Re: Welcome-Mail
On 2015-11-16, Marc Peters wrote: > Am 11/16/15 um 12:00 schrieb Stefan Wollny: >> Hi there, >> >> I may be wrong but I thought usage of ftp to get information and to >> download packages is discouraged. I just noticed (after having done a >> fresh install of amd64-current) reading the welcome mail "Welcome to >> OpenBSD 5.8!" that the ftp-protocol is still given. >> >> Instead >> ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages >> shouldn't this rather be >> http://ftp.openbsd.org/pub/OpenBSD/5.8/packages > > ftp is still a valid option for packages. The installation via ftp is > not supported anymore. It is still valid for some mirrors. But we shouldn't be directing people there, pkg_add (and in particular pkg_add -u) works a lot better with http. Especially if the ftp is going through ftp-proxy.
Re: Welcome-Mail
Em 16-11-2015 13:59, Danny Nguyen escreveu: > I hope these are not dumb questions. > > Would sftp (secure ftp) be a better alternative than ftp? Which "secure ftp" you're referring here? SSH's sftp or ftps? Because if it's the latter, then I'd say it wouldn't be a better alternative. ftp is ftp. Putting a TLS layer on top of it won't change the most hated things about the protocol. And, using SSH's sftp has the added complexity of host keys to the mix. Do you expect that the OpenBSD team would manage all ssh host keys for all the sftp mirrors and put them on the install media? And what if one of them changes? > What was the > logic to remove that option on the network install versus http? is there > even a benefit for the mirrors to be on https (secure http) vs http and > would that allow for a verified download like the openbsd compact disks? You are mixing things here. You can verify any download from any OpenBSD mirror regardless of protocol (ftp, http). Last I checked, there weren't any https OpenBSD mirrors. > I > always got really concerned when the install prompted me that "Directory > does not contain SHA256.sig. Continue without verification?" before > actually using official openbsd compact dics. My intent is to assess the > strengths and weaknesses of the protocols being discussed and comparing > them with respect to security. This has been answered on this list many times. If you're really concerned, verify your disks manually, or perform a network install. My suggestion? Buy the CD's (or donate) to help the project. But perform the installation using a USB stick. As far as weakness and strengths of the protocols, they are quite irrelevant for the OpenBSD installation. Everything is signed using signify. The transfer medium can (and is) be unencrypted. Of course this pretty much means anyone listening knows you're downloading/installing OpenBSD. If your concern is this, then you'll need to figure it for yourself how to hide the fact that you're installing OpenBSD. Cheers, Giancarlo Razzolini
Re: Welcome-Mail
I hope these are not dumb questions. Would sftp (secure ftp) be a better alternative than ftp? What was the logic to remove that option on the network install versus http? is there even a benefit for the mirrors to be on https (secure http) vs http and would that allow for a verified download like the openbsd compact disks? I always got really concerned when the install prompted me that "Directory does not contain SHA256.sig. Continue without verification?" before actually using official openbsd compact dics. My intent is to assess the strengths and weaknesses of the protocols being discussed and comparing them with respect to security. On Mon, Nov 16, 2015 at 6:09 AM, Raul Miller wrote: > All protocols are, to some degree or another. Especially when you look > at all the irrelevant complexity of a full implementation. > > Sometimes there's no good answers. > > -- > Raul > > On Mon, Nov 16, 2015 at 8:25 AM, Eric Furman > wrote: > > Yea, but ftp is a shitty protocol that should have died > > a merciful death a long time ago so > > > > On Mon, Nov 16, 2015, at 06:07 AM, Marc Peters wrote: > >> Am 11/16/15 um 12:00 schrieb Stefan Wollny: > >> > Hi there, > >> > > >> > I may be wrong but I thought usage of ftp to get information and to > >> > download packages is discouraged. I just noticed (after having done a > >> > fresh install of amd64-current) reading the welcome mail "Welcome to > >> > OpenBSD 5.8!" that the ftp-protocol is still given. > >> > > >> > Instead > >> > ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages > >> > shouldn't this rather be > >> > http://ftp.openbsd.org/pub/OpenBSD/5.8/packages > >> > >> ftp is still a valid option for packages. The installation via ftp is > >> not supported anymore. > >> > >> > >> Marc
Re: Welcome-Mail
All protocols are, to some degree or another. Especially when you look at all the irrelevant complexity of a full implementation. Sometimes there's no good answers. -- Raul On Mon, Nov 16, 2015 at 8:25 AM, Eric Furman wrote: > Yea, but ftp is a shitty protocol that should have died > a merciful death a long time ago so > > On Mon, Nov 16, 2015, at 06:07 AM, Marc Peters wrote: >> Am 11/16/15 um 12:00 schrieb Stefan Wollny: >> > Hi there, >> > >> > I may be wrong but I thought usage of ftp to get information and to >> > download packages is discouraged. I just noticed (after having done a >> > fresh install of amd64-current) reading the welcome mail "Welcome to >> > OpenBSD 5.8!" that the ftp-protocol is still given. >> > >> > Instead >> > ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages >> > shouldn't this rather be >> > http://ftp.openbsd.org/pub/OpenBSD/5.8/packages >> >> ftp is still a valid option for packages. The installation via ftp is >> not supported anymore. >> >> >> Marc
Re: Welcome-Mail
Yea, but ftp is a shitty protocol that should have died a merciful death a long time ago so On Mon, Nov 16, 2015, at 06:07 AM, Marc Peters wrote: > Am 11/16/15 um 12:00 schrieb Stefan Wollny: > > Hi there, > > > > I may be wrong but I thought usage of ftp to get information and to > > download packages is discouraged. I just noticed (after having done a > > fresh install of amd64-current) reading the welcome mail "Welcome to > > OpenBSD 5.8!" that the ftp-protocol is still given. > > > > Instead > > ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages > > shouldn't this rather be > > http://ftp.openbsd.org/pub/OpenBSD/5.8/packages > > ftp is still a valid option for packages. The installation via ftp is > not supported anymore. > > > Marc
Re: Welcome-Mail
Am 11/16/15 um 12:00 schrieb Stefan Wollny: > Hi there, > > I may be wrong but I thought usage of ftp to get information and to > download packages is discouraged. I just noticed (after having done a > fresh install of amd64-current) reading the welcome mail "Welcome to > OpenBSD 5.8!" that the ftp-protocol is still given. > > Instead > ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages > shouldn't this rather be > http://ftp.openbsd.org/pub/OpenBSD/5.8/packages ftp is still a valid option for packages. The installation via ftp is not supported anymore. Marc
Welcome-Mail
Hi there, I may be wrong but I thought usage of ftp to get information and to download packages is discouraged. I just noticed (after having done a fresh install of amd64-current) reading the welcome mail "Welcome to OpenBSD 5.8!" that the ftp-protocol is still given. Instead ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages shouldn't this rather be http://ftp.openbsd.org/pub/OpenBSD/5.8/packages ? And consequently the following sentence would be adjusted accordingly just like the example download of emacs. If ftp is still a valid option please excuse the noise. Best, STEFAN