Open Googulator opened 8 months ago
Given that all downloaded files are currently checked using a hash, the CA bundle could be omitted. This would get the sustainability/compatibility of HTTPS, keeping the authenticity from the hash. Although this would compromise privacy compared to a CA bundle.
This is the approach currently taken by nixpkgs/NixOS.
Plain HTTP is a dangerous dependency for sustainability. Plain HTTP download sources are expected to become increasingly rare as sites switch to redirecting to their HTTPS versions.
For this reason, it's advisable to switch to including prerequisites for HTTPS downloads in srcfs.
Unfortunately, this will increase srcfs size, which I would like to see reduced to no more than 256MiB, to facilitate building "trusted flash drives". For this reason, various strategies will be needed to reduce the overhead, e.g.: