1 |
On Sun, 2019-09-29 at 16:54 +0200, Thomas Deutschmann wrote: |
2 |
> Hi, |
3 |
> |
4 |
> while I invested some time in the past updating thirdpartymirrors to add |
5 |
> HTTPS where possible too, I see no point in dropping non-HTTPS mirrors: |
6 |
> |
7 |
> Just make sure that HTTPS mirrors are listed first. |
8 |
|
9 |
This sounds like you're wrongly assuming that the package managers are |
10 |
going to consult mirrors in order. This isn't true. |
11 |
|
12 |
> From security point of view, we don't get anything from HTTPS because we |
13 |
> maintain and validate checksums for distfiles and thirdpartymirrors file |
14 |
> is only used for distfiles. |
15 |
> |
16 |
|
17 |
I'm really glad you've ignored the entire point I made in my original |
18 |
post. |
19 |
|
20 |
-- |
21 |
Best regards, |
22 |
Michał Górny |