author Patrick McDermott <pehjota> 2019-08-05 20:52:07 (EDT)
committer Patrick McDermott <pehjota> 2019-08-05 20:52:07 (EDT)
commit 1f1653217ccebdb471fa302484576b13fe923f61
tree b5d13434a58c79ad327297ee9e4c929f0af1d992 /dev
parent 88abe8041c14882ec5f6e3a9bd37da96f5ed3520
dev/archive/mirroring: Forbid HSTS
Diffstat (limited to 'dev')
-rw-r--r-- dev/archive/mirroring.mdwn 19
1 files changed, 12 insertions, 7 deletions
diff --git a/dev/archive/mirroring.mdwn b/dev/archive/mirroring.mdwn
index 618d721..d89ef82 100644
--- a/dev/archive/mirroring.mdwn
+++ b/dev/archive/mirroring.mdwn
@@ -34,7 +34,11 @@ least once a day. Otherwise, during the update, some feed index files may
reference deleted files.
Serving the archive mirror at `/pub/proteanos` over HTTP and FTP is recommended,
-but any path and either protocol may be used.
+but any path and either protocol may be used. HTTP Strict Transport Security
+(HSTS) must not be used except on private mirrors used by ProteanOS systems
+known to install the `wolfssl-util` package. The ProteanOS package archive is
+already [cryptographically verified][archive-signing] using software smaller
+than a TLS implementation.
Mirrors are classified by their synchronization source as either "primary" or
"secondary" as described below. This design distributes synchronization
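Review bot: The added sentence in the "Serving the archive mirror" paragraph forbids HSTS but does not say what a mirror operator has to avoid in practice. HSTS is a response header that clients honor only when it arrives over HTTPS, so a client fetching over plain HTTP is affected by a redirect to HTTPS rather than by the header itself. If the intent is that the archive stays fetchable by systems without a TLS client, consider stating that directly, for example "must remain reachable over plain HTTP, without redirects to HTTPS and without HSTS". The exception also hinges on `wolfssl-util` with no explanation of what it provides; a short clause saying why that package makes HSTS acceptable would help operators of private mirrors.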
@@ -48,14 +52,15 @@ ProteanOS project bandwidth for those that contribute bandwidth back to the
project.
[arch-conf]: http://files.proteanos.com/pub/proteanos/conf
+[archive-signing]:http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html
Primary Public Mirror
---------------------
Primary mirrors are those that synchronize directly from
-&lt;files.proteanos.com&gt; and must serve their contents publicly over HTTP and
-rsync and may also serve over anonymous FTP as defined by [IETF RFC
-1635][rfc1635] with no password requirements.
+&lt;files.proteanos.com&gt; and must serve their contents publicly over HTTP
+(without HSTS) and rsync and may also serve over anonymous FTP as defined by
+[IETF RFC 1635][rfc1635] with no password requirements.
Run the following command one to four times (four times preferred) daily to
synchronize your mirror:
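Review bot: The new `[archive-signing]:` reference definition has no space after the colon, unlike `[arch-conf]: http://files.proteanos.com/pub/proteanos/conf` directly above it; add the space for consistency. In the "Primary Public Mirror" paragraph, the "(without HSTS)" parenthetical restates the rule from the general section without pointing at it, so a reader who lands here sees neither the rationale nor the private-mirror exception. A link back to the general requirement would be easier to keep in sync than repeating it.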
@@ -68,9 +73,9 @@ Secondary Public or Private Mirror
Secondary mirrors are those that synchronize from a primary mirror and serve
their contents either publicly or privately. Public mirrors must serve over
-HTTP and may also serve over anonymous FTP as defined by [IETF RFC
-1635][rfc1635] with no password requirements. Private mirrors may serve over
-either protocol.
+HTTP (without HSTS) and may also serve over anonymous FTP as defined by [IETF
+RFC 1635][rfc1635] with no password requirements. Private mirrors may serve
+over either protocol.
Run the following command one to four times (four times preferred) daily to
synchronize your mirror:
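Review bot: In the secondary-mirror paragraph, "(without HSTS)" is attached only to public mirrors, while "Private mirrors may serve over either protocol" carries no HSTS condition at all. The general section allows HSTS on private mirrors only when their ProteanOS clients are known to install `wolfssl-util`, so this paragraph reads as more permissive than the rule it depends on. Suggest repeating or referencing that condition in the private-mirror sentence.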