On Thu, Feb 15, 2024 at 10:50:19PM +0800, Philip Paeps wrote: > On 2024-02-15 22:40:19 (+0800), Shawn Webb wrote: > > On Thu, Feb 15, 2024 at 10:28:53PM +0800, Philip Paeps wrote: > > > On 2024-02-15 22:06:09 (+0800), Ronald Klop wrote: > > > > Shouldn’t this be > > > > > > > > https://download.freebsd.org/ > > > > > > No. > > > > > > For hysterical raisins, FTP sites conventionally put FreeBSD under > > > /pub/FreeBSD. HTTP mirrors (including http://ftp.FreeBSD.org) have > > > followed > > > that convention. > > > > > > http://download.FreeBSD.org is a more recent addition, and it has > > > FreeBSD > > > under /, not under /pub/FreeBSD. We could teach nginx to put it > > > under > > > /pub/FreeBSD too, but spelling it ftp.FreeBSD.org was less work. > > > > I'm curious to learn why you chose http:// rather than https://. > > Because https:// only adds work. And work is heat. > > bsdinstall uses the MANIFEST to confirm integrity. > > If your bsdinstall and MANIFEST are from a trustworthy source, anything > downloaded over http:// will be trustworthy. Just as trustworthy, in fact, > as anything downloaded over ftp://.
There is the problem of metadata leakage, which HTTPS helps to address (though not completely.) Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
signature.asc
Description: PGP signature
