On Thu, Sep 17, 2015, at 22:20, grarpamp wrote:
> Is there some reason "freebsd.org" and all its
> subdomains don't immediately 302 over to
> https foreverafter?
>

What good does https on freebsd.org provide except checking a box that some people are obsessed about right now? You're adding another layer of complexity. The front page, documentation, handbooks, etc. are not sensitive data.

There are two different opinions on this matter throughout the project:

* Encrypt all the things
* Encrypt what is necessary

If FreeBSD is visibly penalized by Google in the future for not hosting on https it might be worth doing.

> Same goes for use of svn, which has no native
> signable hashed commit graph, as freebsd's
> canonical repo... instead of git which does.
>

svn is available over https

> Not to mention the irreproducible builds / pkgs / ISO's.
>

Nobody is doing this successfully yet. Last I checked Debian is closest. But keep in mind this is not a security feature, it's a debugging feature. You still need to solve backdoored compilers ("use this new double compiler method!" OK...) and then you need to solve backdoored hardware.

> These days these flaws are more than a bit ridiculous,
> especially for an OS, which by definition [excepting
> the hardware] should be your root of trust.
>
> Can we get a wiki project page and some traction on this?
> Thanks.
>

https://wiki.freebsd.org/ReproducibleBuilds

-- 
Mark Felder
ports-secteam member
feld at FreeBSD.org
On Fri, Sep 18, 2015, at 07:21, Mark Felder wrote:
>
> > Same goes for use of svn, which has no native
> > signable hashed commit graph, as freebsd's
> > canonical repo... instead of git which does.
> >
>
> svn is available over https
>

I got caught up in the https discussion and didn't cover this properly. No, I don't think we're going to use git any time soon. There's an official mirror here, though:

https://github.com/freebsd/

-- 
Mark Felder
ports-secteam member
feld at FreeBSD.org
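The svn-versus-git point quoted above rests on git's hashed commit graph: a commit id is a SHA-1 over the tree id and the parent commit id, so a signature over the tip commit pins every ancestor. The following is an added example, not code from the thread or from the FreeBSD project, that reconstructs git's object hashing in plain Python and shows that rewriting any ancestor changes the tip id; the author/committer field, file names and file contents are constructed.

```python
import hashlib
from typing import Dict, List, Optional

def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 over 'kind <size>\\0' + body, which is how git names every object."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(entries: Dict[str, str]) -> str:
    """entries maps file name -> blob id; all entries are regular files (mode 100644)."""
    body = b""
    for name in sorted(entries):  # git stores tree entries sorted by name
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(entries[name])
    return git_object_id("tree", body)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """The parent id is part of the hashed body, which is what chains the graph."""
    ident = "Example <example@example.invalid> 1442578892 +0000"  # constructed identity
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def build_history(versions: List[bytes]) -> List[str]:
    """One linear commit per version of a single constructed file README."""
    ids: List[str] = []
    parent: Optional[str] = None
    for i, content in enumerate(versions):
        commit = commit_id(tree_id({"README": blob_id(content)}), parent, f"revision {i}")
        ids.append(commit)
        parent = commit
    return ids

def first_divergence(versions: List[bytes], index: int, new_content: bytes) -> int:
    """Rewrite versions[index] and report the first commit whose id changes (-1 if none).

    Every commit from that point to the tip gets a new id, so a signature made over
    the original tip id no longer matches the rewritten history."""
    original = build_history(versions)
    altered = list(versions)
    altered[index] = new_content
    changed = build_history(altered)
    for i, (a, b) in enumerate(zip(original, changed)):
        if a != b:
            return i
    return -1
```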
--------
In message <1442578892.1807598.387215049.07156D0F at webmail.messagingengine.com>, Mark Felder writes:
> There are two different opinions on this matter throughout the project:
>
> * Encrypt all the things
> * Encrypt what is necessary

I can recommend the book "Command & Control" as a very interesting introduction to the value of "proportional response defense".

The War On Privacy will not be won by putting HTTP on totally public information like FreeBSD.org, it is a political issue.

The only way to win political issues is to engage in politics.

That means voting for the right politicians. If no candidates are suitable, inspire people to become candidates. If that fails too: Become a candidate yourself.

If you feel you have more important things to do than engage in politics, then you will have to live with the consequences.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG      | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.