Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 18 Sep 2015 07:21:32 -0500
From:      Mark Felder <feld@FreeBSD.org>
To:        grarpamp <grarpamp@gmail.com>, freebsd-security@freebsd.org
Cc:        freebsd-questions@freebsd.org
Subject:   Re: HTTPS on freebsd.org, git, reproducible builds
Message-ID:  <1442578892.1807598.387215049.07156D0F@webmail.messagingengine.com>
In-Reply-To: <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com>
References:  <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help


On Thu, Sep 17, 2015, at 22:20, grarpamp wrote:
> Is there some reason "freebsd.org" and all it's
> subdomains don't immediately 302 over to
> https foreverafter?
> 

What good does https on freebsd.org provide except checking a box that
some people are obsessed about right now? You're adding another layer of
complexity. The front page, documentation, handbooks, etc are not
sensitive data.

There are two different opinions on this matter throughout the project:

* Encrypt all the things
* Encrypt what is necessary

If FreeBSD is visibly penalized by Google in the future for not hosting
on https it might be worth doing.

> Same goes for use of svn, which has no native
> signable hashed commit graph, as freebsd's
> canonical repo... instead of git which does.
> 

svn is available over https

> Not to mention the irreproducible builds / pkgs / ISO's.
> 

Nobody is doing this successfully yet. Last I checked Debian is closest.
But keep in mind this is not a security feature, it's debugging feature.
You still need to solve backdoored compilers ("use this new double
compiler method!" OK...) and then you need to solve backdoored hardware.

> These days these flaws are more than a bit ridiculous,
> especially for an OS, which by definition [excepting
> the hardware] should be your root of trust.
> 
> Can we get a wiki project page and some traction on this?
> Thanks.
> 

https://wiki.freebsd.org/ReproducibleBuilds

-- 
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1442578892.1807598.387215049.07156D0F>