HTTPS on freebsd.org, git, reproducible builds
Mark Felder
feld at FreeBSD.org
Fri Sep 18 12:21:34 UTC 2015
On Thu, Sep 17, 2015, at 22:20, grarpamp wrote:
> Is there some reason "freebsd.org" and all it's
> subdomains don't immediately 302 over to
> https foreverafter?
>
What good does https on freebsd.org provide except checking a box that
some people are obsessed about right now? You're adding another layer of
complexity. The front page, documentation, handbooks, etc are not
sensitive data.
There are two different opinions on this matter throughout the project:
* Encrypt all the things
* Encrypt what is necessary
If FreeBSD is visibly penalized by Google in the future for not hosting
on https it might be worth doing.
> Same goes for use of svn, which has no native
> signable hashed commit graph, as freebsd's
> canonical repo... instead of git which does.
>
svn is available over https
> Not to mention the irreproducible builds / pkgs / ISO's.
>
Nobody is doing this successfully yet. Last I checked Debian is closest.
But keep in mind this is not a security feature, it's debugging feature.
You still need to solve backdoored compilers ("use this new double
compiler method!" OK...) and then you need to solve backdoored hardware.
> These days these flaws are more than a bit ridiculous,
> especially for an OS, which by definition [excepting
> the hardware] should be your root of trust.
>
> Can we get a wiki project page and some traction on this?
> Thanks.
>
https://wiki.freebsd.org/ReproducibleBuilds
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
More information about the freebsd-questions
mailing list