On Mon, 2019-09-30 at 07:04 +0200, Ulrich Mueller wrote: > > > > > > On Sun, 29 Sep 2019, Michał Górny wrote: > > Why is it useful? In my opinion, the most important point is that it > > stops third parties from sniffing what the Gentoo hosts are fetching > > and using this information against them. > > It won't hide the fact that a connection was established. Also, the > transferred data are public, and we verify them on the client side by > a checksum. So the advantage of https is very limited here. >
Many 'FTP' hosts belong to different tiers. There's a major difference between knowing that a user is fetching *something* from big mirror of everything, and knowing the exact precise thing being fetched. It may mean knowing that the user is fetching vulnerable package (for whatever reason). -- Best regards, Michał Górny
signature.asc
Description: This is a digitally signed message part
