[OmniOS-discuss] https://pkg.omniti.com (was: SECURITY UPDATE FOR OpenSSL & Perl; plus other fixes)
Ben Summers
ben at bens.me.uk
Wed Mar 2 11:52:07 UTC 2016
> On 2 Mar 2016, at 11:41, qutic development <mailinglists at qutic.com> wrote:
>
>
>> On 02.03.2016 at 12:08, Ben Summers <ben at bens.me.uk> wrote:
>>
>> This was rejected previously due to the significant additional latency of https.
>
>
> Please, please do not spread myths from the last century. This is not true!
> Add a proper tls-termination in front and you are good to go.
I believe this was measured. pkg makes lots of small requests and doesn't appear to be very clever with session management.
What results did you get when you benchmarked it?
>
>> Now that packages are signed properly, you don't need https to assure integrity of the software.
>
>
> Yes, signed packages are fine, but not my case. As you know, your country is taking a full take - on all they can get!
Which country?
>
>> If you wish to avoid disclosing your updates to passive observers, you could use a local mirror.
>
>
> Yes I could be, but that does not make the internet a better and more secure place!
I found OmniTI to be really open to making security improvements, and I'm sure they would be very interested in learning about your specific concerns.
Ben