Re: F38 proposal: RPM Sequoia (System-Wide Change proposal)

On Wed, Oct 19, 2022 at 8:40 AM Vitaly Zaitsev via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 19/10/2022 09:33, Peter Robinson wrote:
> > Why are they insecure? This is public open data, not banking data,
> > where the data being downloaded is verifiable by the rpm signatures
> > and signing keys.
>
> ISPs or anyone on the same network can view, intercept or even
> modify HTTP/rsync traffic.

Sure, but as mentioned it's public data, and the modification, and I
covered that in my reply, would be picked up by the other mechanisms.

> > The flip side is we remove the non https mirrors and the mirror system
> > slows down considerably, or in some cases is even unavailable, for
> users which IMO is more of a problem because people then really do
> > have insecure systems.
>
> We can give mirror owners some time (for example, a month) to migrate
> their mirrors to HTTPS.

The ones that actually care have already migrated, they've been
actively encouraged to do this previously and haven't, see point above
about a lack of mirrors. Ultimately bandwidth is expensive in a lot of
parts of the world for commercial entities to provide, that's why
there are mirrors. There aren't actually that many mirrors left; do we
really want to reduce the number more for end users for no actual
improvement in security?

While where you are there may be lots of mirrors, there are places
where there are very few, and having fewer will likely make Fedora
unusable. I had a report on the arm channel just this week of problems
with lack of available mirrors.