- From: Emily Stark <estark@google.com>
- Date: Fri, 12 Apr 2019 19:51:54 -0700
- To: WebAppSec WG <public-webappsec@w3.org>, robbat2@gentoo.org
- Cc: Emily Stark <estark@google.com>
- Message-ID: <CAPP_2SbTmbs63op42h=AZPuM5cvxhoMXmfDgX1HfcXg5J1e1Dw@mail.gmail.com>
On Fri, Apr 12, 2019 at 12:46 AM Robin H. Johnson <robbat2@gentoo.org> wrote:
> (I'm not on the w3 list presently, hopefully this email gets to you
> after my sub is confirmed).
>
> Emily wrote:
> > I would like to hear from developers if they are distributing downloads
> > that they can reasonably SRI but can't move to HTTPS. I know Mike and
> > others have argued vociferously in the past against allowing SRI to
> > substitute for HTTPS...
>
> Hi!
>
> From the Linux distribution front, with a hat of mirroring.
>
> SRI would be trivial to provide for our content, as we already have the
> checksums [1], but we cannot move everything to HTTPS because we don't
> control how the mirrors run their systems :-(.
>
> See Gentoo's mirrors page as an example:
> https://www.gentoo.org/downloads/mirrors/
>
> Many of the mirrors have not yet deployed HTTPS, despite requests to do
> so, or have deployed it in a way that was broken (self-signed certs,
> misconfigured vhosts).

Thanks for sharing this example! Do you have any more details about why the mirrors cannot support proper HTTPS? Even after seeing this example, I still feel a little iffy about requiring SRI when we could be requiring HTTPS. The mirrors are going to have to support HTTPS at some point; if not now, when? Unless we want to accept that they will always be HTTP, now seems like as good a time as any to require them to support HTTPS.

>
> We do include sideband signatures for verification:
> https://www.gentoo.org/downloads/signatures/
>
> The above was the general list of mirrors.
> The direct download links are here:
> https://www.gentoo.org/downloads/
>
> All of the links off that page are two formats:
> http://distfiles.gentoo.org/...
> https://bouncer.gentoo.org/...
>
> distfiles.g.o is a GeoDNS rotation that some of the larger mirrors are
> in, specifically without SSL because it would be an untrusted key, as
> those mirrors are run by third parties who are not Gentoo.
>
> Bouncer is a HTTP redirection service, that tries to redirect you to a
> mirror that:
> - is close to you
> - actually has the file you're looking for
> - If requested on HTTPS, only redirects to HTTPS links where possible.
>
> [1] Example checksums file:
> https://gentoo.osuosl.org/releases/amd64/autobuilds/current-stage3-amd64/install-amd64-minimal-20190410T214502Z.iso.DIGESTS.asc
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
> E-Mail : robbat2@gentoo.org
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
> GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
>
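The thread turns on whether a download page can reuse the checksums a distribution already publishes as Subresource Integrity (SRI) tokens, and on what SRI does and does not guarantee when the download itself travels over plain HTTP. The following is an added example for this archive page, not code from Gentoo, the W3C, or either correspondent: it converts a hex checksum of the kind found in a sha512sum-style DIGESTS file into the base64 `sha512-...` form SRI uses, and verifies downloaded bytes against an `integrity` attribute the way the SRI spec describes (only the strongest algorithm present is checked; trailing `?options` are dropped; unrecognised algorithms are skipped). The DIGESTS line and the "ISO" bytes are constructed for the example; one deliberate difference from a browser is that the verifier fails closed when no token is recognised.

```python
"""Compute and verify Subresource Integrity (SRI) tokens for downloaded bytes.

Added example for this thread; not code from Gentoo, the W3C or the author.
"""
import base64
import hashlib

# Algorithms the SRI spec accepts, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token, e.g. 'sha384-<base64 digest>', for data."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def hex_to_sri(algorithm: str, hex_digest: str) -> str:
    """Convert a hex checksum (sha512sum / DIGESTS-file style) into the
    base64 form SRI uses, so an existing checksum file can feed the
    integrity attribute without rehashing the artifact."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    raw = bytes.fromhex(hex_digest)
    if len(raw) != hashlib.new(algorithm).digest_size:
        raise ValueError("digest length does not match the algorithm")
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def parse_integrity(attr: str) -> list:
    """Parse a whitespace-separated integrity attribute into
    (algorithm, base64) pairs. As in the SRI spec, '?option' suffixes
    are dropped and tokens with unknown algorithms are ignored."""
    parsed = []
    for token in attr.split():
        algorithm, sep, rest = token.partition("-")
        if not sep:
            continue
        algorithm = algorithm.lower()
        if algorithm not in SRI_ALGORITHMS:
            continue
        b64, _, _options = rest.partition("?")
        parsed.append((algorithm, b64))
    return parsed


def verify_sri(data: bytes, attr: str) -> bool:
    """True if data matches the integrity attribute.

    Per the SRI spec, only tokens of the strongest algorithm present are
    checked, and any one of them matching is enough. A browser skips the
    check entirely when no token is recognised; a download verifier
    should not, so this one fails closed in that case."""
    parsed = parse_integrity(attr)
    if not parsed:
        return False
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    actual = hashlib.new(strongest, data).digest()
    for algorithm, b64 in parsed:
        if algorithm != strongest:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if expected == actual:
            return True
    return False


if __name__ == "__main__":
    # Constructed stand-ins: the "ISO" content and a sha512sum-style line
    # of the shape "<hex digest>  <filename>" as a DIGESTS file would carry.
    iso_bytes = b"constructed stage3 tarball contents"
    digests_line = (
        hashlib.sha512(iso_bytes).hexdigest() + "  example-stage3.iso"
    )
    hex_digest, filename = digests_line.split()
    token = hex_to_sri("sha512", hex_digest)
    print(f'<a href="http://mirror.example/{filename}" integrity="{token}">')
    print("download verifies:", verify_sri(iso_bytes, token))
    print("tampered verifies:", verify_sri(iso_bytes + b"\x00", token))
```

The integrity token only helps if the page carrying it is itself delivered over an authenticated channel: in the thread, that is the HTTPS download page at www.gentoo.org, while the artifact comes from an HTTP mirror. An on-path party who can rewrite the HTTP download but not the HTTPS page is exactly what the token defends against; if the page were HTTP too, the token and the file could be replaced together, which is the substance of the objection to letting SRI stand in for HTTPS.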
Received on Saturday, 13 April 2019 02:52:33 UTC