Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-30 Thread Chí-Thanh Christopher Nguyễn
Michał Górny schrieb: > Many 'FTP' hosts belong to different tiers. There's a major difference > between knowing that a user is fetching *something* from big mirror of > everything, and knowing the exact precise thing being fetched. It may > mean knowing that the user is fetching vulnerable

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote: > > > > > > On Sun, 29 Sep 2019, Michał Górny wrote: > > Why is it useful? In my opinion, the most important point is that it > > stops third parties from sniffing what the Gentoo hosts are fetching > > and using this information against

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Ulrich Mueller
> On Sun, 29 Sep 2019, Michał Górny wrote: > Why is it useful? In my opinion, the most important point is that it > stops third parties from sniffing what the Gentoo hosts are fetching > and using this information against them. It won't hide the fact that a connection was established. Also,

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Michał Górny
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote: > Hi, > > while I invested some time in the past updating thirdpartymirrors to add > HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: > > Just make sure that HTTPS mirrors are listed first. This sounds like

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Thomas Deutschmann
Hi, while I invested some time in the past updating thirdpartymirrors to add HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: Just make sure that HTTPS mirrors are listed first. From security point of view, we don't get anything from HTTPS because we maintain and validate

Re: [gentoo-dev] [RFC] Using HTTPS mirrors only in thirdpartymirrors (when possible)

2019-09-29 Thread Piotr Karbowski
Hi, On 29/09/2019 11.56, Michał Górny wrote: > WDYT? You mean using HTTPS-only mirrors in 3rdparty mirrors? I am on board with that. Ideally, we would switch all of Gentoo resources to HTTPS too. I had a short discussion about it in #-infra where I was looking for distfiles and stage3 snapshots