On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote:
> > > > > > On Sun, 29 Sep 2019, Michał Górny wrote:
> > Why is it useful? In my opinion, the most important point is that it
> > stops third parties from sniffing what the Gentoo hosts are fetching
> > and using this information against them.
>
> It won't hide the fact that a connection was established. Also, the
> transferred data are public, and we verify them on the client side by
> a checksum. So the advantage of https is very limited here.
>
|
Many 'FTP' hosts belong to different tiers. There's a major difference
between knowing that a user is fetching *something* from a big mirror of
everything, and knowing the exact precise thing being fetched. It may
mean knowing that the user is fetching a vulnerable package (for whatever
reason).
|
-- 
Best regards,
Michał Górny