that the user is fetching vulnerable package (for whatever
reason).

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part


Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Ulrich Mueller
> On Sun, 29 Sep 2019, Michał Górny wrote:

> Why is it useful?  In my opinion, the most important point is that it
> stops third parties from sniffing what the Gentoo hosts are fetching
> and using this information against them.

It won't hide the fact that a connection was established. Also, the
transferred data are public, and we verify them on the client side by
a checksum. So the advantage of https is very limited here.

Ulrich


signature.asc
Description: PGP signature


[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2019-09-29 23:59 UTC

2019-09-29 Thread Robin H. Johnson
The attached list notes all of the packages that were added or removed
from the tree, for the week ending 2019-09-29 23:59 UTC.

Removals:
app-admin/webmin  20190923-07:16 mgorny   
b64fe9b6ee3
app-crypt/af_alg  20190926-14:47 mgorny   
251ea7f493d
app-emacs/identica-mode   20190924-14:14 ulm  
e65ca145443
app-emacs/thumbs  20190924-14:13 ulm  
4dfc76a5315
dev-cpp/threadpool20190928-11:30 mgorny   
ce8e182b10b
dev-embedded/scratchbox   20190927-06:07 mgorny   
14ea1f1ee57
dev-embedded/scratchbox-devkit-apt-https  20190927-06:07 mgorny   
30ca3164f5d
dev-embedded/scratchbox-devkit-cputransp  20190927-06:07 mgorny   
9c8be95d28f
dev-embedded/scratchbox-devkit-debian 20190927-06:06 mgorny   
4be25c19e2f
dev-embedded/scratchbox-devkit-debian-squeeze 20190927-06:06 mgorny   
c3fd6a61cfc
dev-embedded/scratchbox-devkit-doctools   20190927-06:05 mgorny   
afcb45e0ed4
dev-embedded/scratchbox-devkit-git20190927-06:05 mgorny   
e6e53b2d9da
dev-embedded/scratchbox-devkit-maemo3 20190927-06:05 mgorny   
e707b5034eb
dev-embedded/scratchbox-devkit-perl   20190927-06:04 mgorny   
78ab8c461f0
dev-embedded/scratchbox-devkit-qemu   20190927-06:04 mgorny   
768f03710ed
dev-embedded/scratchbox-devkit-svn20190927-06:04 mgorny   
0069fbba386
dev-tcltk/tkTheme 20190926-14:46 mgorny   
b987ba86aff
games-rpg/eternal-lands-bloodsucker   20190928-11:29 mgorny   
97ebcb4274d
games-rpg/eternal-lands-data  20190928-11:30 mgorny   
73eec1bc4df
mail-filter/sid-milter20190926-14:48 mgorny   
8edfb67b10e
net-misc/libss7   20190928-11:30 mgorny   
d00b5b21bf5
net-misc/tokyotyrant  20190926-14:45 mgorny   
b58d61c1d8d
sci-electronics/gplcver   20190928-11:31 mgorny   
face36e528a
sci-libs/grib_api 20190926-14:46 mgorny   
92bc800b268
sys-cluster/open-mx   20190925-10:29 mgorny   
4ed0d5fa1bb
virtual/libmysqlclient20190925-10:30 mgorny   
3ff6d775553
www-apps/groupoffice  20190923-07:20 mgorny   
a27fa653bc1
www-apps/phpwebsite   20190923-07:19 mgorny   
2f8ff094876
www-apps/sitebar  20190923-07:19 mgorny   
9b8852294e2

Additions:
acct-group/bitcoin20190925-16:52 mattst88 
12e4c031c4f
acct-group/ipfs   20190919-19:29 juippis  
caab62ba7d7
acct-group/mosquitto  20190926-18:21 mattst88 
101bd70aab1
acct-group/vpopmail   20190924-15:30 juippis  
9dbfc4954b1
acct-user/bitcoin 20190925-16:56 mattst88 
87268ad0a74
acct-user/ipfs20190919-19:32 juippis  
44cd7a445d7
acct-user/mosquitto   20190926-18:24 mattst88 
c560cd0ab92
acct-user/vpopmail20190926-20:26 juippis  
d54b80d6ec6
dev-perl/go-perl  20190929-11:40 pacho
f42961251d4
games-action/crimsonland  20190928-15:13 chewi
f6322880c50
games-roguelike/neon-chrome   20190928-14:48 chewi
3f1b957df27
games-strategy/satellite-reign20190924-22:28 chewi
8c65509598b
media-fonts/cascadia-code 20190922-15:52 juippis  
b0df00387e1

--
Robin Hugh Johnson
Gentoo Linux Developer
E-Mail : robb...@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
Removed Packages:
sci-electronics/gplcver,removed,mgorny,20190928-11:31,face36e528a
dev-cpp/threadpool,removed,mgorny,20190928-11:30,ce8e182b10b
net-misc/libss7,removed,mgorny,20190928-11:30,d00b5b21bf5
games-rpg/eternal-lands-data,removed,mgorny,20190928-11:30,73eec1bc4df
games-rpg/eternal-lands-bloodsucker,removed,mgorny,20190928-11:29,97ebcb4274d
dev-embedded/scratchbox,removed,mgorny,20190927-06:07,14ea1f1ee57
dev-embedded/scratchbox-devkit-apt-https,removed,mgorny,20190927-06:07,30ca3164f5d
dev-embedded/scratchbox-devkit-cputransp,removed,mgorny,20190927-06:07,9c8be95d28f
dev-embedded/scratchbox-devkit-debian,removed,mgorny,20190927-06:06,4be25c19e2f
dev-embedded/scratchbox-devkit-debian-squeeze,removed,mgorny,20190927-06:06,c3fd6a61cfc
dev-embedded/scratchbox-devkit-doctools,removed,mgorny,20190927-06:05,afcb45e0ed4
dev-embedded/scratchbox-devkit-git,removed,mgorny,20190927-06:05,e6e53b2d9da
dev-embedded/scratchbox-devkit-maemo3,removed,mgorny,20190927-06:05,e707b5034eb
dev-embedded/scratchbox-devkit-perl,removed,mgorny,20190927-06:04,78ab8c461f0
dev-embedded/scratchbox-devkit-qemu,removed,mgorny,20190927-06:04,768f03710ed
dev-embedded/scratchbox-devkit-svn,removed,mgorny,20190927-06

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
> 
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
> 
> Just make sure that HTTPS mirrors are listed first.

This sounds like you're wrongly assuming that the package managers are
going to consult mirrors in order.  This isn't true.

> From security point of view, we don't get anything from HTTPS because we
> maintain and validate checksums for distfiles and thirdpartymirrors file
> is only used for distfiles.
> 

I'm really glad you've ignored the entire point I made in my original
post.

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part


Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Thomas Deutschmann
Hi,

while I invested some time in the past updating thirdpartymirrors to add
HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:

Just make sure that HTTPS mirrors are listed first.

From security point of view, we don't get anything from HTTPS because we
maintain and validate checksums for distfiles and thirdpartymirrors file
is only used for distfiles.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5



signature.asc
Description: OpenPGP digital signature


Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Piotr Karbowski
Hi,

On 29/09/2019 11.56, Michał Górny wrote:
> WDYT?

You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board
with that.

Ideally, we would switch all of Gentoo resources to HTTPS too. I had a
short discussion about it in #-infra where I was looking for distfiles
and stage3 snapshots mirror roundrobin that is https enabled, this of
course require a huge changes and it unlikely come anytime soon, but for
what's it worth, I think no official Gentoo resource should default to
non encrypted HTTP, and the only http enabled traffic should be a 301
HTTP redirect to https address.

-- Piotr.



signature.asc
Description: OpenPGP digital signature


[gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
Hi,

Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. 
I've been putting some effort into switching to HTTPS whenever possible
(i.e. when the server's running HTTPS and has a valid certificate). 
However, the way things work people still have a pretty good chance of
hitting HTTP or FTP mirror instead.

Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS
mirrors for the group in question, we remove all HTTP and FTP
alternatives.  This way, if mirror:// is actually utilized, people won't
unnecessarily use unsecured connections.

I believe this falls in line with the generic policy of preferring HTTPS
over HTTP/FTP URIs.

Why is it useful?  In my opinion, the most important point is that it
stops third parties from sniffing what the Gentoo hosts are fetching
and using this information against them.

WDYT?

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part