Em 27-03-2014 12:43, Theo de Raadt escreveu: >> JB> Could you please elaborate why not sftp for sets (and/or >> JB> for pkg_add)? >> >> I'll rephrase: can someone besides Theo elaborate? It was an obvious >> mistake to reply to his email (to be fair, I've addressed it to misc, not >> to him). >> In his "long email" Theo was talking about openssl. It's my understanding >> that openssh is going away from openssl, so I don't see a direct >> connection. I also see that psftp (from the putty) is about 300K, and I >> don't believe it has any important dependencies (kerberos could be ignored >> in this case). > psftp.... > > Great, so you can't even use the right example. Classy. > > As it happens, sftp is just a wrapper around ssh, and ssh itself > statically linked is: > > text data bss dec hex > 1445154 24580 52312 1522046 17397e > > So, even bigger than openssl. > >> BTW, what is limiting the bsd.rd size? It's not for a floppy. I've tried >> searching and found only a "rumor" that there is might be the size limit. > First off, you are suggesting that we double the size of the large thing > on the install media. You are showing that you can't do any research at > all, but want to throw ideas out. > > My main reason is Taste. I'll stand against the addition of useless > stuff that people can't use correctly. > > You are throwing sftp out there as an idea, without any deep consideration. > > I don't know who you are asking us to keep serving your needs. Never > heard of you before. > Even if the size wasn't an issue, using ssh on the installer would only be really secure if associated with DNSSEC and SSHFP records for the server. There are sysadmins that blindly trust host keys, ssl certificates, so imagine a regular user trying to install OpenBSD and being prompted for an unknonw host key. And we are just talking about the installer side. Imagine the headache of configuring mirrors with sftp. Even if all mirrors host keys were somehow compressed and putted in the installer, this wouldn't solve the issue when installing from a personal mirror, and such. Please stop. It's bad enough having ftp. Yesterday I did a http install, very fast, and the best part, very easy. With 5.5 on the horizon, signify and all the good things that will come with it, the install process will be much more reliable.
Just take as example all the linuxes installation and updates processes. They all use http, with no tls/ssl. I can't remember if any of them have ssl enabled on their mirrors. sftp? Good luck finding one. I hope that this is elaborate enough. Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC
