HTTPS on, git, reproducible builds

Mark Felder feld at
Fri Sep 18 12:21:34 UTC 2015

On Thu, Sep 17, 2015, at 22:20, grarpamp wrote:
> Is there some reason "" and all it's
> subdomains don't immediately 302 over to
> https foreverafter?

What good does https on provide except checking a box that
some people are obsessed about right now? You're adding another layer of
complexity. The front page, documentation, handbooks, etc are not
sensitive data.

There are two different opinions on this matter throughout the project:

* Encrypt all the things
* Encrypt what is necessary

If FreeBSD is visibly penalized by Google in the future for not hosting
on https it might be worth doing.

> Same goes for use of svn, which has no native
> signable hashed commit graph, as freebsd's
> canonical repo... instead of git which does.

svn is available over https

> Not to mention the irreproducible builds / pkgs / ISO's.

Nobody is doing this successfully yet. Last I checked Debian is closest.
But keep in mind this is not a security feature, it's debugging feature.
You still need to solve backdoored compilers ("use this new double
compiler method!" OK...) and then you need to solve backdoored hardware.

> These days these flaws are more than a bit ridiculous,
> especially for an OS, which by definition [excepting
> the hardware] should be your root of trust.
> Can we get a wiki project page and some traction on this?
> Thanks.

  Mark Felder
  ports-secteam member
  feld at

More information about the freebsd-questions mailing list