

Hi,

At IPFire, a migration deadline was set and then all HTTP-only mirrors
were removed from the list. :)

We consider HTTPS only on mirror servers a change with security benefit
for IPFire users. Since getting trusted DV certificates is not a problem
anymore - although Let's Encrypt grows bigger and bigger, becoming
too big to fail one day - and cryptography acceleration is widely common,
I do not see a technical reason against this.

Thereof, I propose 2018-10-01 as a deadline to this, removing every
mirror from the list which does not provide HTTPS then.


You could post your https plans to the mirrors mailing list -
mirrors@documentfoundation.org - so everyone involved would be informed.

My priority is to avoid damaging the user experience when downloading,
so if you are planning to disable the other two .hu mirrors, please do not
send all the .hu traffic to my server because the download time would be
greatly increased.


Thank you for considering the suggestion. :)


Cheers,

Peter


On 2020. 02. 09. 20:37, Guilhem Moulin wrote:
Hi,

On Sun, 09 Feb 2020 at 17:05:11 +0100, Florian Effenberger wrote:
> - Chrome seems to disable insecure (i.e. FTP and HTTP) downloads from secure
> websites (HTTPS) like ours in the future.

AFAICT only http:// mirror baseURLs are impacted, because the download
page doesn't redirect to ftp:// nor rsync:// links.

In the past 2 years or so I've regularly run a script to upgrade
baseURLs (typical case is when the operator of an old mirror silently
adds TLS support).  Right now 72/113 (63.71%) have an https:// base URL.
Grouping by region,

 region | insecure | total | ratio 
--------+----------+-------+-------
 af     |        2 |     4 | 50.00
 na     |        6 |    13 | 46.00
 eu     |       23 |    62 | 37.00
 oc     |        1 |     3 | 33.00
 as     |        5 |    17 | 29.00
 sa     |        4 |    14 | 28.00

and by country (only for ratio ≥50%)

 country | insecure | total | ratio  
---------+----------+-------+--------
 pl      |        1 |     1 | 100.00
 tr      |        1 |     1 | 100.00
 za      |        1 |     1 | 100.00
 nc      |        1 |     1 | 100.00
 ru      |        2 |     2 | 100.00
 kr      |        1 |     1 | 100.00
 at      |        1 |     1 | 100.00
 lk      |        1 |     1 | 100.00
 by      |        1 |     1 | 100.00
 bw      |        1 |     1 | 100.00
 ro      |        1 |     1 | 100.00
 ba      |        1 |     1 | 100.00
 bd      |        1 |     1 | 100.00
 pt      |        2 |     3 |  66.00
 hu      |        2 |     3 |  66.00
 cz      |        1 |     2 |  50.00
 br      |        4 |     8 |  50.00
 jp      |        1 |     2 |  50.00
 ca      |        1 |     2 |  50.00
 id      |        1 |     2 |  50.00
 us      |        5 |    10 |  50.00
 dk      |        1 |     2 |  50.00

It's not clear to me how disruptive the change will be in practice,
because we have redirects between the download page and the actual
mirror.  However https:// adoption is at a point where we could remove
http:// base URLs without notice without causing too much disruption on
the remaining mirrors nor users (except perhaps those in South Africa
and Russia).

Also, the target mirror is sent to Matomo like other download metrics.
In January I see 3 (resp. 12) HTTP mirrors with ≥2% (resp. ≥1%) of
redirects.  Among these only the Russian mirrors don't have an HTTPS
fallback nearby (but we have some in Eastern Europe and Asia).

