Welcome-Mail


Welcome-Mail

Stefan Wollny-2
Hi there,

I may be wrong but I thought usage of ftp to get information and to
download packages is discouraged. I just noticed (after having done a
fresh install of amd64-current) reading the welcome mail "Welcome to
OpenBSD 5.8!" that the ftp-protocol is still given.

Instead
        ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages
shouldn't this rather be
        http://ftp.openbsd.org/pub/OpenBSD/5.8/packages
?

And consequently the following sentence would be adjusted accordingly
just like the example download of emacs.

If ftp is still a valid option please excuse the noise.

Best,
STEFAN


Re: Welcome-Mail

Marc Peters-3
On 11/16/15 at 12:00, Stefan Wollny wrote:

> Hi there,
>
> I may be wrong but I thought usage of ftp to get information and to
> download packages is discouraged. I just noticed (after having done a
> fresh install of amd64-current) reading the welcome mail "Welcome to
> OpenBSD 5.8!" that the ftp-protocol is still given.
>
> Instead
>     ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages
> shouldn't this rather be
>     http://ftp.openbsd.org/pub/OpenBSD/5.8/packages

ftp is still a valid option for packages. The installation via ftp is
not supported anymore.


Marc


Re: Welcome-Mail

Eric Furman-3
Yea, but ftp is a shitty protocol that should have died
a merciful death a long time ago so....

On Mon, Nov 16, 2015, at 06:07 AM, Marc Peters wrote:

> On 11/16/15 at 12:00, Stefan Wollny wrote:
> > Hi there,
> >
> > I may be wrong but I thought usage of ftp to get information and to
> > download packages is discouraged. I just noticed (after having done a
> > fresh install of amd64-current) reading the welcome mail "Welcome to
> > OpenBSD 5.8!" that the ftp-protocol is still given.
> >
> > Instead
> >     ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages
> > shouldn't this rather be
> >     http://ftp.openbsd.org/pub/OpenBSD/5.8/packages
>
> ftp is still a valid option for packages. The installation via ftp is
> not supported anymore.
>
>
> Marc


Re: Welcome-Mail

Raul Miller
All protocols are, to some degree or another. Especially when you look
at all the irrelevant complexity of a full implementation.

Sometimes there's no good answers.

--
Raul

On Mon, Nov 16, 2015 at 8:25 AM, Eric Furman <[hidden email]> wrote:

> Yea, but ftp is a shitty protocol that should have died
> a merciful death a long time ago so....
>
> On Mon, Nov 16, 2015, at 06:07 AM, Marc Peters wrote:
>> On 11/16/15 at 12:00, Stefan Wollny wrote:
>> > Hi there,
>> >
>> > I may be wrong but I thought usage of ftp to get information and to
>> > download packages is discouraged. I just noticed (after having done a
>> > fresh install of amd64-current) reading the welcome mail "Welcome to
>> > OpenBSD 5.8!" that the ftp-protocol is still given.
>> >
>> > Instead
>> >     ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages
>> > shouldn't this rather be
>> >     http://ftp.openbsd.org/pub/OpenBSD/5.8/packages
>>
>> ftp is still a valid option for packages. The installation via ftp is
>> not supported anymore.
>>
>>
>> Marc


Re: Welcome-Mail

securityvsconvenience
I hope these are not dumb questions.

Would sftp (secure ftp) be a better alternative than ftp? What was the
logic to remove that option on the network install versus http? Is there
even a benefit for the mirrors to be on https (secure http) vs http and
would that allow for a verified download like the openbsd compact disks? I
always got really concerned when the install prompted me that "Directory
does not contain SHA256.sig. Continue without verification?" before
actually using official openbsd compact discs. My intent is to assess the
strengths and weaknesses of the protocols being discussed and comparing
them with respect to security.

On Mon, Nov 16, 2015 at 6:09 AM, Raul Miller <[hidden email]> wrote:

> All protocols are, to some degree or another. Especially when you look
> at all the irrelevant complexity of a full implementation.
>
> Sometimes there's no good answers.
>
> --
> Raul
>
> On Mon, Nov 16, 2015 at 8:25 AM, Eric Furman <[hidden email]>
> wrote:
> > Yea, but ftp is a shitty protocol that should have died
> > a merciful death a long time ago so....
> >
> > On Mon, Nov 16, 2015, at 06:07 AM, Marc Peters wrote:
> >> On 11/16/15 at 12:00, Stefan Wollny wrote:
> >> > Hi there,
> >> >
> >> > I may be wrong but I thought usage of ftp to get information and to
> >> > download packages is discouraged. I just noticed (after having done a
> >> > fresh install of amd64-current) reading the welcome mail "Welcome to
> >> > OpenBSD 5.8!" that the ftp-protocol is still given.
> >> >
> >> > Instead
> >> >     ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages
> >> > shouldn't this rather be
> >> >     http://ftp.openbsd.org/pub/OpenBSD/5.8/packages
> >>
> >> ftp is still a valid option for packages. The installation via ftp is
> >> not supported anymore.
> >>
> >>
> >> Marc


Re: Welcome-Mail

Giancarlo Razzolini-3
On 16-11-2015 13:59, Danny Nguyen wrote:
> I hope these are not dumb questions.
>
> Would sftp (secure ftp) be a better alternative than ftp?

Which "secure ftp" are you referring to here? SSH's sftp or ftps? Because if
it's the latter, then I'd say it wouldn't be a better alternative. ftp
is ftp. Putting a TLS layer on top of it won't change the most hated
things about the protocol. And, using SSH's sftp adds the
complexity of host keys to the mix. Do you expect that the OpenBSD team
would manage all ssh host keys for all the sftp mirrors and put them on
the install media? And what if one of them changes?

>  What was the
> logic to remove that option on the network install versus http? is there
> even a benefit for the mirrors to be on https (secure http) vs http and
> would that allow for a verified download like the openbsd compact disks?

You are mixing things here. You can verify any download from any OpenBSD
mirror regardless of protocol (ftp, http). Last I checked, there weren't
any https OpenBSD mirrors.

>  I
> always got really concerned when the install prompted me that "Directory
> does not contain SHA256.sig. Continue without verification?" before
> actually using official openbsd compact discs. My intent is to assess the
> strengths and weaknesses of the protocols being discussed and comparing
> them with respect to security.

This has been answered on this list many times. If you're really
concerned, verify your disks manually, or perform a network install. My
suggestion? Buy the CDs (or donate) to help the project. But perform
the installation using a USB stick. As far as weaknesses and strengths of
the protocols, they are quite irrelevant for the OpenBSD installation.
Everything is signed using signify. The transfer medium can be (and is)
unencrypted. Of course this pretty much means anyone listening knows
you're downloading/installing OpenBSD. If your concern is this, then
you'll need to figure out for yourself how to hide the fact that you're
installing OpenBSD.

Cheers,
Giancarlo Razzolini
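
Added example, not part of the thread and not OpenBSD's code: a sketch of why a signed checksum list makes the transport (ftp or http) irrelevant to integrity. It parses the layout of a signify embedded-signature file such as SHA256.sig and checks downloaded bytes against the listed hash. The sample file, its all-zero signature and the file contents are constructed; the Ed25519 check over `signed_bytes` is what signify(1) itself performs and is not reimplemented here.

```python
import base64
import hashlib
import re

# BSD-style checksum line, as found in OpenBSD SHA256 files.
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")


def parse_signed_list(text):
    """Split a signify embedded-signature file into header fields and checksums."""
    comment, b64sig, body = text.split("\n", 2)
    if not comment.startswith("untrusted comment: "):
        raise ValueError("missing untrusted comment line")
    raw = base64.b64decode(b64sig, validate=True)
    # Layout: 2-byte algorithm "Ed", 8-byte key number, 64-byte Ed25519 signature.
    if len(raw) != 74 or raw[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 signature")
    sums = {}
    for line in body.splitlines():
        m = CHECKSUM_RE.match(line)
        if m:
            sums[m["name"]] = m["hex"]
    # signed_bytes is the exact message the signature covers (everything after line 2).
    return {"keynum": raw[2:10], "sig": raw[10:],
            "signed_bytes": body.encode(), "sums": sums}


def check_download(parsed, name, data):
    """True only if `name` is in the signed list and `data` hashes to the listed value."""
    expected = parsed["sums"].get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


# Constructed sample: placeholder file contents and a dummy (all-zero) signature.
GOOD = b"constructed stand-in for a release file\n"
FAKE_SIG = base64.b64encode(b"Ed" + bytes(range(8)) + bytes(64)).decode()
SAMPLE = (
    "untrusted comment: constructed example, not a real signature\n"
    + FAKE_SIG + "\n"
    + "SHA256 (bsd.rd) = " + hashlib.sha256(GOOD).hexdigest() + "\n"
)

if __name__ == "__main__":
    parsed = parse_signed_list(SAMPLE)
    print("key number:", parsed["keynum"].hex())
    print("intact download accepted:", check_download(parsed, "bsd.rd", GOOD))
    print("altered download accepted:", check_download(parsed, "bsd.rd", GOOD + b"x"))
```

The hash comparison is only meaningful once the signature over the list has been verified against a trusted public key; without that step the list itself could have been altered in transit.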


Re: Welcome-Mail

Stuart Henderson
On 2015-11-16, Marc Peters <[hidden email]> wrote:

> On 11/16/15 at 12:00, Stefan Wollny wrote:
>> Hi there,
>>
>> I may be wrong but I thought usage of ftp to get information and to
>> download packages is discouraged. I just noticed (after having done a
>> fresh install of amd64-current) reading the welcome mail "Welcome to
>> OpenBSD 5.8!" that the ftp-protocol is still given.
>>
>> Instead
>>     ftp://ftp.openbsd.org/pub/OpenBSD/5.8/packages
>> shouldn't this rather be
>>     http://ftp.openbsd.org/pub/OpenBSD/5.8/packages
>
> ftp is still a valid option for packages. The installation via ftp is
> not supported anymore.

It is still valid for some mirrors. But we shouldn't be directing people
there, pkg_add (and in particular pkg_add -u) works a lot better with http.
Especially if the ftp is going through ftp-proxy.