On 19-10-2022 10:31, Neal Gompa wrote:
> On Wed, Oct 19, 2022 at 4:01 AM Vitaly Zaitsev via devel
> <devel(a)lists.fedoraproject.org> wrote:
> >
> > On 19/10/2022 09:48, Peter Robinson wrote:
> > > Sure but as mentioned it's public data, and the modification, and I
> > > covered that in my reply, would be picked up by the other mechanisms.
> >
> > They can collect a lot of sensitive information: your IP, Fedora
> > version, package versions, etc. This can help with recon for attackers.
> >
> HTTPS does not help with that. It's just a transport protocol.
> Security is covered, as probinson already mentioned, by internal
> verification.
> > > There aren't actually that many mirrors left; do we
> > > really want to reduce the number more for end users for no actual
> > > improvement in security?
> >
> > It will improve privacy at least.
> >
> Not in any meaningful way, and in most cases HTTPS makes mirrors slower too.
> If privacy is your concern, which is something the user has to decide,
> there's the torproxy plugin for DNF. I think that would protect your
> privacy and allow use of plain http - win/win.
> > > Ultimately bandwidth is expensive in a lot of
> > > parts of the world for commercial entities to provide, that's why
> > > there's mirrors.
> >
> > Fedora COPR has moved to Amazon CDN. Maybe Fedora's main mirror can
> > switch to a CDN too?
> >
> We don't have a "main mirror" for that to work.
So, this has been looked into already? It definitely sounds like it
could help in sparsely served parts of the world at a reasonable cost.
-- Sandro (just throwing in my $0.02)