Hi,

Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP.
I've been putting some effort into switching to HTTPS whenever possible
(i.e. when the server's running HTTPS and has a valid certificate).
However, the way things work, people still have a pretty good chance of
hitting an HTTP or FTP mirror instead.

Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS
mirrors for the group in question, we remove all HTTP and FTP
alternatives. This way, if mirror:// is actually utilized, people won't
unnecessarily use unsecured connections.

I believe this falls in line with the generic policy of preferring HTTPS
over HTTP/FTP URIs.

Why is it useful? In my opinion, the most important point is that it
stops third parties from sniffing what the Gentoo hosts are fetching
and using this information against them.

WDYT?

--
Best regards,
Michał Górny
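
The rule proposed in the message above, as an added example that is not part of the original mail or of any Gentoo tooling. It assumes a one-group-per-line layout of the form "<group> <uri> <uri> ..."; the function names, group names and hosts are hypothetical and the sample data is constructed.

```python
# Constructed sample in the assumed "<group> <uri> <uri> ..." layout.
# Group names and hosts are made up for illustration.
SAMPLE = """\
# constructed data, not real mirror entries
alpha https://mirror-a.example.org/pub http://mirror-b.example.org/pub ftp://mirror-c.example.org/pub
beta http://mirror-d.example.net/files ftp://mirror-e.example.net/files
gamma https://mirror-f.example.com/dist HTTPS://mirror-g.example.com/dist
"""


def scheme(uri):
    """Return the lower-cased URI scheme, or '' if there is none."""
    head, sep, _ = uri.partition("://")
    return head.lower() if sep else ""


def prune_insecure(text):
    """Drop http/ftp URIs from every group that has at least one https URI.

    Returns (new_text, dropped), where dropped maps group -> removed URIs.
    Groups without any https mirror are left untouched so they stay usable.
    """
    out_lines, dropped = [], {}
    for line in text.splitlines():
        fields = line.split()
        # Preserve blank lines and comments verbatim.
        if not fields or fields[0].startswith("#"):
            out_lines.append(line)
            continue
        group, uris = fields[0], fields[1:]
        if any(scheme(u) == "https" for u in uris):
            removed = [u for u in uris if scheme(u) in ("http", "ftp")]
            if removed:
                dropped[group] = removed
            # Keep https (and any scheme other than http/ftp) in original order.
            uris = [u for u in uris if scheme(u) not in ("http", "ftp")]
        out_lines.append(" ".join([group] + uris))  # normalises whitespace
    return "\n".join(out_lines) + "\n", dropped


if __name__ == "__main__":
    new_text, dropped = prune_insecure(SAMPLE)
    print(new_text, end="")
    for group, uris in dropped.items():
        print(f"# {group}: removed {len(uris)} insecure mirror(s)")
```

The dropped mapping doubles as a review list: each removed URI can be checked for whether the same host also serves HTTPS with a valid certificate before the entry is discarded.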