Hi,
Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP.
I've been putting some effort into switching to HTTPS whenever possible
(i.e. when the server's running HTTPS and has a valid certificate).
However, the way things work people still have a pretty good chance of
hitting HT
Hi,
On 29/09/2019 11.56, Michał Górny wrote:
> WDYT?
You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board
with that.
Ideally, we would switch all of Gentoo resources to HTTPS too. I had a
short discussion about it in #-infra where I was looking for distfiles
and stage3 snapshots
Hi,
while I invested some time in the past updating thirdpartymirrors to add
HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
Just make sure that HTTPS mirrors are listed first.
From security point of view, we don't get anything from HTTPS because we
maintain and validate
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote:
> Hi,
>
> while I invested some time in the past updating thirdpartymirrors to add
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors:
>
> Just make sure that HTTPS mirrors are listed first.
This sounds like you'r
20190919-19:32 juippis
44cd7a445d7
acct-user/mosquitto 20190926-18:24 mattst88
c560cd0ab92
acct-user/vpopmail20190926-20:26 juippis
d54b80d6ec6
dev-perl/go-perl 20190929-11:40 pacho
> On Sun, 29 Sep 2019, Michał Górny wrote:
> Why is it useful? In my opinion, the most important point is that it
> stops third parties from sniffing what the Gentoo hosts are fetching
> and using this information against them.
It won't hide the fact that a connection was established. Also,
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful? In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against the