Date:      Sat, 28 Jul 2018 18:48:43 -0700
From:      Sean Chittenden <seanc@FreeBSD.org>
To:        rgrimes@freebsd.org, cem@freebsd.org, Eitan Adler <eadler@freebsd.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers <src-committers@freebsd.org>, core@FreeBSD.org
Subject:   Re: svn commit: r336757 - in head: share/man/man4 share/man/man7 share/misc sys/dev/firewire sys/dev/hwpmc sys/dev/sk sys/dev/sound/pci sys/dev/sound/pcm sys/fs/nfsclient
Message-ID:  <20180729014843.ea4vbqiyu5zl5kj2@FreeBSD.org>
In-Reply-To: <201807271912.w6RJCJbs052385@pdx.rh.CN85.dnsmgr.net>
References:  <CAG6CVpU6NS0M08%2BZwQ4gRSff=tPa6Q-hWELXJ-iMM0XDU3MQfw@mail.gmail.com> <201807271912.w6RJCJbs052385@pdx.rh.CN85.dnsmgr.net>



> > This may intersect badly with our current policy of not shipping any CAs in
> > base.
>
> I objected to the conversion of http -> https in base when it started.  I saw
> no good reason for it, and for the very reason you cite, https is totally
> useless in base until you have installed CAs.

The inclusion of public CAs is a source of active debate by core@.  In advance
of a final decision on that subject, we want to get ahead of some of this
discussion.

The FreeBSD Project's place on the interwebs is secured via HTTPS (with limited
exception).  Referring to material hosted by the Project using HTTPS is sound
best practice that helps us collectively improve our security posture.

The links where the scheme was changed from http to https are all in
documentation or comments, and are NOT used at runtime by developers, operators,
or any meaningful automation (i.e. this isn't something pkg(1) or fetch(1)
uses).  While this process of updating http links to https does cause a bit of
necessary churn, updating http links in documentation and comments is a
reasonable activity that helps us keep the project current with modern standards.

Maintenance activities that enhance our trust with the community are not
glamorous and come in the form of many similar incremental improvements.  Like
many things in technology, the definition of what's relevant, competitive, and
modern changes over time (including hardware, protocols, performance primitives,
developer productivity, and security best practices).  Moving to HTTPS for
non-runtime links is a sensible example of an incremental improvement that
should not be considered avant-garde in this day and age.

Regardless of the outcome of core@'s decision to include and maintain public CAs
in base (or change a default in the installer to install a port), modernizing
docs or other maintenance activities that improve our security posture is a +1
activity from core@'s perspective.

-sc (on behalf of core@)

-- 
Sean Chittenden
