On Mon, 30 Mar 2015 11:57:45 +0300
Andrew Savchenko <birc...@gentoo.org> wrote:

> The Gentoo tree is not verified anyway: mirrors distribute it via
> http, rsync and ftp. And using https for that will create a
> tremendous stress on mirrors' CPUs, so this is a bad approach.
> Not to mention that https itself is a very hapless protocol with tons
> of vulnerabilities (all SSL versions are affected and most TLS
> implementations).
> 
> A proper solution will be to use cryptographic verification of
> downloaded files.

We should probably distinguish the security of reading from a Gentoo
mirror and writing to it. But for the paranoid ones we probably should add
the option to read from https:// or other secured protocols too.
