| 1 |
On 2/13/21 8:16 PM, Thomas Deutschmann wrote: |
| 2 |
> |
| 3 |
> So I would ask differently: What's the motivation behind removing HTTP |
| 4 |
> URLs? From security POV (file integrity) it doesn't matter for Gentoo |
| 5 |
> because of Manifests. Regarding privacy improvement we would have to |
| 6 |
> require TLS 1.3 mirrors only which will not gonna happen. |
| 7 |
> |
| 8 |
> Unless there are reasons I am not aware of I would keep status quo. |
| 9 |
> Keep in mind: There are still use cases where you need HTTP (broken |
| 10 |
> TLS stack for example). Uncommon but they exist. |
| 11 |
|
| 12 |
Hey, |
| 13 |
|
| 14 |
I just saw something that made me wonder, and decided to ask from people |
| 15 |
wiser than me. I guess my rationale was promoting https where available, |
| 16 |
and remove "duplication". The whole web seems to be moving towards |
| 17 |
secured connections. |
| 18 |
|
| 19 |
Anyway I'm not pursuing this one way or another, but I would've been |
| 20 |
willing to do the cleaning if there was an agreement for it. |
| 21 |
|
| 22 |
> |
| 23 |
> We maybe should promote HTTPS mirrors, update tooling |
| 24 |
> (app-portage/mirrorselect) to prefer HTTPS mirrors at all but I |
| 25 |
> wouldn't remove/hide them (maybe we will end up promoting |
| 26 |
> distfiles.gentoo.org only in future since it became a CDN mirror like |
| 27 |
> cdn-fastly.deb.debian.org). |
| 28 |
> |
| 29 |
> |
| 30 |
This sounds good. |
| 31 |
|
| 32 |
-- juippis |
Archives