hi, "https://gitweb.gentoo.org/repo/proj/prefix.git/plain/scripts/bootstrap-prefix.sh" has the following download URL declarations without SSL. 1) http://dev.gentoo.org/~grobian/distfiles prefix-overlay-${PV}.tar.bz2 2) http://dev.gentoo.org/~redlizard/distfile/02_all_disable_modules_and_ssl.patch 3) GNU_URL=${XZ_URL:-http://tukaani.org} bootstrap_gnu xz 5.2.3 -- has https:// with auto-redirection 4) DISTFILES_URL=${DISTFILES_URL:-"http://dev.gentoo.org/~grobian/distfiles"} 5) GNU_URL=${GNU_URL:="http://ftp.gnu.org/gnu"} -- has https:// with auto-redirection. 6) GENTOO_MIRRORS=${GENTOO_MIRRORS:="http://distfiles.gentoo.org"} -- has https:// with improperly configured cert. 7) "http://rsync.prefix.bitzolder.nl" -- has https:// 8) "http://www.opensource.apple.com/darwinsource/tarballs/other" -- has https:// 9) "http://pkg.oracle.com/solaris/release" This drastically increases chances of a possible MITM and unauthorised URL based malicious package redirection or metadata logging while downloading the packages. Please rectify this and notify the domain host / admins where https is not available.
Assigned to prefix team. This should be fixed, but it is their repo to manage.
This is actually on purpose, because SSL isn't available during early bootstrap.
