From: Dan Lukes
To: freebsd-security
Subject: Re: HTTPS on freebsd.org, git, reproducible builds
Date: Sat, 19 Sep 2015 10:21:10 +0200

Chad J. Milios wrote:
> How did this topic of the conversation start? Because http://freebsd.org
> doesn't issue a redirect to https://? Such a thing does not increase security

I'm against automatic redirection as well. If someone prefers https then he can use it just now. If someone can't use https or doesn't prefer it, then he can use https. I see nothing positive in forcing https regardless of the user's preference.

Regarding binary distribution - I would prefer a validation mechanism independent of the particular transport protocol. E.g. a signature. In such a case even FTP can be used.

Just my $0.02

Dan