--> https://www.gentoo.org/downloads/ https-certificate for https://distfiles.gentoo.org/ does not work (because it redirects to https://gentoo.osuosl.org/ Steps to reproduce: ---- $ wget https://distfiles.gentoo.org --2020-01-20 12:19:37-- https://distfiles.gentoo.org/ Resolving distfiles.gentoo.org... 64.50.236.52, 156.56.247.195, 216.165.129.135, ... Connecting to distfiles.gentoo.org|64.50.236.52|:443... connected. ERROR: no certificate subject alternative name matches requested host name 'distfiles.gentoo.org'. To connect to distfiles.gentoo.org insecurely, use `--no-check-certificate'. ---- GPG Keys are not uptodate (https://www.gentoo.org/downloads/signatures/) Steps to reproduce: --- wget https://gentoo.osuosl.org/releases/amd64/autobuilds/current-stage3-amd64/stage4-amd64-minimal-20200119T214502Z.tar.xz.DIGESTS.asc 2> --quiet -O - | gpg .... gpg: Signature made Mon Jan 20 06:05:25 2020 CET gpg: using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043 ---
Where do you see any link to https://distfiles.gentoo.org/ ? This is known to not work since it's a DNS round robin.
on https://www.gentoo.org/downloads/ multiple times. all "minimal install" and "stage 3". just hybrid iso goes to: https://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/ which looks like outdated?!?
Those are all http links though, not https.
right, I just copied it from the browser and prefix it with https - since I considered this a defact to standard? at least for the ebuilds I saw a couple of "use https" PRs.
We cannot currently use https for distfiles.gentoo.org specifically for this reason. I believe there may be some eventual plans to use a bouncer for that instead of a plain DNS round-robin. I don't think there's anything for releng to fix here though.
mmh, okay but feels quite suspecious… what about the gpg-key? why is has not been add at least there: https://www.gentoo.org/downloads/signatures/ ?
The releng keys are now in the stage3.
