From 1f1653217ccebdb471fa302484576b13fe923f61 Mon Sep 17 00:00:00 2001 From: Patrick McDermott Date: Mon, 05 Aug 2019 20:52:07 -0400 Subject: dev/archive/mirroring: Forbid HSTS --- (limited to 'dev/archive/mirroring.mdwn') diff --git a/dev/archive/mirroring.mdwn b/dev/archive/mirroring.mdwn index 618d721..d89ef82 100644 --- a/dev/archive/mirroring.mdwn +++ b/dev/archive/mirroring.mdwn @@ -34,7 +34,11 @@ least once a day. Otherwise, during the update, some feed index files may reference deleted files. Serving the archive mirror at `/pub/proteanos` over HTTP and FTP is recommended, -but any path and either protocol may be used. +but any path and either protocol may be used. HTTP Strict Transport Security +(HSTS) must not be used except on private mirrors used by ProteanOS systems +known to install the `wolfssl-util` package. The ProteanOS package archive is +already [cryptographically verified][archive-signing] using software smaller +than a TLS implementation. Mirrors are classified by their synchronization source as either "primary" or "secondary" as described below. This design distributes synchronization @@ -48,14 +52,15 @@ ProteanOS project bandwidth for those that contribute bandwidth back to the project. [arch-conf]: http://files.proteanos.com/pub/proteanos/conf +[archive-signing]:http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html Primary Public Mirror --------------------- Primary mirrors are those that synchronize directly from -<files.proteanos.com> and must serve their contents publicly over HTTP and -rsync and may also serve over anonymous FTP as defined by [IETF RFC -1635][rfc1635] with no password requirements. +<files.proteanos.com> and must serve their contents publicly over HTTP +(without HSTS) and rsync and may also serve over anonymous FTP as defined by +[IETF RFC 1635][rfc1635] with no password requirements. Run the following command one to four times (four times preferred) daily to synchronize your mirror: 
@@ -68,9 +73,9 @@ Secondary Public or Private Mirror Secondary mirrors are those that synchronize from a primary mirror and serve their contents either publicly or privately. Public mirrors must serve over -HTTP and may also serve over anonymous FTP as defined by [IETF RFC -1635][rfc1635] with no password requirements. Private mirrors may serve over -either protocol. +HTTP (without HSTS) and may also serve over anonymous FTP as defined by [IETF +RFC 1635][rfc1635] with no password requirements. Private mirrors may serve +over either protocol. Run the following command one to four times (four times preferred) daily to synchronize your mirror: -- cgit v0.9.1
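Review bot: In the first hunk (the new HSTS paragraph after "any path and either protocol may be used"), the prohibition targets the wrong mechanism for the stated goal. An HSTS header is only honoured by clients that implement HSTS; the thing that actually breaks a TLS-less package fetcher is a mirror that answers plain-HTTP requests with a redirect to https://, which this wording does not forbid. Suggest stating the real requirement, for example "must remain reachable over plain HTTP; do not redirect HTTP to HTTPS and do not send HSTS headers", and keeping the `wolfssl-util` exception for private mirrors attached to that sentence. The exception itself ("private mirrors used by ProteanOS systems known to install the `wolfssl-util` package") also gives the mirror operator no way to tell whether it applies; a short note on who is expected to make that determination would help.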
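Review bot: In the second hunk, the new reference definition `[archive-signing]:http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html` omits the space after the colon that the adjacent `[arch-conf]: http://files.proteanos.com/pub/proteanos/conf` line uses. Write it as `[archive-signing]: http://...` so the two definitions follow the same style.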
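Review bot: In the third hunk, the sentence "Private mirrors may serve over either protocol" is carried over unchanged, so the Secondary Mirror section is silent on HSTS for private mirrors even though the paragraph added earlier in this patch permits it only on private mirrors whose client systems are known to install `wolfssl-util`. Suggest qualifying it, e.g. "Private mirrors may serve over either protocol and may use HSTS only under the condition described above", so a reader of this section alone does not conclude HSTS is unrestricted on private mirrors.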