- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 26 Apr 2021 19:01:13 +1000
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
This isn't a set of recommendations for FOSS project package updates, PHK.

Perhaps we should take this question to the security directorate; ultimately they're going to weigh in during IETF LC anyway, and this type of policy is more in their bailiwick.

Cheers,

> On 26 Apr 2021, at 6:59 pm, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>
> --------
> Willy Tarreau writes:
>
>> Imagine a service used to retrieve signatures of package updates, it's
>> possible that such signatures are implicitly controllable (e.g. PGP),
>
> This is actually a very on-point use-case: Most FOSS projects cannot
> afford CDNs and release-day traffic can be brutal.
>
> Using HTTP and allowing sensible client-side caching is a good solution
> since it allows end-user sites to loft a Squid for just that.
>
> However, I'm not sure to what extent this really comes under BCP56bis,
> since it is usually just "dumb file download".
>
>> I really think that a strong recommendation is better, or even a SHOULD
>> (i.e. it's the expected way of doing it, unless there is a good reason
>> not to). MUST forces violations when there is a good reason that spec
>> authors couldn't imagine, and I don't like encouraging violations.
>
> Agreed.
>
> Mandating HTTPS where it does not belong is not good policy.
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.

--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 26 April 2021 09:01:38 UTC
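The client-side check behind the package-update use case in the thread above, as an added example that is not from this thread or from any project it mentions: a client pulls an artifact and its detached signature over an untrusted path (plain HTTP, a CDN, or a site-local Squid) and installs only if the signature verifies under a pinned project key. It uses Ed25519 from Go's standard library in place of the PGP the thread mentions, an in-memory map in place of the HTTP mirror, and constructed file names and sample bytes; none of those are from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Mirror stands in for an untrusted distribution path: a plain-HTTP
// release server, a CDN, or a site-local Squid cache. The client never
// trusts its contents; it trusts only the project's pinned public key.
// (In-memory stand-in for this example; a real client would use HTTP.)
type Mirror map[string][]byte

// Clone copies a mirror so a scenario can be altered without touching the original.
func (m Mirror) Clone() Mirror {
	c := Mirror{}
	for k, v := range m {
		c[k] = v
	}
	return c
}

// signedMessage binds the signature to the file name as well as the bytes,
// so a valid signature for one artifact cannot be replayed under another name.
func signedMessage(name string, payload []byte) []byte {
	msg := append([]byte(name), 0)
	return append(msg, payload...)
}

// signRelease is the publisher side, run offline on release day.
func signRelease(priv ed25519.PrivateKey, name string, payload []byte) []byte {
	return ed25519.Sign(priv, signedMessage(name, payload))
}

// FetchAndVerify reads an artifact and its detached signature from the mirror
// and returns the artifact only if the signature checks out under the pinned
// key. Any error means: do not install.
func FetchAndVerify(m Mirror, pinned ed25519.PublicKey, name string) ([]byte, error) {
	payload, ok := m[name]
	if !ok {
		return nil, fmt.Errorf("%s: not found on mirror", name)
	}
	sig, ok := m[name+".sig"]
	if !ok {
		return nil, fmt.Errorf("%s.sig: not found on mirror", name)
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed detached signature")
	}
	if !ed25519.Verify(pinned, signedMessage(name, payload), sig) {
		return nil, fmt.Errorf("%s: signature does not verify under pinned key", name)
	}
	return payload, nil
}

// NewTestMirror builds a mirror holding two validly signed releases and
// returns the public key a client would pin. All data is constructed.
func NewTestMirror() (Mirror, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	m := Mirror{}
	for name, body := range map[string][]byte{
		"pkg-1.0.tar.gz": []byte("release 1.0 tarball bytes (constructed)"),
		"pkg-0.9.tar.gz": []byte("release 0.9 tarball bytes (constructed)"),
	} {
		m[name] = body
		m[name+".sig"] = signRelease(priv, name, body)
	}
	return m, pub, nil
}

func main() {
	m, pub, err := NewTestMirror()
	if err != nil {
		panic(err)
	}
	// 1. Untouched artifact served from a cache or over plain HTTP: accepted.
	if _, err := FetchAndVerify(m, pub, "pkg-1.0.tar.gz"); err != nil {
		panic(err)
	}
	fmt.Println("pkg-1.0.tar.gz: signature OK")

	// 2. Bytes altered somewhere on the path: rejected.
	bad := m.Clone()
	bad["pkg-1.0.tar.gz"] = append([]byte("altered "), m["pkg-1.0.tar.gz"]...)
	_, err = FetchAndVerify(bad, pub, "pkg-1.0.tar.gz")
	fmt.Println("altered tarball rejected:", err != nil)

	// 3. Old, validly signed release offered under the new name: rejected,
	// because the file name is part of the signed message.
	sw := m.Clone()
	sw["pkg-1.0.tar.gz"] = m["pkg-0.9.tar.gz"]
	sw["pkg-1.0.tar.gz.sig"] = m["pkg-0.9.tar.gz.sig"]
	_, err = FetchAndVerify(sw, pub, "pkg-1.0.tar.gz")
	fmt.Println("renamed old release rejected:", err != nil)
}
```

Integrity here comes entirely from the signature and the pinned key, which is why the transport being HTTP rather than HTTPS does not decide whether this flow is safe. What the signature does not give the client is confidentiality of what it downloaded or a guarantee that the mirror is not serving a stale but validly signed release, so a client that cares about those still needs something beyond this check (for freshness, a signed and dated release index is the usual answer).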