Bug 864815 - emirrordist ignores FETCHCOMMAND and uses hardwired insecure wget
Summary: emirrordist ignores FETCHCOMMAND and uses hardwired insecure wget
Status: UNCONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Ebuild Support
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-10 16:43 UTC by emdee_is
Modified: 2023-08-30 14:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description emdee_is 2022-08-10 16:43:15 UTC
emerge ignores FETCHCOMMAND and uses insecure wget: in 
site-packages/portage/_emirrordist/FetchTask.py
Line 24 it defines default_fetchcommand as 
 'wget -c -v -t 1 --passive-ftp --no-check-certificate --timeout=60 -O "${DISTDIR}/${FILE}" "${URI}"'
and uses it with checking FETCHCOMMAND at line 487.

FETCHCOMMAND may be required for special proxy or security settings, and it is not nice to use --no-check-certificate hardwired without the user knowing about it or being able to configure it.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 16:52:16 UTC
(In reply to emdee_is from comment #0)
> emerge ignores FETCHCOMMAND and uses insecure wget: in 
> site-packages/portage/_emirrordist/FetchTask.py

Is code from that file executed via emerge?
Comment 2 Mike Gilbert gentoo-dev 2022-08-10 17:04:22 UTC
(In reply to John Helmert III from comment #1)

As far as I can tell, this is only relevant for people using the emirrordist script to replicate distfiles.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 17:51:50 UTC
Note that while this is still likely worth fixing:
1. you couldn't ever really force pure HTTPS when running emirrordist (the origin SRC_URI is what it is, you can't magically *make* it HTTPS);
2. it's comparing against Manifest anyway;
3. generally, mirrors running emirrordist are not a secret. But I accept that it's silly to force some of this.

Please keep in mind this has *no bearing at all* on normal Portage operation.
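As an added illustration of the two points made in this thread (the hardwired wget command in the report, and the Manifest comparison Sam James mentions in comment 3), the following Python is example code written for this page; it is not Portage's or emirrordist's own code. It renders a FETCHCOMMAND template of the quoted shape into argv, reports any option that turns off certificate verification, and verifies a fetched distfile against a Manifest DIST line. The hardened command string, the list of insecure options, and all paths, URIs and file contents are constructed assumptions.

```python
"""Added example, not Portage code: render a FETCHCOMMAND template, flag
TLS-disabling options, and check a distfile against a Manifest DIST line."""
import hashlib
import hmac
import os
import shlex
import tempfile
from string import Template

# The hardwired default quoted in the bug report (FetchTask.py).
DEFAULT_FETCHCOMMAND = (
    'wget -c -v -t 1 --passive-ftp --no-check-certificate --timeout=60 '
    '-O "${DISTDIR}/${FILE}" "${URI}"'
)
# The same command with certificate checking left on (assumed replacement,
# not a Portage default).
HARDENED_FETCHCOMMAND = (
    'wget -c -v -t 1 --passive-ftp --timeout=60 -O "${DISTDIR}/${FILE}" "${URI}"'
)
# Options that disable certificate verification in wget and curl (assumed list).
INSECURE_OPTIONS = {"--no-check-certificate", "-k", "--insecure"}
# Manifest digest names mapped to hashlib names (Gentoo's BLAKE2B is 512-bit).
HASH_NAMES = {"BLAKE2B": "blake2b", "SHA512": "sha512"}


def insecure_options(fetchcommand: str) -> list[str]:
    """Return the TLS-disabling options present in a FETCHCOMMAND string."""
    return [tok for tok in shlex.split(fetchcommand) if tok in INSECURE_OPTIONS]


def resolve_fetchcommand(fetchcommand: str, distdir: str, file: str, uri: str) -> list[str]:
    """Substitute ${DISTDIR}, ${FILE} and ${URI}, then split the result into argv."""
    rendered = Template(fetchcommand).substitute(DISTDIR=distdir, FILE=file, URI=uri)
    return shlex.split(rendered)


def manifest_dist_line(name: str, data: bytes) -> str:
    """Build a 'DIST <name> <size> BLAKE2B <hex> SHA512 <hex>' line for sample data."""
    b2 = hashlib.blake2b(data).hexdigest()
    s5 = hashlib.sha512(data).hexdigest()
    return f"DIST {name} {len(data)} BLAKE2B {b2} SHA512 {s5}"


def parse_manifest(text: str) -> dict[str, tuple[int, dict[str, str]]]:
    """Map distfile name -> (size, {algo: hex}) from the DIST lines of a Manifest."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # DIST, name, size, then (algo, hex) pairs: an odd number of fields.
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 != 1:
            continue
        entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries


def verify_distfile(path: str, name: str, manifest: dict) -> bool:
    """True only if the size and every supported digest match the Manifest entry."""
    if name not in manifest:
        return False
    size, digests = manifest[name]
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) != size:
        return False
    checked = 0
    for algo, expected in digests.items():
        if algo not in HASH_NAMES:
            continue  # digest type we cannot compute; do not count it as verified
        actual = hashlib.new(HASH_NAMES[algo], data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
        checked += 1
    return checked > 0


def run_demo() -> tuple[bool, bool]:
    """Write a good and a tampered distfile into a temporary DISTDIR (no network)
    and verify each against a constructed Manifest; returns (good_ok, tampered_ok)."""
    name = "foo-1.0.tar.gz"
    good = b"constructed tarball contents\n"
    tampered = b"constructed tarball contentS\n"  # same size, one byte changed
    manifest = parse_manifest(manifest_dist_line(name, good))
    with tempfile.TemporaryDirectory() as distdir:
        path = os.path.join(distdir, name)
        with open(path, "wb") as fh:
            fh.write(good)
        good_ok = verify_distfile(path, name, manifest)
        with open(path, "wb") as fh:
            fh.write(tampered)
        tampered_ok = verify_distfile(path, name, manifest)
    return good_ok, tampered_ok


if __name__ == "__main__":
    print("insecure options in default:", insecure_options(DEFAULT_FETCHCOMMAND))
    print(resolve_fetchcommand(HARDENED_FETCHCOMMAND, "/var/cache/distfiles",
                               "foo-1.0.tar.gz", "https://example.org/foo-1.0.tar.gz"))
    print("good, tampered verified:", run_demo())
```

The size-and-digest check is what protects a mirror whose origin SRC_URI is plain HTTP or whose fetcher skips certificate checks: a substituted or truncated file fails verification regardless of how it was transported. The option scan is the kind of test a configurable FETCHCOMMAND would make meaningful, since an operator could then see that the default disables verification and replace it.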