| 1 |
Hi, |
| 2 |
|
| 3 |
Historically, the majority of our 'thirdpartymirrors' use HTTP or FTP. |
| 4 |
I've been putting some effort into switching to HTTPS whenever possible |
| 5 |
(i.e. when the server's running HTTPS and has a valid certificate). |
| 6 |
However, the way things work people still have a pretty good chance of |
| 7 |
hitting HTTP or FTP mirror instead. |
| 8 |
|
| 9 |
Hence, I'd like to propose that whenever thirdpartymirrors contain HTTPS |
| 10 |
mirrors for the group in question, we remove all HTTP and FTP |
| 11 |
alternatives. This way, if mirror:// is actually utilized, people won't |
| 12 |
unnecessarily use unsecured connections. |
| 13 |
|
| 14 |
I believe this falls in line with the generic policy of preferring HTTPS |
| 15 |
over HTTP/FTP URIs. |
| 16 |
|
| 17 |
Why is it useful? In my opinion, the most important point is that it |
| 18 |
stops third parties from sniffing what the Gentoo hosts are fetching |
| 19 |
and using this information against them. |
| 20 |
|
| 21 |
WDYT? |
| 22 |
|
| 23 |
-- |
| 24 |
Best regards, |
| 25 |
Michał Górny |
Archives