| 1 |
On 2021-02-13 18:32, Alec Warner wrote: |
| 2 |
> So my recollection is that on the install media, openssl has |
| 3 |
> USE=bindist[0] set, which prevents installation of EC TLS support. I |
| 4 |
> expect this to be resolved ..hopefully this year. The impact is that |
| 5 |
> on the installation media, you may not be able to talk to servers that |
| 6 |
> *only* offer EC-based TLS, as the openssl on the installation media |
| 7 |
> does not support EC-based TLS. |
| 8 |
|
| 9 |
This was the reason why we added the hobble patch. |
| 10 |
|
| 11 |
I just booted current install and admin CD and had no problems to do |
| 12 |
|
| 13 |
> # wget -O /dev/null https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20210210T214503Z/stage3-amd64-20210210T214503Z.tar.xz |
| 14 |
> --2021-02-13 17:58:50-- https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20210210T214503Z/stage3-amd64-20210210T214503Z.tar.xz |
| 15 |
> Resolving bouncer.gentoo.org... 2001:470:ea4a:1:a800:ff:fe73:2f93, 140.211.166.176 |
| 16 |
> Connecting to bouncer.gentoo.org|2001:470:ea4a:1:a800:ff:fe73:2f93|:443... connected. |
| 17 |
> HTTP request sent, awaiting response... 302 Found |
| 18 |
> Location: https://mirror.init7.net/gentoo//releases/amd64/autobuilds/20210210T214503Z/stage3-amd64-20210210T214503Z.tar.xz [following] |
| 19 |
|
| 20 |
and |
| 21 |
|
| 22 |
> # wget -O /dev/null https://distfiles.gentoo.org/distfiles/2002a.tar.gz |
| 23 |
> --2021-02-13 18:00:04-- https://distfiles.gentoo.org/distfiles/2002a.tar.gz |
| 24 |
> Resolving distfiles.gentoo.org... 2a02:6ea0:c700::1, 2a02:6ea0:c700::3, 2a02:6ea0:c700::2, ... |
| 25 |
> Connecting to distfiles.gentoo.org|2a02:6ea0:c700::1|:443... connected. |
| 26 |
|
| 27 |
Even `curl https://www.gentoo.org/` works ;-) |
| 28 |
|
| 29 |
|
| 30 |
So I would ask differently: What's the motivation behind removing HTTP |
| 31 |
URLs? From security POV (file integrity) it doesn't matter for Gentoo |
| 32 |
because of Manifests. Regarding privacy improvement we would have to |
| 33 |
require TLS 1.3 mirrors only which will not gonna happen. |
| 34 |
|
| 35 |
Unless there are reasons I am not aware of I would keep status quo. Keep |
| 36 |
in mind: There are still use cases where you need HTTP (broken TLS stack |
| 37 |
for example). Uncommon but they exist. |
| 38 |
|
| 39 |
We maybe should promote HTTPS mirrors, update tooling |
| 40 |
(app-portage/mirrorselect) to prefer HTTPS mirrors at all but I wouldn't |
| 41 |
remove/hide them (maybe we will end up promoting distfiles.gentoo.org |
| 42 |
only in future since it became a CDN mirror like cdn-fastly.deb.debian.org). |
| 43 |
|
| 44 |
|
| 45 |
-- |
| 46 |
Regards, |
| 47 |
Thomas Deutschmann / Gentoo Linux Developer |
| 48 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives