Date:      Sat, 06 Nov 2010 00:49:34 -0600
From:      Warner Losh <imp@bsdimp.com>
To:        Garrett Cooper <gcooper@FreeBSD.org>
Cc:        jpaetzel@FreeBSD.org, freebsd-hackers@FreeBSD.org
Subject:   Re: txt-sysinstall scrapped
Message-ID:  <4CD4FA7E.4030602@bsdimp.com>
In-Reply-To: <AANLkTi=G2UEj4P=h=B7Tr58vg7RC9McMZq-q73ArDWOZ@mail.gmail.com>
References:  <201011052316.27839.jpaetzel@freebsd.org>	<AANLkTi=62rRhZsN4wUi6p_yokSxG0tkjUHK7gosLtTRZ@mail.gmail.com>	<20101105.230617.74669306.imp@bsdimp.com> <AANLkTi=G2UEj4P=h=B7Tr58vg7RC9McMZq-q73ArDWOZ@mail.gmail.com>

  On 11/06/2010 00:04, Garrett Cooper wrote:
> On Fri, Nov 5, 2010 at 10:06 PM, Warner Losh<imp@bsdimp.com>  wrote:
>>>      Just to add to that (because I do find it a novel idea), 1) how
>>> are you going to properly prevent man in the middle attacks (SSL, TLS,
>>> etc?), and 2) what webserver would you use?
>> https or ssh.
>>
>> We're also toying with the idea of having a partition that you could
>> 'dd' your certs and keys to (so any system can customize the image
>> with keys to make sure you were talking to who you think you are).
>> We'd just reserve 1MB of space on partition s3.  We'd then check to
>> see if there was a tar ball.  If so, we'd extract it and do the
>> intelligent thing with the keys we find there.
> Wouldn't it be better just to go with a read-write media solution
> (USB) like Matt Dillon was suggesting at today then?
That's exactly what I'm doing, I think.  I didn't hear Matt's suggestion 
at all, so I have no idea what you are talking about.

My idea was that you could do this with an image you'd DD to a usb 
stick.  For the cdrom, you'd need to do more complicated things, which I 
hadn't thought about earlier...  While I thought of this for vm creation 
mostly, I can see cdrom booting might be desirable too...
> Then again,
> determining the root device to date is still a bit kludgy isn't it?
>
Not anymore.  ufs labels and glabel make it almost bulletproof.
>>>      I bring up the former item because I wouldn't want my data going
>>> unencrypted across any wire, and what BSD compatible web servers did
>>> you guys have in store and who would maintain the server, and what
>>> kinds of vulnerabilities would you be introducing by adding a service
>>> which would be enabled by default at runtime?
>> The web server would just be there at installation time.  You'd run it
>> out of the ram disk and it would evaporate when the system reboots
>> after it being installed.
> Sure.
>
>> Also, I'm not sure we even need to have to have a set of prompts.  If
>> we do the web page right, we likely can just go directly to lynx...
> Well... I like the curl idea a lot more for this approach (esp because
> it supports more protocols than just http and ftp, whereas lynx is
> constrained to ftp and http for the most part), but having both
> solutions is more heavyweight for the task than it probably should be.
I must be explaining badly.  lynx isn't for downloading anything from 
the web, but connecting to the web-server that's running on your box to 
configure the box before the install happens.  You don't need https for 
that, and while I suppose we could offer the uber-geek ftp install via 
command line extensions to ftpd, I hadn't planned on that :)

I have no idea what the curl idea is.  Maybe you could explain to me 
what you are suggesting here.

Warner
> Cheers,
> -Garrett
>
>
>



