Michał Górny wrote:
> Many 'FTP' hosts belong to different tiers. There's a major difference
> between knowing that a user is fetching *something* from a big mirror of
> everything, and knowing the exact precise thing being fetched. It may
> mean knowing that the user is fetching vulnerable pack
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful? In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against the
> On Sun, 29 Sep 2019, Michał Górny wrote:
> Why is it useful? In my opinion, the most important point is that it
> stops third parties from sniffing what the Gentoo hosts are fetching
> and using this information against them.
It won't hide the fact that a connection was established. Also,
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
>
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
>
> Just make sure that HTTPS mirrors are listed first.
This sounds like you'r
Hi,
while I invested some time in the past updating thirdpartymirrors to add
HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
Just make sure that HTTPS mirrors are listed first.
From a security point of view, we don't get anything from HTTPS because we
maintain and validate
Hi,
On 29/09/2019 11.56, Michał Górny wrote:
> WDYT?
You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board
with that.
Ideally, we would switch all of Gentoo resources to HTTPS too. I had a
short discussion about it in #-infra where I was looking for distfiles
and stage3 snapshots