[PATCH] Revert "build: switch VERSION_REPO to HTTPS"

Petr Štetiar ynezz at true.cz
Wed Nov 25 09:11:24 EST 2020


Baptiste Jonglez <baptiste at bitsofnetworks.org> [2020-11-25 12:41:18]:

Hi,

> For the imagebuilder, it increases the *total* build time (not just
> download time!) by +50%:
> 
> http://lists.openwrt.org/pipermail/openwrt-devel/2020-September/031406.html

I don't consider 10 seconds a dramatic increase of time, but it of course
depends on your use case. If you aim for faster builds you can disable
HTTPS (one sed command) by yourself, proxy/cache the downloads etc.

One of the project's goals is a standard installation that is secure by
default, which for me means HTTPS in this case, and I'm willing to make this
10 second tradeoff.

> On a device, I suspect it will be much worse but I can't currently test
> that.  It shouldn't be too hard, just make sure to clean opkg files
> between each test to have a proper apple-to-apple comparison.

You hardly download 100 packages on a device. You don't care if it takes two
minutes, because you're not doing it every day, it's running in the background
etc.

> The main problem is the lack of persistent connection, which means doing a
> full expensive TLS exchange for each separate file download, however small
> it is.  It's a lot of crypto for a small CPU on devices,

You can turn off HTTPS if you prefer speed over maximum security.

> and if it's widely deployed it will also impact the load on the download
> server.

There should be a CDN from Fastly soon, hopefully before the release, SFC has
already revisited the deal/documents and AFAIK it's waiting for the final
signature.

> Thus, it's not reasonable to have this by default in a release.

I don't agree. It has to be the default in the next release :-)

> I'm working on adding persistent connection support to opkg but it's not
> straightforward.

Great, thanks!


Cheers,

Petr


