On Sat, Feb 13, 2021 at 03:37:52AM +0100, Danny Milosavljevic wrote:
> Changing the URL to "https" instead of "ftp" would work.
> Changing it to "http" instead of "ftp" would also work.
> Which should we use?

I recommend HTTPS over HTTP. Although we don't verify the HTTPS
certificate with the X.509 PKI for this case [0], it still protects
against passive eavesdropping.

[0] https://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/perform-download.scm?id=0e3de2cf1108ed0226297046302079fab9057522#n84