On Fri, Nov 12, 2004 at 05:16:24PM +0100, Klaus Wagner wrote:
> ps. are there any plans for having a https site for gentoo, or
> the webservers, where the snapshots are put onto?

While I'm not opposed to ssl/ssh links in any way, I think this would be
more work to install than the signature method that already has a patch.

Consider:

Patch method:
- no mirror needs to be updated
- users can continue to use any available mirrors for
  the webrsync tar (do they exist?)
- the main gentoo server only has to serve the signature
  (this could be put on a single mirror too, point being
  that the signature doesn't have to be on every mirror
  to be effective)

SSL/SSH method:
- either every mirror needs to support it
- or anyone who is concerned, suddenly stops using mirrors
  and switches to the main server
- doesn't detect cases where a mirror is compromised

Just points to be aware of when considering SSL/SSH.

- Chris

--
gentoo-security@g.o mailing list