HTTPS on freebsd.org, git, reproducible builds

[Brett Glass]

At 08:07 AM 9/18/2015, Ben Bailess wrote:

>I have to echo this sentiment -- authentication is important, and so is
>integrity. HTTPS would provide both -- to be sure you're talking to the
>"real" FreeBSD and give you confidence that your page content has not been
>altered in transit by a network adversary (e.g. if you are using Tor)*.

I'd mainly be concerned about downloads of distros or updates being
tampered with. Worms are appearing that infect not only PCs but also
routers (e.g. the "Moon" worm, which affected most Linksys models available
at the time), setting up a perfect scenario for an MITM attack that could
substitute an infected file AND a forged checksum for the originals. If
an HTTPS download site were available, I would absolutely prefer it to
an HTTP one. Just my $0.02 USD.

--Brett Glass