On Wed, Nov 25, 2020 at 03:11:24PM +0100, Petr Štetiar wrote:
> Baptiste Jonglez [2020-11-25 12:41:18]:
>> For the imagebuilder, it increases the *total* build time (not just
>> download time!) by +50%:
>>
>> http://lists.openwrt.org/pipermail/openwrt-devel/2020-September/031406.html
>
> I don't consider 10 seconds dramatic increase of time, but it of
> course depends on your use case. If you aim for faster builds you can
> disable the HTTPS (one sed command) by yourself, proxy/cache the
> downloads etc.
>
> One of the project's goal is standard installation secure by default,
> which for me means HTTPS in this case and I'm willing to make this 10
> second tradeoff.

+1

>> On a device, I suspect it will be much worse but I can't currently
>> test that. It shouldn't be too hard, just make sure to clean opkg
>> files between each test to have a proper apple-to-apple comparison.
>
> You hardly download 100 packages on device. You don't care if it takes
> two minutes, because you're not doing it every day, it's running in
> the background etc.

+1

>> The main problem is the lack of persistent connection, which means
>> doing a full expensive TLS exchange for each separate file download,
>> however small it is. It's a lot of crypto for a small CPU on
>> devices,
>
> You can turn off HTTPS if you prefer speed over maximum security

+1

>> Thus, it's not reasonable to have this by default in a release.
>
> I don't agree. It has to be default in the next release :-)

+1

>> I'm working on adding persistent connection support to opkg but it's
>> not straightforward.
>
> Great, thanks!

+1

Thanks to both of you for your efforts. I know everyone is trying to
strike good trade-offs, but security should be prioritised by default.

Thanks again,
Sam

--
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

() ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.