Re: Blocking high-risk non-secure downloads

(I'm not on the w3 list presently, hopefully this email gets to you
after my sub is confirmed).

Emily wrote:
> I would like to hear from developers if they are distributing downloads
> that they can reasonably SRI but can't move to HTTPS. I know Mike and
> others have argued vociferously in the past against allowing SRI to
> substitute for HTTPS...

Hi!

From the Linux distribution front, with a hat of mirroring.

SRI would be trivial to provide for our content, as we already have the
checksums [1], but we cannot move everything to HTTPS because we don't
control how the mirrors run their systems :-(.

See Gentoo's mirrors page as an example:
https://www.gentoo.org/downloads/mirrors/

Many of the mirrors have not yet deployed HTTPS, despite requests to do
so, or have deployed it in a way that was broken (self-signed certs,
misconfigured vhosts).

We do include sideband signatures for verification:
https://www.gentoo.org/downloads/signatures/

The above was the general list of mirrors.
The direct download links are here:
https://www.gentoo.org/downloads/

All of the links off that page are two formats:
http://distfiles.gentoo.org/...
https://bouncer.gentoo.org/...

distfiles.g.o is a GeoDNS rotation that some of the larger mirrors are
in, specifically without SSL because it would be an untrusted key, as
those mirrors are run by third parties who are not Gentoo.

Bouncer is a HTTP redirection service, that tries to redirect you to a
mirror that:
- is close to you
- actually has the file you're looking for
- If requested on HTTPS, only redirects to HTTPS links where possible.

[1] Example checksums file: https://gentoo.osuosl.org/releases/amd64/autobuilds/current-stage3-amd64/install-amd64-minimal-20190410T214502Z.iso.DIGESTS.asc

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136