On 08/08/16 12:43, Lars Kurth wrote: > Hi, > > as part of a number of tasks to move Xen Project websites to https, we > investigated whether we can move our tarballs to a new Xen Project owned > domain to download tarballs. Currently tarballs are stored on > http://bits.xensource.com, which is a http site only. We do not have > sufficient control of bits.xensource.com (which is an Akamai site) to convert > the site to https, and are thus potentially exposed to MiM attacks. > > To fix this, the current plan of record is to > - Copy existing tarballs to an existing or new VM > - To expose that VM via the new public URL ftp.xenproject.org (this is > non-browsable, thus ftp - we also already have > https://downloads.xenproject.org/ to host legacy content) > - To only publish new tarballs on https://ftp.xenproject.org
The pedant in me thinks it's strange to have a server titled "ftp" that is speaking https rather than ftp. But we're apparently already using "downloads.xenproject.org" for something else, and I don't have a better name, so I suppose it will have to do. :-) -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
