1 |
On Mon, 30 Mar 2015 11:57:45 +0300 |
2 |
Andrew Savchenko <bircoph@g.o> wrote: |
3 |
|
4 |
> The Gentoo tree is not verified anyway: mirrors distribute it via |
5 |
> http, rsync and ftp. And using https for that will create a |
6 |
> tremendous stress on mirror's CPUs, so this is a bad approach. |
7 |
> Not to mention that https itself is very hapless protocol with tons |
8 |
> of vulnerabilities (all SSL versions are affected and most TLS |
9 |
> implementations). |
10 |
> |
11 |
> A proper solution will be to use cryptographic verification of |
12 |
> downloaded files. |
13 |
|
14 |
We should probably distinguish security of reading from Gentoo mirror |
15 |
and writing to it. But for paranoid ones we probably should add the |
16 |
option to read from https:// or other secured protocols too. |