From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [psa] various server software upgrades
Date: Tue, 08 Dec 2015 08:50:48 +0100
Message-ID: <87a8plnztz.fsf@dell.be.48ers.dk>
In-Reply-To: <20151207225408.GC24430@vapier.lan> (Mike Frysinger's message of "Mon, 7 Dec 2015 17:54:08 -0500")
>>>>> "Mike" == Mike Frysinger <vapier@gentoo.org> writes:
Hi,
>> So how about if we drop the global HSTS headers and http->https
>> redirects for now and then move a bit more slowly forward sub domain by
>> subdomain:
>>
>> 1: Enable https next to http and verify that it works
>> 2: Add http->https redirect and verify that it works
>> 3: add HSTS header
> we're already at (3). even if we weren't, i don't see how transitioning
> would affect the SNI issue. the question is simple: how long do you want
> to (try to) support old systems where people refuse to fix their setup ?
The new setup causes more problems than just SNI. The wget issues are
important for sources.buildroot.{net,org}, but not for e.g. bugzilla.
As I said, it is a question about tradeoffs, and the tradeoffs may be
different for each subdomain.
> we're talking about systems that are over three years old (wget-1.14 was
> released in Aug 2012). what is your cut off ? 3 years ? 4 years ? i'd
> also highlight <wget-1.16 versions have at least one security vuln that
> can be remotely exploited (when you download via ftp -- CVE-2014-4877).
For sources.* (and preferably the buildroot tarballs themselves) I would
prefer it to work even with a wget without SNI support.
I haven't checked the autobuilders (I believe the build script uses
curl), but there we possibly have the same issue.
For bugzilla I don't have any issues requiring SNI and HTTPS.
>> I agree, old systems are a pain - But we do try to keep buildroot
>> working on various enterprise distributions when possible. So far we've
>> worked around SNI issues by using http URLs from those locations instead
>> (and verifying against our local hashes).
> that doesn't help when sites transition to http->https redirects such as
> uclibc.org now does.
Indeed, which is why I would prefer to disable that for
*.buildroot.{org,net}, with the possible exception of
bugs.buildroot.{org,net}.
--
Venlig hilsen,
Peter Korsgaard
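
The workaround mentioned in the thread (fetch over plain http, then verify against locally stored hashes), sketched as an added example; it is not part of the original message and is not Buildroot's own code. The hash-file layout, the file name and the tarball bytes are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: stands in for a tarball fetched over plain HTTP.
GOOD_TARBALL = b"constructed example tarball contents\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"bytes altered in transit\n"

# Constructed local hash file, one "<algo>  <hex digest>  <filename>" entry per
# line (layout assumed for this example). It ships with the build tree, so it
# is trusted independently of the download transport.
HASH_FILE = (
    "# locally computed\n"
    f"sha256  {hashlib.sha256(GOOD_TARBALL).hexdigest()}  example-1.0.tar.gz\n"
    f"sha512  {hashlib.sha512(GOOD_TARBALL).hexdigest()}  example-1.0.tar.gz\n"
)

STRONG_ALGOS = {"sha256", "sha384", "sha512"}  # md5/sha1 alone never count


def parse_hash_file(text):
    """Return {filename: [(algo, hexdigest), ...]}, skipping comments and blanks."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'algo hash filename'")
        algo, digest, name = fields
        entries.setdefault(name, []).append((algo.lower(), digest.lower()))
    return entries


def verify_download(name, data, hash_text):
    """Accept data only if every listed hash matches and one is a strong hash."""
    listed = parse_hash_file(hash_text).get(name)
    if not listed:
        return False, "no local hash: refuse, plain http gives no integrity"
    if not any(algo in STRONG_ALGOS for algo, _ in listed):
        return False, "only weak hashes listed"
    for algo, expected in listed:
        if algo not in hashlib.algorithms_available:
            return False, f"unsupported hash {algo}"
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, f"{algo} mismatch"
    return True, "ok"
```

With this check in place the transport only affects availability: a file altered in transit over http is rejected, and a file with no local hash entry is refused rather than trusted.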