On 19/10/2022 09:33, Peter Robinson wrote:
Why are they insecure? This is public open data, not banking data, where the data being downloaded is verifiable by the rpm signatures and signing keys.
ISPs or anyone on the the same network can view, intercept or even modify HTTP/rsync traffic.
The flip side is we remove the non https mirrors and the mirror system slows down considerably, or in some cases is even unavailable, for users which in IMO is more of a problem because people then really do have insecure systems.
We can give mirror owners some time (for example, a month) to migrate their mirrors to HTTPS.
-- Sincerely, Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx) _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
