Note that some of these mirrors have expired and/or self-signed certificates. I've still included them. In my opinion, if you're maintaining your system from a tree that uses only md5sum to verify package integrity [1], fetched from public mirrors you don't control, you have already accepted a certain level of risk that is inherent in that design.
With that in mind, I think it's reasonable, where available, to use a self-signed or expired certificate over SSL rather than unencrypted HTTP. We've already decided to trust the source as a mirror, so the security gained at this point is security by privacy (otherwise known as security by obscurity). By wrapping our system update in SSL we've limited the number of people in the world who have any idea what versions and types of software are installed on our system to just us and the mirror operator. A small gain, but certainly worth the effort of putting an "s" on the URL you're already using. All of these mirrors also have an HTTP tree available from the mirror list at gentoo.org.
- https://ftp.ucsb.edu/pub/mirrors/linux/gentoo/
- https://ftp.ussg.iu.edu/linux/gentoo/
- https://prometheus.cs.wmich.edu/gentoo/
- https://modzer0.cs.uaf.edu/public/gentoo/
- https://mirror.phy.olemiss.edu/mirror/gentoo/
- https://www.las.ic.unicamp.br/pub/gentoo/
- https://ftp.physics.auth.gr/pub/mirrors/gentoo/
- https://linuv.uv.es/mirror/gentoo/
- https://gentoo.channelx.biz/
For example, in make.conf:
GENTOO_MIRRORS="https://ftp.ucsb.edu/pub/mirrors/linux/gentoo/"
And, to let wget accept the expired or self-signed certificates mentioned above:
FETCHCOMMAND="/usr/bin/wget --no-check-certificate -t 5 -P \${DISTDIR} \${URI}"
RESUMECOMMAND="/usr/bin/wget --no-check-certificate -c -t 5 -P \${DISTDIR} \${URI}"
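The post reaches for --no-check-certificate for every mirror, but that switch turns off all verification even when a narrower option would do. The added example below (my code, not from the original post or from Gentoo) classifies a mirror certificate the way a verifying client would and emits the make.conf lines with the least-permissive wget option that still fetches: normal verification for a CA-signed cert, --ca-certificate pinning for a merely self-signed one, and --no-check-certificate only when the cert is expired or carries the wrong name. The certificates are constructed test data in the dict shape of ssl.SSLSocket.getpeercert(), the hostnames are placeholders rather than the mirrors listed above, and the /etc/portage/mirror-certs/ pin path is an assumed location.

```python
import ssl
import time
from urllib.parse import urlparse

def classify_cert(cert, host, now=None):
    """Problems a verifying client raises for this getpeercert()-shaped cert:
    'expired', 'self-signed', 'hostname-mismatch' (empty set = clean)."""
    now = time.time() if now is None else now
    problems = set()
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.add("expired")
    if cert["issuer"] == cert["subject"]:  # nobody but the mirror vouches for it
        problems.add("self-signed")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    def matches(pattern):  # single-label wildcard, as browsers apply it
        if pattern.startswith("*."):
            return host.split(".", 1)[1:] == [pattern[2:]]
        return pattern == host
    if not any(matches(n) for n in sans):
        problems.add("hostname-mismatch")
    return problems

def make_conf_lines(mirror, problems):
    """Emit make.conf lines using the least-permissive wget option that works."""
    host = urlparse(mirror).hostname
    if not problems:
        opts = ""  # CA-signed and valid: let wget verify normally
    elif problems == {"self-signed"}:
        # Trust only this mirror's own cert (pin path is an assumed location)
        opts = f"--ca-certificate=/etc/portage/mirror-certs/{host}.pem "
    else:
        # Expired or wrong name: only disabling verification still fetches
        opts = "--no-check-certificate "
    tail = "-t 5 -P \\${DISTDIR} \\${URI}\""
    return [f'GENTOO_MIRRORS="{mirror}"',
            f'FETCHCOMMAND="/usr/bin/wget {opts}' + tail,
            f'RESUMECOMMAND="/usr/bin/wget {opts}-c ' + tail]

def _cert(cn, issuer, not_after, san):
    """Constructed getpeercert()-shaped test data; not a real mirror's cert."""
    return {"subject": ((("commonName", cn),),), "issuer": ((("commonName", issuer),),),
            "notAfter": not_after, "subjectAltName": (("DNS", san),)}

NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # fixed clock for tests
SAMPLE_CERTS = {  # placeholder hostnames, not the mirrors listed in the post
    "https://mirror-a.example.edu/gentoo/": _cert("mirror-a.example.edu", "Example CA", "Jan  1 00:00:00 2030 GMT", "mirror-a.example.edu"),
    "https://mirror-b.example.edu/gentoo/": _cert("mirror-b.example.edu", "mirror-b.example.edu", "Jan  1 00:00:00 2030 GMT", "*.example.edu"),
    "https://mirror-c.example.net/gentoo/": _cert("mirror-c.example.net", "mirror-c.example.net", "Jan  1 00:00:00 2020 GMT", "mirror-c.example.net"),
}
```

For a live mirror you would obtain the certificate dict from an SSLSocket (or the mirror operator) and pass it to classify_cert together with the URL's hostname; the third sample reproduces exactly the FETCHCOMMAND/RESUMECOMMAND lines shown above.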
[1] The fact that Portage only uses MD5 to verify distfiles is a real issue, one that we've hopefully all realized is there and whose possible risks we have accepted. While the probability of a mirror compromise is low, it is not zero. The Gentoo infrastructure takes steps to minimize this risk, and presumably if you're using Gentoo they meet your criteria. I will say, though, that I sincerely look forward to the day when the Portage tree files are signed by a master key.
1 comment:
Useful links. Thanks a lot!