[PATCH] Revert "build: switch VERSION_REPO to HTTPS"

Sam Kuper sampablokuper at posteo.net
Wed Nov 25 13:33:11 EST 2020


On Wed, Nov 25, 2020 at 03:11:24PM +0100, Petr Štetiar wrote:
> Baptiste Jonglez [2020-11-25 12:41:18]:
>> For the imagebuilder, it increases the *total* build time (not just
>> download time!) by +50%:
>> 
>> http://lists.openwrt.org/pipermail/openwrt-devel/2020-September/031406.html
> 
> I don't consider 10 seconds a dramatic increase of time, but it of
> course depends on your use case. If you aim for faster builds you can
> disable the HTTPS (one sed command) by yourself, proxy/cache the
> downloads etc.
> 
> One of the project's goals is a standard installation secure by default,
> which for me means HTTPS in this case, and I'm willing to make this 10
> second tradeoff.

+1

>> On a device, I suspect it will be much worse but I can't currently
>> test that.  It shouldn't be too hard, just make sure to clean opkg
>> files between each test to have a proper apple-to-apple comparison.
> 
> You hardly download 100 packages on device. You don't care if it takes
> two minutes, because you're not doing it every day, it's running in
> the background etc.

+1

>> The main problem is the lack of persistent connection, which means
>> doing a full expensive TLS exchange for each separate file download,
>> however small it is.  It's a lot of crypto for a small CPU on
>> devices,
> 
> You can turn off HTTPS if you prefer speed over maximum security

+1

>> Thus, it's not reasonable to have this by default in a release.
> 
> I don't agree. It has to be default in the next release :-)

+1

>> I'm working on adding persistent connection support to opkg but it's
>> not straightforward.
> 
> Great, thanks!

+1

Thanks to both of you for your efforts.  I know everyone is trying to
strike good trade-offs, but security should be prioritised by default.

Thanks again,

Sam

-- 
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.