gnu: font-un: Add mirror.

Message ID 87wpjbdy3u.fsf@we.make.ritual.n0.is
State New

Commit Message

non such Aug. 20, 2016, 7:44 p.m. UTC
This adds another mirror for font-un, this time with tls
enabled. Leaving the sdf.org mirror in the list in case dl.n0.is goes
down.

Comments

Leo Famulari Aug. 22, 2016, 8:26 p.m. UTC | #1
On Sat, Aug 20, 2016 at 07:44:21PM +0000, ng0 wrote:
> This adds another mirror for font-un, this time with tls
> enabled. Leaving the sdf.org mirror in the list in case dl.n0.is goes
> down.

Hi, can you remind us why this is necessary?

non such Aug. 22, 2016, 10:47 p.m. UTC | #2
Leo Famulari <leo@famulari.name> writes:

> On Sat, Aug 20, 2016 at 07:44:21PM +0000, ng0 wrote:
>> This adds another mirror for font-un, this time with tls
>> enabled. Leaving the sdf.org mirror in the list in case dl.n0.is goes
>> down.
>
> Hi, can you remind us why this is necessary?

It is possible that it is unnecessary. My motivation was that tls
enabled source urls provide minimally more security. But we have the
hash of the file which is expected, so there should be no significant
difference between those two protocols, correct?

If this is true, this patch was unnecessary.

Leo Famulari Aug. 31, 2016, 7:25 p.m. UTC | #3
On Mon, Aug 22, 2016 at 10:47:38PM +0000, ng0 wrote:
> > On Sat, Aug 20, 2016 at 07:44:21PM +0000, ng0 wrote:
> >> This adds another mirror for font-un, this time with tls
> >> enabled. Leaving the sdf.org mirror in the list in case dl.n0.is goes
> >> down.
> >
> > Hi, can you remind us why this is necessary?
> 
> It is possible that it is unnecessary. My motivation was that tls
> enabled source urls provide minimally more security. But we have the
> hash of the file which is expected, so there should be no significant
> difference between those two protocols, correct?

Since we check the hash of the downloaded source file, there _shouldn't_
be any difference between using HTTP and HTTPS.

However, users of HTTP don't have the privacy that HTTPS can provide.

Also, HTTP is unauthenticated, so a man-in-the-middle could provide a
malformed source file that exploited bugs in our HTTP client or
hash checker.

Those are the drawbacks of HTTP that I can think of with respect to
Guix's source file downloading. I'm no expert, so I could be wrong, and
there could be other drawbacks.

> If this is true, this patch was unnecessary.

But, I don't think we should start re-hosting the source tarballs
ourselves unless there is no other source. Also, Hydra itself serves as a
content-addressed mirror now.
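
Added example (not part of the thread and not Guix's code): a sketch of the hash-pinned mirror fallback discussed above, where a body altered in transit is rejected and the next mirror is tried. The mirror URLs, the hex SHA-256 encoding, the size cap and the `open_stream` stand-in for an HTTP client are assumptions; note that the client and the hasher still process unverified bytes before the comparison, which is the residual risk raised in the reply.

```python
import hashlib
import hmac

class FetchError(Exception):
    """No mirror returned content matching the pinned hash."""

def fetch_fixed_output(uris, expected_sha256, open_stream, max_bytes=1 << 20):
    """Try each mirror in order; return (uri, data) for the first body whose
    SHA-256 equals the pinned value. Nothing is parsed before that check."""
    failures = []
    for uri in uris:
        digest = hashlib.sha256()
        chunks, size = [], 0
        try:
            for chunk in open_stream(uri):
                size += len(chunk)
                if size > max_bytes:      # cap what an untrusted mirror can send
                    raise ValueError("body exceeds size cap")
                digest.update(chunk)
                chunks.append(chunk)
        except (OSError, ValueError) as err:
            failures.append((uri, str(err)))
            continue
        if hmac.compare_digest(digest.hexdigest(), expected_sha256):
            return uri, b"".join(chunks)
        failures.append((uri, "hash mismatch"))
    raise FetchError(failures)

# Constructed sample data: two hypothetical mirrors of one tarball.
GOOD = b"constructed tarball bytes" * 4
PINNED = hashlib.sha256(GOOD).hexdigest()
MIRRORS = {
    "http://mirror-a.example.invalid/src.tar.gz": GOOD[:-1] + b"X",  # altered in transit
    "https://mirror-b.example.invalid/src.tar.gz": GOOD,
}

def sample_stream(uri):
    """Stand-in for an HTTP client: yields the body in 16-byte chunks."""
    if uri not in MIRRORS:
        raise OSError("mirror unreachable")
    body = MIRRORS[uri]
    return (body[i:i + 16] for i in range(0, len(body), 16))

def demo():
    return fetch_fixed_output(list(MIRRORS), PINNED, sample_stream)

if __name__ == "__main__":
    print(demo()[0])
```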

Patch

From 163375e4af66eacece1860bb7850b7e92cd75cb6 Mon Sep 17 00:00:00 2001
From: ng0 <ng0@we.make.ritual.n0.is>
Date: Sat, 20 Aug 2016 19:40:14 +0000
Subject: [PATCH] gnu: font-un: Add tls mirror.

* gnu/packages/fonts.scm (font-un)[source]: Add mirror.
---
 gnu/packages/fonts.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/fonts.scm b/gnu/packages/fonts.scm
index 9b2281a..e69d5c9 100644
--- a/gnu/packages/fonts.scm
+++ b/gnu/packages/fonts.scm
@@ -708,6 +708,8 @@  symbols unable to be displayed properly.")
     (source (origin
               (method url-fetch)
               (uri (list
+                    (string-append "https://dl.n0.is/hosted/"
+                                   name "-" version ".tar.gz")
                     (string-append
                      "http://krosos.sdf.org/static/unix/"
                      "un-fonts-core-" version ".tar.gz")
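Review bot: the new `https://dl.n0.is/hosted/` entry is inserted ahead of the existing `http://krosos.sdf.org/static/unix/` entry in the `uri` list, so the newly added host becomes the first location listed and the original one drops to second place. If the intent is only to add a fallback, append it after the sdf.org entry instead. The two entries also build different file names (`name "-" version ".tar.gz"` versus `"un-fonts-core-" version ".tar.gz"`), so a short comment stating that the dl.n0.is file is a renamed copy of the same tarball would let a reader confirm both are expected to have identical content. As a style point, the added `string-append` puts its first argument on the same line while the existing call breaks after `string-append`; matching the existing layout keeps the list uniform.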
-- 
2.9.3