On 2021-02-13 18:32, Alec Warner wrote:
> So my recollection is that on the install media, openssl has
> USE=bindist[0] set, which prevents installation of EC TLS support. I
> expect this to be resolved ... hopefully this year. The impact is that
> on the installation media, you may not be able to talk to servers that
> *only* offer EC-based TLS, as the openssl on the installation media
> does not support EC-based TLS.

This was the reason why we added the hobble patch.

I just booted the current install and admin CD and had no problems doing

> # wget -O /dev/null https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20210210T214503Z/stage3-amd64-20210210T214503Z.tar.xz
> --2021-02-13 17:58:50-- https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20210210T214503Z/stage3-amd64-20210210T214503Z.tar.xz
> Resolving bouncer.gentoo.org... 2001:470:ea4a:1:a800:ff:fe73:2f93, 140.211.166.176
> Connecting to bouncer.gentoo.org|2001:470:ea4a:1:a800:ff:fe73:2f93|:443... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: https://mirror.init7.net/gentoo//releases/amd64/autobuilds/20210210T214503Z/stage3-amd64-20210210T214503Z.tar.xz [following]

and

> # wget -O /dev/null https://distfiles.gentoo.org/distfiles/2002a.tar.gz
> --2021-02-13 18:00:04-- https://distfiles.gentoo.org/distfiles/2002a.tar.gz
> Resolving distfiles.gentoo.org... 2a02:6ea0:c700::1, 2a02:6ea0:c700::3, 2a02:6ea0:c700::2, ...
> Connecting to distfiles.gentoo.org|2a02:6ea0:c700::1|:443... connected.

Even `curl https://www.gentoo.org/` works ;-)


So I would ask differently: What's the motivation behind removing HTTP
URLs? From a security POV (file integrity) it doesn't matter for Gentoo
because of Manifests. Regarding privacy improvement, we would have to
require TLS 1.3 mirrors only, which is not going to happen.

Unless there are reasons I am not aware of, I would keep the status quo. Keep
in mind: there are still use cases where you need HTTP (a broken TLS stack,
for example). Uncommon, but they exist.

Maybe we should promote HTTPS mirrors and update tooling
(app-portage/mirrorselect) to prefer HTTPS mirrors, but I wouldn't
remove/hide them (maybe we will end up promoting distfiles.gentoo.org
only in future since it became a CDN mirror like cdn-fastly.deb.debian.org).


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
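The integrity argument in the message above (a distfile fetched over plain HTTP is still safe because Portage checks it against the Manifest) rests on the `DIST` entries of a Manifest, which record the file's size plus BLAKE2B and SHA512 digests. The following is an added example, not code from the post or from Portage: it parses Manifest `DIST` lines and verifies a downloaded file against them, so a file corrupted or tampered with in transit is rejected regardless of the transport. The sample file bytes and the Manifest text are constructed inline; the function names are this example's own. The caveat a practitioner should keep in mind is that the check only helps if the Manifest itself is trusted (Gentoo distributes signed Manifests; signature verification is out of scope here).

```python
"""Verify a downloaded distfile against Gentoo-style Manifest DIST entries.

Manifest DIST line layout:
    DIST <filename> <size> BLAKE2B <hex> SHA512 <hex>
Added example (not Portage code). Sample data below is constructed.
"""
import hashlib
import hmac


def parse_manifest(text):
    """Return {filename: (size, {hashlib_name: hexdigest})} for DIST lines.

    Non-DIST lines (EBUILD, MISC, AUX, signature armour, ...) are ignored.
    Hash names are lowercased so they match hashlib's algorithm names.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "DIST":
            continue
        name, size = fields[1], int(fields[2])
        # fields[3::2] are algorithm names, fields[4::2] the matching digests
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, {k.lower(): v.lower() for k, v in hashes.items()})
    return entries


def verify_distfile(name, data, entries):
    """Check size and every listed digest. Return (ok, reason)."""
    if name not in entries:
        return False, "no DIST entry"
    size, hashes = entries[name]
    if len(data) != size:
        return False, f"size mismatch: {len(data)} != {size}"
    for algo, expected in hashes.items():
        try:
            h = hashlib.new(algo)
        except ValueError:
            # An algorithm this Python build cannot compute is a failure,
            # not a pass: never silently skip an integrity check.
            return False, f"unsupported hash {algo}"
        h.update(data)
        if not hmac.compare_digest(h.hexdigest(), expected):
            return False, f"{algo} mismatch"
    return True, "ok"


def dist_line(name, data):
    """Build a DIST line for `data` (stands in for the signed Manifest)."""
    return "DIST {} {} BLAKE2B {} SHA512 {}".format(
        name, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest(),
    )


# Constructed sample: a fake distfile and a Manifest that lists it.
SAMPLE_NAME = "example-1.0.tar.xz"
SAMPLE_DATA = b"\xfd7zXZ\x00" + b"constructed payload, not a real archive\n" * 8
MANIFEST_TEXT = "\n".join([
    "EBUILD example-1.0.ebuild 512 BLAKE2B deadbeef SHA512 cafebabe",
    dist_line(SAMPLE_NAME, SAMPLE_DATA),
])
ENTRIES = parse_manifest(MANIFEST_TEXT)

# Same length, one byte flipped: what an on-path modification looks like.
TAMPERED = SAMPLE_DATA[:10] + bytes([SAMPLE_DATA[10] ^ 0x01]) + SAMPLE_DATA[11:]


if __name__ == "__main__":
    for label, blob in [("intact", SAMPLE_DATA),
                        ("truncated", SAMPLE_DATA[:-1]),
                        ("tampered", TAMPERED)]:
        print(label, verify_distfile(SAMPLE_NAME, blob, ENTRIES))
```

Size is checked before hashing so a truncated download fails fast; both digests are always checked, and an algorithm the local Python cannot compute counts as a failure rather than being skipped, which is the behaviour you want when the Manifest is the only thing standing between an HTTP mirror and your build.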