[bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.

unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed

From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw@netris.org>
Cc: 29046@debbugs.gnu.org, Rutger Helling <rhelling@mykolab.com>
Subject: [bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.
Date: Tue, 07 Nov 2017 22:12:31 +0100	[thread overview]
Message-ID: <87y3nhyerk.fsf@gnu.org> (raw)
In-Reply-To: <87tvy5gb9n.fsf@netris.org> (Mark H. Weaver's message of "Tue, 07 Nov 2017 14:05:24 -0500")

Mark H Weaver <mhw@netris.org> skribis:

> Is an active attack needed to determine which file we are downloading
> from linux-libre.fsfla.org?  I think not.  The IP address of that host
> reverse resolves to "linux-libre.fsfla.org", which makes it obvious.
> The title of the paper Ludovic cited above makes the point:
>
>   I Know Why You Went to the Clinic
>
> or in this case:
>
>   I know why you downloaded 97 megabytes from linux-libre.fsfla.org.
>
> Unless I'm mistaken, using TLS does *not* foil passive surveillance for
> source downloads in the overwhelming majority of cases, and especially
> not in this case.  Even at web sites that serve a larger variety of
> software, determining what was downloaded by the amount of data
> transferred does not require an active attack.

You’re right, though it’s already more work for github.com (11% of our
packages) or PyPI (17% of our packages).

This discussion is also interesting in the context of
<https://bugs.gnu.org/28659>, where one of the options discussed would
be to favor content-addressable mirrors over upstream sites.

Ludo’.

next prev parent reply	other threads:[~2017-11-07 21:13 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-28 21:15 [bug#29046] [PATCH] gnu: linux-libre: Update to 4.13.10 and change URL to HTTPS Rutger Helling
2017-10-30  7:06 ` [bug#29046] [PATCH] gnu: linux-libre: Change " Rutger Helling
2017-10-30 14:44   ` Leo Famulari
2017-10-30 19:14     ` Mark H Weaver
2017-10-31  2:22       ` Leo Famulari
2017-11-07 16:26         ` Ludovic Courtès
2017-11-07 19:05           ` Mark H Weaver
2017-11-07 21:12             ` Ludovic Courtès [this message]
2017-11-12 20:48             ` bug#29046: " Leo Famulari

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87y3nhyerk.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=29046@debbugs.gnu.org \
    --cc=mhw@netris.org \
    --cc=rhelling@mykolab.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).