On Fri, Nov 19, 2021 at 2:49 AM Adrian Reber adrian@lisas.de wrote:
I was curious about the reordering part and the reason reordering helps is that curl tries to guess the local file name and if path is at the end curl guesses it right. The reordering does not change the content you get from the server in any way.
Yes, I would rather (from a UX point of view) have things match with a clean output vs having a mangled filename. GNOME Boxes itself appends a ~ character to its own downloads, so it's not the biggest issue.
On Fri, Nov 19, 2021 at 2:49 AM Adrian Reber adrian@lisas.de wrote:
You will get http and https mirrors if you do not specify the protocol option. Using protocol you can limit it to a certain protocol.
Yes. The question was more about what the Project believes should be the default protocol here for use in osinfo-db. At the moment I have it configured to serve the mirrorlist over HTTPS and select only HTTPS mirrors. However, I know HTTPS can be an issue in some environments, such as with corporate firewalls that like to MITM traffic (a usual suspect for things like repos/registries in tooling). Whether that's an impact in a download like this, I'm not sure as I will not claim to be a networking or security guru. So from a layman perspective I'm trying to figure out whether this should cover the broadest use case or the most secure (again, this will define things for any project using osinfo-db).
# Using 'both' to signify the absence of param or combined use of http,https values. http{,s}://mirrors.centos.org/mirrorlist?protocol={both,http,https}
https://gitlab.com/libosinfo/osinfo-db/-/merge_requests/376