On Tue, Jul 2, 2013 at 8:40 PM, Alejandro J. Cura <[email protected]> wrote: > > >> HTTPS will be required for all requests, both for uploads and downloads. >> HTTP >> requests will be unconditionally redirected to HTTPS. [DONE] > > I can clearly understand why we are using HTTPS for private packages, > but I don't understand why we can't use it for public packages (I'm > assuming that we have some checksum received via HTTPS before > downloading from HTTP, or a package signature, to avoid tampering). > > My naïve thinking is that allowing HTTP for public packages would > results in improved download speeds due to ISP and perhaps CDN > caching, hopefully freeing bandwidth in our datacenter for private > packages, and perhaps some cost savings too. Am I way off?
I think the savings nowadays are going to be pretty minimal in https vs http, and any CDN usage will be of our own, so it won't make a difference. We'll be doing caching within our own infrastructure to make downloads cheap. I'm not sure what client-side verification there's going to be, but I think having some level of guarantee that packages can't be tampered with at the transport level can only be a good thing. Finally, we may need all downloads to be authenticated, so we may not want the signed URL to be exposed anywhere else down the chain. Make sense? -- Martin -- Mailing list: https://launchpad.net/~ubuntu-appstore-developers Post to : [email protected] Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers More help : https://help.launchpad.net/ListHelp
