> Ebuild uses http:// but should use https:// on line: 7

That is a silly warning, and it's not always fixable. Since the ebuild carries checksums it's also relatively useless, since we can already verify that the file is not compromised.
Ideally repoman would check to ensure that the URL is reachable via HTTPS before displaying that warning. The use of encryption for downloading files also has the benefit of hiding the fact that a particular file is being downloaded from a remote server. This may not matter too much for files hosted on individual project-specific domains/servers, but is more useful when considering the hundreds of projects hosted on common infrastructure such as github.com, freedesktop.org, sourceforge.net, etc. For HOMEPAGE, requiring HTTPS URLs where available encourages users to navigate to HOMEPAGE URLs via a protocol that they can have more trust in (i.e. the advice/documentation they're reading via HOMEPAGE hasn't been maliciously modified via a MITM attacker).
(In reply to Patrick Lauer from comment #0)
> Since the ebuild carries checksums it's also relatively useless, since we
> can already verify that the file is not compromised.

I second this; there is no point in warning about http or ftp in SRC_URI when we check the integrity of files via checksums. Also I am not aware of such a policy, and I cannot find any prior discussion before adding this warning.

(In reply to David Hicks from comment #1)
> The use of encryption for downloading files also has the benefit of hiding
> the fact that a particular file is being downloaded from a remote server.

That won't work for files on Gentoo mirrors (which generally don't support https). Also I don't see why someone would want to hide downloading an open source file. (And if you absolutely must, use something like https://wiki.gentoo.org/wiki/Tor#Portage instead of a half-baked solution that is bound to fail in many cases.)
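The integrity argument made in the comments above (the Manifest's checksums, not the transport, are what guarantee a distfile is unmodified) can be shown with a small verifier. This is an added example, not code from the bug thread or from Portage/repoman; the distfile contents and the `demo-1.0.tar.gz` name are constructed for the demonstration.

```python
"""Added example (not from the bug thread or Portage): verify a fetched
distfile against a Gentoo Manifest DIST entry. The check is the same
whether the file arrived over http://, ftp:// or https://."""
import hashlib

# Constructed sample distfile; a real Manifest line refers to the
# actual upstream tarball.
SAMPLE_DISTFILE = b"fake tarball contents for demonstration\n"

def manifest_line(filename: str, data: bytes) -> str:
    """Build a DIST line in Portage's Manifest format:
    DIST <file> <size> BLAKE2B <hex> SHA512 <hex>"""
    b2 = hashlib.blake2b(data).hexdigest()
    s5 = hashlib.sha512(data).hexdigest()
    return f"DIST {filename} {len(data)} BLAKE2B {b2} SHA512 {s5}"

def parse_dist(line: str) -> dict:
    """Parse one DIST line into filename, size and a {hashname: hex} map."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
        raise ValueError(f"malformed DIST line: {line!r}")
    hashes = dict(zip(fields[3::2], (h.lower() for h in fields[4::2])))
    return {"file": fields[1], "size": int(fields[2]), "hashes": hashes}

def verify_distfile(line: str, data: bytes) -> bool:
    """Return True only if the size and every listed digest match.
    Truncation, a bit flip or a substituted tarball all fail."""
    entry = parse_dist(line)
    if len(data) != entry["size"]:
        return False
    algos = {"BLAKE2B": "blake2b", "SHA512": "sha512"}
    for name, expected in entry["hashes"].items():
        if name not in algos:
            return False  # unknown hash: refuse rather than silently skip
        if hashlib.new(algos[name], data).hexdigest() != expected:
            return False
    return True

MANIFEST_LINE = manifest_line("demo-1.0.tar.gz", SAMPLE_DISTFILE)

if __name__ == "__main__":
    print(MANIFEST_LINE)
    print("intact  :", verify_distfile(MANIFEST_LINE, SAMPLE_DISTFILE))
    print("tampered:", verify_distfile(MANIFEST_LINE, SAMPLE_DISTFILE + b"x"))
```

Note that this only covers integrity; it says nothing about who can observe which file was fetched, which is the separate confidentiality point raised in comment #1.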
repoman support has been removed per bug 835013. Please file a new bug (or, I suppose, reopen this one) if you feel this check is still applicable to pkgcheck and doesn't already exist.