ubuntu-appstore-developers team mailing list archive

Re: Click Packages Upload/Download Service

 

On Tue, Jul 2, 2013 at 8:40 PM, Alejandro J. Cura
<alejandro.cura@xxxxxxxxxxxxx> wrote:
>
>
>> HTTPS will be required for all requests, both for uploads and downloads.
>> HTTP requests will be unconditionally redirected to HTTPS. [DONE]
>
> I can clearly understand why we are using HTTPS for private packages,
> but I don't understand why we can't use it for public packages (I'm
> assuming that we have some checksum received via HTTPS before
> downloading from HTTP, or a package signature, to avoid tampering).
>
> My naïve thinking is that allowing HTTP for public packages would
> result in improved download speeds due to ISP and perhaps CDN
> caching, hopefully freeing bandwidth in our datacenter for private
> packages, and perhaps some cost savings too. Am I way off?

I think the savings nowadays are going to be pretty minimal in https
vs http, and any CDN usage will be of our own, so it won't make a
difference. We'll be doing caching within our own infrastructure to
make downloads cheap.
I'm not sure what client-side verification there's going to be, but I
think having some level of guarantee that packages can't be tampered
with at the transport level can only be a good thing.
Finally, we may need all downloads to be authenticated, so we may not
want the signed URL to be exposed anywhere else down the chain.

Make sense?

--
Martin
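
Added example, not part of the original message or of the project's code: the scheme the quoted question assumes (a checksum received over HTTPS, the package body fetched over plain HTTP) comes down to a client-side check like the one below. The function name, the metadata fields and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile


class IntegrityError(Exception):
    """Downloaded bytes do not match the trusted metadata."""


def fetch_verified(stream, expected_sha256, expected_size, dest_path, chunk=65536):
    """Copy `stream` to `dest_path` only if size and SHA-256 match.

    Assumption: `expected_sha256` and `expected_size` arrived over HTTPS;
    `stream` is the untrusted HTTP response body.
    """
    digest = hashlib.sha256()
    received = 0
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".partial")
    try:
        with os.fdopen(fd, "wb") as tmp:
            while True:
                block = stream.read(chunk)
                if not block:
                    break
                received += len(block)
                # Stop early so a hostile server cannot fill the disk.
                if received > expected_size:
                    raise IntegrityError("body longer than declared size")
                digest.update(block)
                tmp.write(block)
        if received != expected_size:
            raise IntegrityError("body shorter than declared size")
        if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
            raise IntegrityError("SHA-256 mismatch")
        # Only a fully verified file ever appears under the final name.
        os.replace(tmp_path, dest_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return dest_path


# Constructed sample data standing in for a package and its HTTPS-delivered metadata.
PACKAGE = b"constructed click package bytes" * 100
TRUSTED = {"sha256": hashlib.sha256(PACKAGE).hexdigest(), "size": len(PACKAGE)}
```

A check like this covers tampering only; it does not keep a signed download URL off the wire, which is the other concern raised in the reply.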

