[PATCH] Revert "build: switch VERSION_REPO to HTTPS"

Paul Spooren mail at aparcar.org
Wed Nov 25 13:52:30 EST 2020


On Wed Nov 25, 2020 at 4:11 AM HST, Petr Štetiar wrote:
> Baptiste Jonglez <baptiste at bitsofnetworks.org> [2020-11-25 12:41:18]:
>
> Hi,
>
> > For the imagebuilder, it increases the *total* build time (not just
> > download time!) by +50%:
> > 
> > http://lists.openwrt.org/pipermail/openwrt-devel/2020-September/031406.html
>
> I don't consider 10 seconds a dramatic increase of time, but it of course
> depends on your use case. If you aim for faster builds you can disable
> the HTTPS (one sed command) by yourself, proxy/cache the downloads etc.
>
> One of the project's goals is standard installation secure by default,
> which for me means HTTPS in this case and I'm willing to make this
> 10 second tradeoff.
>
> > On a device, I suspect it will be much worse but I can't currently test
> > that.  It shouldn't be too hard, just make sure to clean opkg files
> > between each test to have a proper apple-to-apple comparison.
>
> You hardly download 100 packages on device. You don't care if it takes
> two minutes, because you're not doing it every day, it's running in the
> background etc.
>
> > The main problem is the lack of persistent connection, which means doing a
> > full expensive TLS exchange for each separate file download, however small
> > it is.  It's a lot of crypto for a small CPU on devices,
>
> You can turn off HTTPS if you prefer speed over maximum security.
>
> > and if it's widely deployed it will also impact the load on the download
> > server.
>
> There should be a CDN from Fastly soon, hopefully before the release, SFC
> has already revisited the deal/documents and AFAIK it's waiting for the
> final signature.
>
> > Thus, it's not reasonable to have this by default in a release.
>
> I don't agree. It has to be default in the next release :-)
>
> > I'm working on adding persistent connection support to opkg but it's not
> > straightforward.
>
> Great, thanks!

I agree with all your points, it should be supported and it should be
default. However, worse than no security seems a false sense of security.
Based on the discussion on IRC I understand that certificates are
inadequately validated, allowing encryption with faked certs.

Until somebody jumps on ustream-ssl and fixes the WolfSSL
implementation, we should consider disabling it.

Best,
Paul


