Subject: [bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.
From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver
Cc: 29046@debbugs.gnu.org, Rutger Helling
Date: Tue, 07 Nov 2017 22:12:31 +0100
In-Reply-To: <87tvy5gb9n.fsf@netris.org> (Mark H. Weaver's message of "Tue, 07 Nov 2017 14:05:24 -0500")
Message-ID: <87y3nhyerk.fsf@gnu.org>
References: <70ee5da890c2fe609d54af4a3e1f18df@mykolab.com> <30a6703bf921961424f93af098f2ec8f@mykolab.com> <20171030144408.GB27298@jasmine.lan> <87po94cut9.fsf@netris.org> <20171031022214.GA21447@jasmine.lan> <87zi7y5a37.fsf@gnu.org> <87tvy5gb9n.fsf@netris.org>

Mark H Weaver skribis:

> Is an active attack needed to determine which file we are downloading
> from linux-libre.fsfla.org? I think not. The IP address of that host
> reverse resolves to "linux-libre.fsfla.org", which makes it obvious.
> The title of the paper Ludovic cited above makes the point:
>
> I Know Why You Went to the Clinic
>
> or in this case:
>
> I know why you downloaded 97 megabytes from linux-libre.fsfla.org.
>
> Unless I'm mistaken, using TLS does *not* foil passive surveillance for
> source downloads in the overwhelming majority of cases, and especially
> not in this case. Even at web sites that serve a larger variety of
> software, determining what was downloaded by the amount of data
> transferred does not require an active attack.

You’re right, though it’s already more work for github.com (11% of our packages) or PyPI (17% of our packages).

This discussion is also interesting in the context of , where one of the options discussed would be to favor content-addressable mirrors over upstream sites.

Ludo’.
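The argument in the thread, as an added example that is neither part of the thread nor Guix code: a passive observer who sees only the TLS byte count can narrow a download to the catalog entries whose size fits that count, which is trivial on a single-project mirror and harder on a multi-project index; padding files to size buckets is the mitigation shown. All file names, sizes and the TLS overhead window are constructed assumptions.

```python
from collections import Counter

# Constructed catalogs (not real linux-libre or PyPI figures):
# a single-project mirror versus a multi-project index.
SINGLE_PROJECT = {
    "linux-libre-4.13.tar.xz": 97_000_000,
    "linux-libre-4.13.tar.xz.sign": 833,
}
MULTI_PROJECT = {
    "foo-1.0.tar.gz": 1_048_000,
    "bar-2.3.tar.gz": 1_049_500,
    "baz-0.9.tar.gz": 1_050_200,
    "qux-3.1.tar.gz": 42_000_000,
}


def candidates(catalog, observed_bytes, overhead=(0.0, 0.01)):
    """Catalog entries that could explain an observed TLS byte volume.

    `overhead` is the assumed fractional range of record and framing
    overhead TLS adds on top of the file size (a constructed window)."""
    lo, hi = overhead
    return sorted(name for name, size in catalog.items()
                  if size * (1 + lo) <= observed_bytes <= size * (1 + hi))


def padded(catalog, bucket):
    """Mitigation: round every file up to the next multiple of `bucket`
    bytes so files in the same bucket cannot be told apart by size."""
    return {name: -(-size // bucket) * bucket for name, size in catalog.items()}


def anonymity_set_sizes(catalog):
    """For each file, how many catalog entries share its exact size
    (the size of the set the observer cannot distinguish it from)."""
    counts = Counter(catalog.values())
    return {name: counts[size] for name, size in catalog.items()}


if __name__ == "__main__":
    # 97.3 MB observed on the single-project host: exactly one candidate.
    print(candidates(SINGLE_PROJECT, 97_300_000))
    # ~1.05 MB observed on the index: three candidates within the window.
    print(candidates(MULTI_PROJECT, 1_055_000))
    # After padding to 2 MB buckets, three files become indistinguishable.
    print(anonymity_set_sizes(padded(MULTI_PROJECT, 2_000_000)))
```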