
ubuntu-appstore-developers team mailing list archive

Re: Click Packages Upload/Download Service

 

On Wed, Jul 3, 2013 at 9:23 AM, Martin Albisetti
<martin.albisetti@xxxxxxxxxxxxx> wrote:
> On Tue, Jul 2, 2013 at 8:40 PM, Alejandro J. Cura
> <alejandro.cura@xxxxxxxxxxxxx> wrote:
>>
>>
>>> HTTPS will be required for all requests, both for uploads and downloads.
>>> HTTP requests will be unconditionally redirected to HTTPS. [DONE]
>>
>> I can clearly understand why we are using HTTPS for private packages,
>> but I don't understand why we can't use it for public packages (I'm
>> assuming that we have some checksum received via HTTPS before
>> downloading from HTTP, or a package signature, to avoid tampering).
>>
>> My naïve thinking is that allowing HTTP for public packages would
>> result in improved download speeds due to ISP and perhaps CDN
>> caching, hopefully freeing bandwidth in our datacenter for private
>> packages, and perhaps some cost savings too. Am I way off?
>
> I think the savings nowadays are going to be pretty minimal in https
> vs http, and any CDN usage will be of our own, so it won't make a
> difference. We'll be doing caching within our own infrastructure to
> make downloads cheap.
> I'm not sure what client-side verification there's going to be, but I
> think having some level of guarantee that packages can't be tampered
> with at the transport level can only be a good thing.
> Finally, we may need all downloads to be authenticated, so we may not
> want the signed URL to be exposed anywhere else down the chain.
>
> Make sense?

It does, thanks!
-- 
alecu

