| Summary: | distfiles.gentoo.org does not offer SSL | ||
|---|---|---|---|
| Product: | Websites | Reporter: | Ash <ash.plasma> |
| Component: | Gentoo Website | Assignee: | Gentoo Website Team <www> |
| Status: | RESOLVED CANTFIX | ||
| Severity: | normal | CC: | infra-bugs |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
Ash
2018-12-09 18:48:35 UTC
distfiles.gentoo.org has never had SSL, because we don't control those hosts, despite the domain name. It is merely a round-robin DNS name to our many mirror hosts. The security instead comes from external sources such as manifested repositories for source downloads and GPG signed stage3 downloads. 1. If you don't mind added latency, you can use the distfiles target of bouncer: https://bouncer.gentoo.org/fetch/distfiles/all/ (append the filename you want afterwards) It will not downgrade your request to HTTP (requests MAY be upgraded, but not downgraded). 2. You can see in the mirror data that about half of the mirrors have SSL (28 of 59). https://www.gentoo.org/downloads/mirrors/ intermediate form: https://gitweb.gentoo.org/data/api.git/tree/files/mirrors/distfiles.xml 3. If you see somewhere that explicitly has "https://distfiles.gentoo.org/" written, please report it as a new bug, it should be changed to http:// explicitly. |
