Gentoo Archives: gentoo-project

From: Joonas Niilola <juippis@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] RFC: Removing http:// mirror URLs where https:// is available
Date: Mon, 15 Feb 2021 08:19:21
In Reply to: Re: [gentoo-project] RFC: Removing http:// mirror URLs where https:// is available by Thomas Deutschmann
1 On 2/13/21 8:16 PM, Thomas Deutschmann wrote:
2 >
3 > So I would ask differently: What's the motivation behind removing HTTP
4 > URLs? From security POV (file integrity) it doesn't matter for Gentoo
5 > because of Manifests. Regarding privacy improvement we would have to
6 > require TLS 1.3 mirrors only which will not gonna happen.
7 >
8 > Unless there are reasons I am not aware of I would keep status quo.
9 > Keep in mind: There are still use cases where you need HTTP (broken
10 > TLS stack for example). Uncommon but they exist.
12 Hey,
14 I just saw something that made me wonder, and decided to ask from people
15 wiser than me. I guess my rationale was promoting https where available,
16 and remove "duplication". The whole web seems to be moving towards
17 secured connections.
19 Anyway I'm not pursuing this one way or another, but I would've been
20 willing to do the cleaning if there was an agreement for it.
22 >
23 > We maybe should promote HTTPS mirrors, update tooling
24 > (app-portage/mirrorselect) to prefer HTTPS mirrors at all but I
25 > wouldn't remove/hide them (maybe we will end up promoting
26 > only in future since it became a CDN mirror like
27 >
28 >
29 >
30 This sounds good.
32 -- juippis


File name MIME type
OpenPGP_signature.asc application/pgp-signature