From 1f1653217ccebdb471fa302484576b13fe923f61 Mon Sep 17 00:00:00 2001
From: Patrick McDermott <pehjota>
Date: Mon, 05 Aug 2019 20:52:07 -0400
Subject: dev/archive/mirroring: Forbid HSTS

---
(limited to 'dev')

diff --git a/dev/archive/mirroring.mdwn b/dev/archive/mirroring.mdwn
index 618d721..d89ef82 100644
--- a/dev/archive/mirroring.mdwn
+++ b/dev/archive/mirroring.mdwn
@@ -34,7 +34,11 @@ least once a day.  Otherwise, during the update, some feed index files may
 reference deleted files.
 
 Serving the archive mirror at `/pub/proteanos` over HTTP and FTP is recommended,
-but any path and either protocol may be used.
+but any path and either protocol may be used.  HTTP Strict Transport Security
+(HSTS) must not be used except on private mirrors used by ProteanOS systems
+known to install the `wolfssl-util` package.  The ProteanOS package archive is
+already [cryptographically verified][archive-signing] using software smaller
+than a TLS implementation.
 
 Mirrors are classified by their synchronization source as either "primary" or
 "secondary" as described below.  This design distributes synchronization
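Review bot: the new sentences in this hunk state the rule ("HSTS must not be used except on private mirrors used by ProteanOS systems known to install the `wolfssl-util` package") but not the failure it prevents, so a mirror operator reading only this paragraph cannot tell why a private mirror is treated differently. One clause tying the two halves together would close the gap, e.g. "…because ProteanOS systems without `wolfssl-util` carry no TLS implementation and could not fetch from a mirror that forces HTTPS." The final sentence already supplies the supporting fact (the archive is verified "using software smaller than a TLS implementation"), so it only needs to be connected to the restriction rather than left as a separate statement.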
@@ -48,14 +52,15 @@ ProteanOS project bandwidth for those that contribute bandwidth back to the
 project.
 
 [arch-conf]: http://files.proteanos.com/pub/proteanos/conf
+[archive-signing]:http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html
 
 Primary Public Mirror
 ---------------------
 
 Primary mirrors are those that synchronize directly from
-&lt;files.proteanos.com&gt; and must serve their contents publicly over HTTP and
-rsync and may also serve over anonymous FTP as defined by [IETF RFC
-1635][rfc1635] with no password requirements.
+&lt;files.proteanos.com&gt; and must serve their contents publicly over HTTP
+(without HSTS) and rsync and may also serve over anonymous FTP as defined by
+[IETF RFC 1635][rfc1635] with no password requirements.
 
 Run the following command one to four times (four times preferred) daily to
 synchronize your mirror:
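Review bot: the added reference definition `[archive-signing]:http://lists.proteanos.com/...` omits the space after the colon that the neighbouring `[arch-conf]: http://files.proteanos.com/...` line uses; for consistency with the existing link definitions, write it as `[archive-signing]: http://lists.proteanos.com/proteanos-dev/2019/04/msg00008.html`. Otherwise the "(without HSTS)" insertion into the Primary Public Mirror paragraph matches the new requirement introduced in the first hunk.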
@@ -68,9 +73,9 @@ Secondary Public or Private Mirror
 
 Secondary mirrors are those that synchronize from a primary mirror and serve
 their contents either publicly or privately.  Public mirrors must serve over
-HTTP and may also serve over anonymous FTP as defined by [IETF RFC
-1635][rfc1635] with no password requirements.  Private mirrors may serve over
-either protocol.
+HTTP (without HSTS) and may also serve over anonymous FTP as defined by [IETF
+RFC 1635][rfc1635] with no password requirements.  Private mirrors may serve
+over either protocol.
 
 Run the following command one to four times (four times preferred) daily to
 synchronize your mirror:
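Review bot: "Private mirrors may serve over either protocol" is left unchanged here, but the first hunk only permits HSTS on private mirrors whose client systems are known to install `wolfssl-util`; as written, this paragraph reads as if private mirrors are unrestricted. Consider either restating the condition ("Private mirrors may serve over either protocol, and may use HSTS only under the condition described above") or adding a short cross-reference to the HSTS paragraph so the two sections cannot be read as contradicting each other.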
--
cgit v0.9.1