[PATCH] Revert "build: switch VERSION_REPO to HTTPS"
Sam Kuper
sampablokuper at posteo.net
Wed Nov 25 13:33:11 EST 2020
On Wed, Nov 25, 2020 at 03:11:24PM +0100, Petr Štetiar wrote:
> Baptiste Jonglez [2020-11-25 12:41:18]:
>> For the imagebuilder, it increases the *total* build time (not just
>> download time!) by +50%:
>>
>> http://lists.openwrt.org/pipermail/openwrt-devel/2020-September/031406.html
>
> I don't consider 10 seconds a dramatic increase in time, but it of
> course depends on your use case. If you aim for faster builds you can
> disable the HTTPS (one sed command) by yourself, proxy/cache the
> downloads etc.
>
> One of the project's goals is a standard installation that is secure by
> default, which for me means HTTPS in this case, and I'm willing to make
> this 10 second tradeoff.
+1
>> On a device, I suspect it will be much worse but I can't currently
>> test that. It shouldn't be too hard, just make sure to clean opkg
>> files between each test to have a proper apple-to-apple comparison.
>
> You hardly download 100 packages on device. You don't care if it takes
> two minutes, because you're not doing it every day, it's running in
> the background etc.
+1
>> The main problem is the lack of persistent connection, which means
>> doing a full expensive TLS exchange for each separate file download,
>> however small it is. It's a lot of crypto for a small CPU on
>> devices,
>
> You can turn off HTTPS if you prefer speed over maximum security
+1
>> Thus, it's not reasonable to have this by default in a release.
>
> I don't agree. It has to be default in the next release :-)
+1
>> I'm working on adding persistent connection support to opkg but it's
>> not straightforward.
>
> Great, thanks!
+1
Thanks to both of you for your efforts. I know everyone is trying to
strike good trade-offs, but security should be prioritised by default.
Thanks again,
Sam
--
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?
() ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.
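The cost Baptiste describes above (no persistent connection, so one complete TLS handshake per downloaded file) can be made visible with a small measurement. The following Go program is an added example for this archive page, not code from the thread, opkg or OpenWrt: it starts a loopback HTTPS server from net/http/httptest standing in for a package feed, counts the connections the server accepts (each one is a full handshake, since the server only speaks TLS), and fetches a run of constructed file names once with keep-alive disabled and once with connection reuse. The file names, body contents and request count are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// FetchStats summarises one simulated feed download run.
type FetchStats struct {
	Files          int           // files requested
	NewConnections int64         // connections the server accepted; over TLS each one is a full handshake
	Elapsed        time.Duration // wall-clock time for the whole run
}

// newFeedServer starts a loopback HTTPS server standing in for a package
// feed (constructed for this example). It counts every connection it
// accepts; because the server only speaks TLS, each accepted connection
// corresponds to one complete handshake.
func newFeedServer() (*httptest.Server, *int64) {
	var conns int64
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Small body, like a feed index entry or a tiny package file.
		fmt.Fprintf(w, "constructed package body for %s\n", r.URL.Path)
	}))
	srv.Config.ConnState = func(_ net.Conn, s http.ConnState) {
		if s == http.StateNew {
			atomic.AddInt64(&conns, 1)
		}
	}
	srv.StartTLS()
	return srv, &conns
}

// downloadFeed fetches n constructed files from a fresh feed server.
// keepAlive=false models a client that opens a new connection per file
// (one handshake each); keepAlive=true models a client that reuses a
// single connection for the whole run.
func downloadFeed(n int, keepAlive bool) (FetchStats, error) {
	srv, conns := newFeedServer()
	defer srv.Close()

	// srv.Client() already trusts the server's self-signed test certificate.
	transport := srv.Client().Transport.(*http.Transport).Clone()
	transport.DisableKeepAlives = !keepAlive
	client := &http.Client{Transport: transport}

	start := time.Now()
	for i := 0; i < n; i++ {
		resp, err := client.Get(fmt.Sprintf("%s/pkg-%d.ipk", srv.URL, i))
		if err != nil {
			return FetchStats{}, err
		}
		// Drain and close the body so the connection can go back to the pool.
		if _, err := io.Copy(io.Discard, resp.Body); err != nil {
			resp.Body.Close()
			return FetchStats{}, err
		}
		resp.Body.Close()
	}
	return FetchStats{
		Files:          n,
		NewConnections: atomic.LoadInt64(conns),
		Elapsed:        time.Since(start),
	}, nil
}

func main() {
	for _, keepAlive := range []bool{false, true} {
		st, err := downloadFeed(50, keepAlive)
		if err != nil {
			panic(err)
		}
		fmt.Printf("keep-alive=%-5v files=%d TLS connections=%d elapsed=%v\n",
			keepAlive, st.Files, st.NewConnections, st.Elapsed)
	}
}
```

Run it with `go run .`; the run without keep-alive accepts as many connections as there are files, the run with keep-alive accepts one, and the elapsed times show the handshake overhead on the machine at hand. Absolute timings depend on the CPU, so only the connection counts are fixed; on the small devices discussed above the gap between the two runs is what matters.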