time to drop http from metalinks by default?

[nirik]

Given letsencrypt, it should be pretty easy for mirrors to have https anymore, so perhaps we should just switch over to that fully now?

How many http only mirrors are there left?

[adrianreber]

How many http only mirrors are there left?

Not sure. The SQL query to get this is too complicated for me 😉 . There are 1200 http:// URLs in the database and 500 https://, however.

From what I see with new mirrors, there are still many HTTP only mirrors and especially for private mirrors HTTPS might be unnecessary complicated

[nirik]

Ah yeah, I didn't think of private ones... indeed that could be more difficult. ;(

Perhaps it's worth then just a post to the mirror-admin list asking everyone to make sure they have https and drop http if they do?

Or we could just close this... whatever you prefer.

[nirik]

Perhaps it's worth revisiting this now?

We could exempt the private ones and just enforce no http on public ones?

[adrianreber]

We could make this a Fedora decision by changing the repository file.

CentOS Stream for example disables rsync in the metalink results: https://gitlab.com/redhat/centos-stream/rpms/centos-release/-/blob/c9s/centos.repo?ref_type=heads#L3

Fedora could do the same by only requesting https. Fedora could appen protocol=https to all metalink lines. Or maybe try it with rawhide first.

[nirik]

True... I guess the biggest place it's noticable is the website download isos...

The website link could/should just default to https. Will see if thats feasable.