Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote: > Hi, > > while I invested some time in the past updating thirdpartymirrors to add > HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: > > Just make sure that HTTPS mirrors are listed first. This sounds like

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Piotr Karbowski
Hi, On 29/09/2019 11.56, Michał Górny wrote: > WDYT? You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board with that. Ideally, we would switch all of Gentoo resources to HTTPS too. I had a short discussion about it in #-infra where I was looking for distfiles and stage3 snapshots

[gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
Hi, Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. I've been putting some effort into switching to HTTPS whenever possible (i.e. when the server's running HTTPS and has a valid certificate). However, the way things work people still have a pretty good chance of hitting

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Thomas Deutschmann
Hi, while I invested some time in the past updating thirdpartymirrors to add HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: Just make sure that HTTPS mirrors are listed first. From security point of view, we don't get anything from HTTPS because we maintain and validate

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Ulrich Mueller
> On Sun, 29 Sep 2019, Michał Górny wrote: > Why is it useful? In my opinion, the most important point is that it > stops third parties from sniffing what the Gentoo hosts are fetching > and using this information against them. It won't hide the fact that a connection was established. Also,

[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2019-09-29 23:59 UTC

2019-09-29 Thread Robin H. Johnson
20190919-19:32 juippis 44cd7a445d7 acct-user/mosquitto 20190926-18:24 mattst88 c560cd0ab92 acct-user/vpopmail20190926-20:26 juippis d54b80d6ec6 dev-perl/go-perl 20190929-11:40 pacho

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote: > > > > > > On Sun, 29 Sep 2019, Michał Górny wrote: > > Why is it useful? In my opinion, the most important point is that it > > stops third parties from sniffing what the Gentoo hosts are fetching > > and using this information against