svn commit: r336757 - in head: share/man/man4 share/man/man7 share/misc sys/dev/firewire sys/dev/hwpmc sys/dev/sk sys/dev/sound/pci sys/dev/sound/pcm sys/fs/nfsclient

Sean Chittenden seanc at FreeBSD.org
Sun Jul 29 01:48:46 UTC 2018


> > This may intersect badly with our current policy of not shipping any CAs in
> > base.
>
> I objected to the conversion of http -> https in base when it started.  I saw
> no good reason for it, and for the very reason you cite, https is totally
> useless in base until you have installed CAs.

The inclusion of public CAs is a source of active debate by core@.  In advance
of a final decision on that subject, we want to get ahead of some of this
discussion.

The FreeBSD Project's place on the interwebs is secured via HTTPS (with limited
exception).  Referring to material hosted by the Project using HTTPS is sound
best practice that helps us collectively improve our security posture.

The links where the scheme was changed from http to https are all in
documentation or comments, and are NOT used at runtime by developers, operators,
or any meaningful automation (i.e. this isn't something pkg(1) or fetch(1)
uses).  While this process of updating http links to https does cause a bit of
necessary churn, updating http links in documentation and comments is a
reasonable activity that helps us keep the project current with modern standards.

Maintenance activities that enhance our trust with the community are not
glamorous and come in the form of many similar incremental improvements.  Like
many things in technology, the definition of what's relevant, competitive, and
modern changes over time (including hardware, protocols, performance primitives,
developer productivity, and security best practices).  Moving to HTTPS for
non-runtime links is a sensible example of an incremental improvement that
should not be considered avant-garde in this day and age.

Regardless of the outcome of core@'s decision to include and maintain public CAs
in base (or change a default in the installer to install a port), modernizing
docs or other maintenance activities that improve our security posture is a +1
activity from core@'s perspective.

-sc (on behalf of core@)

-- 
Sean Chittenden

