Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote: > > > > > > On Sun, 29 Sep 2019, Michał Górny wrote: > > Why is it useful? In my opinion, the most important point is that it > > stops third parties from sniffing what the Gentoo hosts are fetching > > and using this information against them. > > It won't hide the fact that a connection was established. Also, the > transferred data are public, and we verify them on the client side by > a checksum. So the advantage of https is very limited here. > Many 'FTP' hosts belong to different tiers. There's a major difference between knowing that a user is fetching *something* from big mirror of everything, and knowing the exact precise thing being fetched. It may mean knowing that the user is fetching vulnerable package (for whatever reason). -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part
Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
> On Sun, 29 Sep 2019, Michał Górny wrote: > Why is it useful? In my opinion, the most important point is that it > stops third parties from sniffing what the Gentoo hosts are fetching > and using this information against them. It won't hide the fact that a connection was established. Also, the transferred data are public, and we verify them on the client side by a checksum. So the advantage of https is very limited here. Ulrich signature.asc Description: PGP signature
[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2019-09-29 23:59 UTC
The attached list notes all of the packages that were added or removed from the tree, for the week ending 2019-09-29 23:59 UTC. Removals: app-admin/webmin 20190923-07:16 mgorny b64fe9b6ee3 app-crypt/af_alg 20190926-14:47 mgorny 251ea7f493d app-emacs/identica-mode 20190924-14:14 ulm e65ca145443 app-emacs/thumbs 20190924-14:13 ulm 4dfc76a5315 dev-cpp/threadpool20190928-11:30 mgorny ce8e182b10b dev-embedded/scratchbox 20190927-06:07 mgorny 14ea1f1ee57 dev-embedded/scratchbox-devkit-apt-https 20190927-06:07 mgorny 30ca3164f5d dev-embedded/scratchbox-devkit-cputransp 20190927-06:07 mgorny 9c8be95d28f dev-embedded/scratchbox-devkit-debian 20190927-06:06 mgorny 4be25c19e2f dev-embedded/scratchbox-devkit-debian-squeeze 20190927-06:06 mgorny c3fd6a61cfc dev-embedded/scratchbox-devkit-doctools 20190927-06:05 mgorny afcb45e0ed4 dev-embedded/scratchbox-devkit-git20190927-06:05 mgorny e6e53b2d9da dev-embedded/scratchbox-devkit-maemo3 20190927-06:05 mgorny e707b5034eb dev-embedded/scratchbox-devkit-perl 20190927-06:04 mgorny 78ab8c461f0 dev-embedded/scratchbox-devkit-qemu 20190927-06:04 mgorny 768f03710ed dev-embedded/scratchbox-devkit-svn20190927-06:04 mgorny 0069fbba386 dev-tcltk/tkTheme 20190926-14:46 mgorny b987ba86aff games-rpg/eternal-lands-bloodsucker 20190928-11:29 mgorny 97ebcb4274d games-rpg/eternal-lands-data 20190928-11:30 mgorny 73eec1bc4df mail-filter/sid-milter20190926-14:48 mgorny 8edfb67b10e net-misc/libss7 20190928-11:30 mgorny d00b5b21bf5 net-misc/tokyotyrant 20190926-14:45 mgorny b58d61c1d8d sci-electronics/gplcver 20190928-11:31 mgorny face36e528a sci-libs/grib_api 20190926-14:46 mgorny 92bc800b268 sys-cluster/open-mx 20190925-10:29 mgorny 4ed0d5fa1bb virtual/libmysqlclient20190925-10:30 mgorny 3ff6d775553 www-apps/groupoffice 20190923-07:20 mgorny a27fa653bc1 www-apps/phpwebsite 20190923-07:19 mgorny 2f8ff094876 www-apps/sitebar 20190923-07:19 mgorny 9b8852294e2 Additions: acct-group/bitcoin20190925-16:52 mattst88 12e4c031c4f acct-group/ipfs 20190919-19:29 juippis caab62ba7d7 acct-group/mosquitto 20190926-18:21 mattst88 101bd70aab1 acct-group/vpopmail 20190924-15:30 juippis 9dbfc4954b1 acct-user/bitcoin 20190925-16:56 mattst88 87268ad0a74 acct-user/ipfs20190919-19:32 juippis 44cd7a445d7 acct-user/mosquitto 20190926-18:24 mattst88 c560cd0ab92 acct-user/vpopmail20190926-20:26 juippis d54b80d6ec6 dev-perl/go-perl 20190929-11:40 pacho f42961251d4 games-action/crimsonland 20190928-15:13 chewi f6322880c50 games-roguelike/neon-chrome 20190928-14:48 chewi 3f1b957df27 games-strategy/satellite-reign20190924-22:28 chewi 8c65509598b media-fonts/cascadia-code 20190922-15:52 juippis b0df00387e1 -- Robin Hugh Johnson Gentoo Linux Developer E-Mail : robb...@gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 Removed Packages: sci-electronics/gplcver,removed,mgorny,20190928-11:31,face36e528a dev-cpp/threadpool,removed,mgorny,20190928-11:30,ce8e182b10b net-misc/libss7,removed,mgorny,20190928-11:30,d00b5b21bf5 games-rpg/eternal-lands-data,removed,mgorny,20190928-11:30,73eec1bc4df games-rpg/eternal-lands-bloodsucker,removed,mgorny,20190928-11:29,97ebcb4274d dev-embedded/scratchbox,removed,mgorny,20190927-06:07,14ea1f1ee57 dev-embedded/scratchbox-devkit-apt-https,removed,mgorny,20190927-06:07,30ca3164f5d dev-embedded/scratchbox-devkit-cputransp,removed,mgorny,20190927-06:07,9c8be95d28f dev-embedded/scratchbox-devkit-debian,removed,mgorny,20190927-06:06,4be25c19e2f dev-embedded/scratchbox-devkit-debian-squeeze,removed,mgorny,20190927-06:06,c3fd6a61cfc dev-embedded/scratchbox-devkit-doctools,removed,mgorny,20190927-06:05,afcb45e0ed4 dev-embedded/scratchbox-devkit-git,removed,mgorny,20190927-06:05,e6e53b2d9da dev-embedded/scratchbox-devkit-maemo3,removed,mgorny,20190927-06:05,e707b5034eb dev-embedded/scratchbox-devkit-perl,removed,mgorny,20190927-06:04,78ab8c461f0 dev-embedded/scratchbox-devkit-qemu,removed,mgorny,20190927-06:04,768f03710ed dev-embedded/scratchbox-devkit-svn,removed,mgorny,20190927-06
Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote: > Hi, > > while I invested some time in the past updating thirdpartymirrors to add > HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: > > Just make sure that HTTPS mirrors are listed first. This sounds like you're wrongly assuming that the package managers are going to consult mirrors in order. This isn't true. > From security point of view, we don't get anything from HTTPS because we > maintain and validate checksums for distfiles and thirdpartymirrors file > is only used for distfiles. > I'm really glad you've ignored the entire point I made in my original post. -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part
Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
Hi, while I invested some time in the past updating thirdpartymirrors to add HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: Just make sure that HTTPS mirrors are listed first. From security point of view, we don't get anything from HTTPS because we maintain and validate checksums for distfiles and thirdpartymirrors file is only used for distfiles. -- Regards, Thomas Deutschmann / Gentoo Linux Developer C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
Hi, On 29/09/2019 11.56, Michał Górny wrote: > WDYT? You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board with that. Ideally, we would switch all of Gentoo resources to HTTPS too. I had a short discussion about it in #-infra where I was looking for distfiles and stage3 snapshots mirror roundrobin that is https enabled, this of course require a huge changes and it unlikely come anytime soon, but for what's it worth, I think no official Gentoo resource should default to non encrypted HTTP, and the only http enabled traffic should be a 301 HTTP redirect to https address. -- Piotr. signature.asc Description: OpenPGP digital signature
[gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)
Hi, Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. I've been putting some effort into switching to HTTPS whenever possible (i.e. when the server's running HTTPS and has a valid certificate). However, the way things work people still have a pretty good chance of hitting HTTP or FTP mirror instead. Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS mirrors for the group in question, we remove all HTTP and FTP alternatives. This way, if mirror:// is actually utilized, people won't unnecessarily use unsecured connections. I believe this falls in line with the generic policy of preferring HTTPS over HTTP/FTP URIs. Why is it useful? In my opinion, the most important point is that it stops third parties from sniffing what the Gentoo hosts are fetching and using this information against them. WDYT? -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part