On Mon, Aug 22, 2016 at 10:47:38PM +0000, ng0 wrote: > > On Sat, Aug 20, 2016 at 07:44:21PM +0000, ng0 wrote: > >> This adds another mirror for font-un, this time with tls > >> enabled. Leaving the sdf.org mirror in the list in case dl.n0.is goes > >> down. > > > > Hi, can you remind us why this is necessary? > > It is possible that it is unnecessary. My motivation was that tls > enabled source urls provide minimal more security. But we have the > hash of the file which is expected, so there should be no significant > difference between those two protocols, correct?
Since we check the hash of the downloaded source file, there _shouldn't_ be any difference between using HTTP and HTTPS. However, users of HTTP don't have the privacy that HTTPS can provide. Also, HTTP is unauthenticated, so a man-in-the-middle could provide a malformed source file that exploited bugs in our HTTP client or hash checker. Those are the drawbacks of HTTP that I can think of with respect to Guix's source file downloading. I'm no expert, so I could be wrong, and there could be other drawbacks. > If this is true, this patch was unnecessary. But, I don't think we should start re-hosting the source tarballs ourself unless there is no other source. Also, Hydra itself serves as a content-addressed mirror now.
