[Buildroot] [psa] various server software upgrades
Peter Korsgaard
peter at korsgaard.com
Tue Dec 8 07:50:48 UTC 2015
>>>>> "Mike" == Mike Frysinger <vapier at gentoo.org> writes:
Hi,
>> So how about if we drop the global HSTS headers and http->https
>> redirects for now and then move a bit more slowly forward sub domain by
>> subdomain:
>>
>> 1: Enable https next to http and verify that it works
>> 2: Add http->https redirect and verify that it works
>> 3: add HSTS header
> we're already at (3). even if we weren't, i don't see how transitioning
> would affect the SNI issue. the question is simple: how long do you want
> to (try to) support old systems where people refuse to fix their setup ?
The new setup causes more problems than just SNI. The wget issues are
important for sources.buildroot.{net,org}, but not for e.g. bugzilla.
As I said, it is a question about tradeoffs, and the tradeoffs may be
different for each subdomain.
> we're talking about systems that are over three years old (wget-1.14 was
> released in Aug 2012). what is your cut off ? 3 years ? 4 years ? i'd
> also highlight <wget-1.16 versions have at least one security vuln that
> can be remotely exploited (when you download via ftp -- CVE-2014-4877).
For sources.* (and preferably the buildroot tarballs themselves) I would
prefer it to work even with a wget without SNI support.
I haven't checked the autobuilders (I believe the build script uses
curl), but there we possibly have the same issue.
For bugzilla I don't have any issues requiring SNI and HTTPS.
>> I agree, old systems are a pain - But we do try to keep buildroot
>> working on various enterprise distributions when possible. So far we've
>> worked around SNI issues by using http URLs from those locations instead
>> (and verifying against our local hashes).
> that doesn't help when sites transition to http->https redirects such as
> uclibc.org now does.
Indeed, which is why I would prefer to disable that for
*.buildroot.{org,net}, with the possible exception of
bugs.buildroot.{org,net}.
--
Kind regards,
Peter Korsgaard
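
The workaround mentioned in the quoted text above (fetching over plain http and verifying against local hashes) can be sketched as follows. This is an added example, not part of the original message and not Buildroot's own download code; the function name, the sample file names and the restriction to sha256/sha512 are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded file against a local hash file whose
# lines read "<algo>  <hex digest>  <file name>" ('#' starts a comment).
# Returns 0 = all hashes match, 1 = mismatch, 2 = no usable entry for file.
verify_download() {
    file=$1
    hashfile=$2
    base=$(basename "$file")
    found=0
    while read -r algo want name || [ -n "$algo" ]; do
        case $algo in ''|'#'*) continue ;; esac
        [ "$name" = "$base" ] || continue
        case $algo in
            sha256) got=$(sha256sum "$file" | cut -d' ' -f1) ;;
            sha512) got=$(sha512sum "$file" | cut -d' ' -f1) ;;
            *) continue ;;  # assumption of this sketch: other algorithms do not count
        esac
        found=1
        # Every listed hash must match; a single mismatch rejects the file.
        [ "$got" = "$want" ] || return 1
    done < "$hashfile"
    # A file with no usable hash entry is not treated as verified.
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Constructed sample: a stand-in tarball and its hash file in a temp dir.
demo() {
    d=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$d/foo-1.0.tar.gz"
    printf '# locally computed\nsha256  %s  foo-1.0.tar.gz\n' \
        "$(sha256sum "$d/foo-1.0.tar.gz" | cut -d' ' -f1)" > "$d/foo.hash"
    rc=0; verify_download "$d/foo-1.0.tar.gz" "$d/foo.hash" || rc=$?
    echo "as downloaded: $rc"
    # Simulate content changed in transit over an unauthenticated connection.
    printf 'injected\n' >> "$d/foo-1.0.tar.gz"
    rc=0; verify_download "$d/foo-1.0.tar.gz" "$d/foo.hash" || rc=$?
    echo "after modification: $rc"
    rm -rf "$d"
}
demo
```

The integrity guarantee comes from the hash file shipped with the local tree, not from the transport, which is why an http fallback does not weaken it as long as the hash file itself was obtained from a trusted source.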