| author | Patrick McDermott <pehjota> | 2019-08-05 20:52:07 (EDT) |
|---|---|---|
| committer | Patrick McDermott <pehjota> | 2019-08-05 20:52:07 (EDT) |
| commit | 1f1653217ccebdb471fa302484576b13fe923f61 (patch) | |
| tree | b5d13434a58c79ad327297ee9e4c929f0af1d992 | |
| parent | 88abe8041c14882ec5f6e3a9bd37da96f5ed3520 (diff) | |
dev/archive/mirroring: Forbid HSTS
-rw-r--r-- | dev/archive/mirroring.mdwn | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/dev/archive/mirroring.mdwn b/dev/archive/mirroring.mdwn index 618d721..d89ef82 100644 --- a/dev/archive/mirroring.mdwn +++ b/dev/archive/mirroring.mdwn @@ -34,7 +34,11 @@ least once a day. Otherwise, during the update, some feed index files may reference deleted files. Serving the archive mirror at `/pub/proteanos` over HTTP and FTP is recommended, -but any path and either protocol may be used. +but any path and either protocol may be used. HTTP Strict Transport Security +(HSTS) must not be used except on private mirrors used by ProteanOS systems +known to install the `wolfssl-util` package. The ProteanOS package archive is +already [cryptographically verified][archive-signing] using software smaller +than a TLS implementation. Mirrors are classified by their synchronization source as either "primary" or "secondary" as described below. This design distributes synchronization @@ -48,14 +52,15 @@ ProteanOS project bandwidth for those that contribute bandwidth back to the project. [arch-conf]: http://files.proteanos.com/pub/proteanos/conf +[archive-signing]:http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html Primary Public Mirror --------------------- Primary mirrors are those that synchronize directly from -<files.proteanos.com> and must serve their contents publicly over HTTP and -rsync and may also serve over anonymous FTP as defined by [IETF RFC -1635][rfc1635] with no password requirements. +<files.proteanos.com> and must serve their contents publicly over HTTP +(without HSTS) and rsync and may also serve over anonymous FTP as defined by +[IETF RFC 1635][rfc1635] with no password requirements. Run the following command one to four times (four times preferred) daily to synchronize your mirror: 
@@ -68,9 +73,9 @@ Secondary Public or Private Mirror Secondary mirrors are those that synchronize from a primary mirror and serve their contents either publicly or privately. Public mirrors must serve over -HTTP and may also serve over anonymous FTP as defined by [IETF RFC -1635][rfc1635] with no password requirements. Private mirrors may serve over -either protocol. +HTTP (without HSTS) and may also serve over anonymous FTP as defined by [IETF +RFC 1635][rfc1635] with no password requirements. Private mirrors may serve +over either protocol. Run the following command one to four times (four times preferred) daily to synchronize your mirror: |
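Review bot: The new rule in the first hunk (@@ -34,7 +34,11) forbids only the HSTS header, but the rationale given in the same lines (the archive is already verified by software smaller than a TLS implementation, so clients are not expected to speak HTTPS) applies just as much to an unconditional HTTP-to-HTTPS redirect, which would lock those same clients out of a public mirror without any `Strict-Transport-Security` header ever being sent. Consider widening the sentence to cover both, e.g. `HTTP Strict Transport Security (HSTS) and redirection of plain HTTP requests to HTTPS must not be used except on private mirrors used by ProteanOS systems known to install the wolfssl-util package.`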
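Review bot: The added reference definition in the second hunk (@@ -48,14 +52,15), `[archive-signing]:http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html`, has no space after the colon, unlike the existing `[arch-conf]: http://files.proteanos.com/pub/proteanos/conf` line directly above it; for consistency, and to avoid surprises with stricter Markdown parsers, write `[archive-signing]: http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html`. In the same hunk the Primary Public Mirror paragraph encodes the rule as the parenthetical `(without HSTS)`; since the full condition now lives in the paragraph changed by the first hunk, a short cross-reference to that rule would keep the two statements from drifting apart in later edits.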
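Review bot: In the third hunk (@@ -68,9 +73,9) the trailing sentence `Private mirrors may serve over either protocol.` is left as it was, so this section says nothing about HSTS for private mirrors, while the first hunk allows it only on private mirrors used by systems known to install `wolfssl-util`. A reader of the Secondary Mirror section alone could conclude that private mirrors may enable HSTS unconditionally. Suggest restating the condition here, e.g. `Private mirrors may serve over either protocol and may enable HSTS only under the condition stated above.`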