From owner-svn-src-all@freebsd.org Sun Jul 29 01:48:46 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 456F81064DC2; Sun, 29 Jul 2018 01:48:46 +0000 (UTC) (envelope-from seanc@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E96FE8A250; Sun, 29 Jul 2018 01:48:45 +0000 (UTC) (envelope-from seanc@FreeBSD.org) Received: from localhost (50-46-198-89.evrt.wa.frontiernet.net [50.46.198.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: seanc) by smtp.freebsd.org (Postfix) with ESMTPSA id 5045B1D0C3; Sun, 29 Jul 2018 01:48:45 +0000 (UTC) (envelope-from seanc@FreeBSD.org) Date: Sat, 28 Jul 2018 18:48:43 -0700 From: Sean Chittenden To: rgrimes@freebsd.org, cem@freebsd.org, Eitan Adler Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers , core@FreeBSD.org Subject: Re: svn commit: r336757 - in head: share/man/man4 share/man/man7 share/misc sys/dev/firewire sys/dev/hwpmc sys/dev/sk sys/dev/sound/pci sys/dev/sound/pcm sys/fs/nfsclient Message-ID: <20180729014843.ea4vbqiyu5zl5kj2@FreeBSD.org> References: <201807271912.w6RJCJbs052385@pdx.rh.CN85.dnsmgr.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="whsoynb3c7yqymt5" Content-Disposition: inline In-Reply-To: <201807271912.w6RJCJbs052385@pdx.rh.CN85.dnsmgr.net> User-Agent: NeoMutt/20180622 X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Jul 2018 01:48:46 -0000 --whsoynb3c7yqymt5 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable > > This may intersect badly with our current policy of not shipping any CA= s in > > base. > > I objected to the conversion of http -> https in base when it started. I= saw > no good reason for it, and for the very reason you site, https is totally > useless in base until you have installed CA's. The inclusion of public CAs is a source of active debate by core@. In adva= nce of a final decision on that subject, we want to get ahead of some of this discussion. The FreeBSD Project's place on the interwebs is secured via HTTPS (with lim= ited exception). Referring to material hosted by the Project using HTTPS is sou= nd best practice that help us collectively improve our security posture. The links where the scheme was changed from http to https are all in documentation or comments, and are NOT used at runtime by developers, opera= tors, or any meaningful automation (i.e. this isn't something pkg(1) or fetch(1) uses). While this process of updating http links to https does cause a bit= of necessary churn, updating http links in documentation and comments is a reasonable activity that help us keep the project current with modern stand= ards. Maintenance activities that enhance our trust with the community is not glamorous and comes in the form of many similar incremental improvements. = Like many things in technology, the definition of what's relevant, competitive, = and modern changes over time (including hardware, protocols, performance primit= ives, developer productivity, and security best practices). Moving to HTTPS for non-runtime links is a sensible example of an incremental improvement that should not be considered avant-garde in this day and age. Regardless of the outcome of core@'s decision to include and maintain publi= c CAs in base (or change a default in the installer to install a port), modernizi= ng docs or other maintenance activities that improve our security posture is a= +1 activity from core@'s perspective. -sc (on behalf of core@) --=20 Sean Chittenden --whsoynb3c7yqymt5 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGTBAEBCgB9FiEE74y44SUGZ4YNR0/x11Nmqtx5Ry0FAltdHPdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEVG OENCOEUxMjUwNjY3ODYwRDQ3NEZGMUQ3NTM2NkFBREM3OTQ3MkQACgkQ11Nmqtx5 Ry1Z4ggAmxpMgrxkAz9q7CQbzLxLg0yHrq8FoCLkDvNMyL4+dCNiTVTRR2NFthBX cQ0CoerpeDroyuO08lh/+789XY5Eqv2ch53RNjDzrtc9zV2K5FTZ27or0tG6sXSA 3y2OtEkY3e/Gd1KB/i4ftuJWWjLiG/a/cgUJ93vNzHM0D3sTNULHUBleSO/ASU3k d2epBStviclW9hWqHlCIOlvFtG56TNAts4Xu8iT7PS4rEACzeo7hLRwOb0ZVlQIP cDbNctZ+0Ncq4AHjNIUESg8N756m38vTVp9HDgmJzz+fIrM8c8reR+VSeeZyMm1O NI6+Cyzfpyz6aQf7WNgqG4C7JloGZg== =YFcd -----END PGP SIGNATURE----- --whsoynb3c7yqymt5--