| 1 |
On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote: |
| 2 |
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote: |
| 3 |
> > Why is it useful? In my opinion, the most important point is that it |
| 4 |
> > stops third parties from sniffing what the Gentoo hosts are fetching |
| 5 |
> > and using this information against them. |
| 6 |
> |
| 7 |
> It won't hide the fact that a connection was established. Also, the |
| 8 |
> transferred data are public, and we verify them on the client side by |
| 9 |
> a checksum. So the advantage of https is very limited here. |
| 10 |
> |
| 11 |
|
| 12 |
Many 'FTP' hosts belong to different tiers. There's a major difference |
| 13 |
between knowing that a user is fetching *something* from big mirror of |
| 14 |
everything, and knowing the exact precise thing being fetched. It may |
| 15 |
mean knowing that the user is fetching vulnerable package (for whatever |
| 16 |
reason). |
| 17 |
|
| 18 |
-- |
| 19 |
Best regards, |
| 20 |
Michał Górny |
Archives