1 |
On 2/13/21 8:16 PM, Thomas Deutschmann wrote: |
2 |
> |
3 |
> So I would ask differently: What's the motivation behind removing HTTP |
4 |
> URLs? From security POV (file integrity) it doesn't matter for Gentoo |
5 |
> because of Manifests. Regarding privacy improvement we would have to |
6 |
> require TLS 1.3 mirrors only which will not gonna happen. |
7 |
> |
8 |
> Unless there are reasons I am not aware of I would keep status quo. |
9 |
> Keep in mind: There are still use cases where you need HTTP (broken |
10 |
> TLS stack for example). Uncommon but they exist. |
11 |
|
12 |
Hey, |
13 |
|
14 |
I just saw something that made me wonder, and decided to ask from people |
15 |
wiser than me. I guess my rationale was promoting https where available, |
16 |
and remove "duplication". The whole web seems to be moving towards |
17 |
secured connections. |
18 |
|
19 |
Anyway I'm not pursuing this one way or another, but I would've been |
20 |
willing to do the cleaning if there was an agreement for it. |
21 |
|
22 |
> |
23 |
> We maybe should promote HTTPS mirrors, update tooling |
24 |
> (app-portage/mirrorselect) to prefer HTTPS mirrors at all but I |
25 |
> wouldn't remove/hide them (maybe we will end up promoting |
26 |
> distfiles.gentoo.org only in future since it became a CDN mirror like |
27 |
> cdn-fastly.deb.debian.org). |
28 |
> |
29 |
> |
30 |
This sounds good. |
31 |
|
32 |
-- juippis |