On Tue, Sep 15, 2020 at 08:49:51AM +0200, Baptiste Jonglez wrote:
> On 27-08-20, Paul Spooren wrote:
> > The variable VERSION_REPO is used by opkg to download package(list)s.
> > Now that the default installation supports encrypted HTTP, opkg should
> > make use of it.
>
> I wonder what is the performance impact of this? Opkg forks a new wget
> process to download each package, so the HTTPS connection is never reused.
>
> Running a simple "time make image
> PROFILE=mikrotik_routerboard-921gs-5hpacd-15s" with the ath79/mikrotik
> imagebuilder results in a 50% increase of running time:
>
> - with HTTPS: 32 seconds
> - with HTTP: 22 seconds
>
> (timing for the second run is shown, and dl/ is cleaned up before each run)
>
> The overhead might be even more significant on a device, and the download
> server probably sees more load from the large number of key exchanges.
> Anybody got any figures?
>
> With HTTPS, opkg would really need connection reuse. I don't think the
> current situation is acceptable for a stable release, if only to avoid
> high load on the download server.
I suggest reverting that change as HTTPS doesn't do us a favour here. It
prevents web caches (squid and such), hurts performance, and integrity
should (at least now) anyway be ensured by the SHA256 of the package
contained in the ed25519-signed package list. In my opinion HTTPS even
gives users a false sense of security, as it is up to a few hundred
certification authorities to not compromise rather than just to a few
keys shipped with OpenWrt. Plus the complexity of the handshake, large
choice of ciphers (rather than pinning SHA256 + ed25519), ... Even major
distributions like Debian and ArchLinux make HTTPS optional and opt-in for
their package download servers. Imho the disadvantages clearly outweigh
the benefits here.

>
> Baptiste
>
> > Suggested-by: Petr Štetiar <yn...@true.cz>
> > Suggested-by: Baptiste Jonglez <bapti...@bitsofnetworks.org>
> > Signed-off-by: Paul Spooren <m...@aparcar.org>
> > ---
> > include/version.mk | 2 +-
> > package/base-files/image-config.in | 2 +-
> > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/version.mk b/include/version.mk > > index 7d3c1ad640..b7f42e13bb 100644 > > --- a/include/version.mk > > +++ b/include/version.mk > > @@ -32,7 +32,7 @@ VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE)) > > VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),$(REVISION)) > > > > VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO)) > > -VERSION_REPO:=$(if > > $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/snapshots) > > +VERSION_REPO:=$(if > > $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/snapshots) > > > > VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST)) > > VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt) > > diff --git a/package/base-files/image-config.in > > b/package/base-files/image-config.in > > index 4bace77db0..bfa3055cc8 100644 > > --- a/package/base-files/image-config.in > > +++ b/package/base-files/image-config.in
> > @@ -183,7 +183,7 @@ if VERSIONOPT > > config VERSION_REPO > > string > > prompt "Release repository" > > - default "http://downloads.openwrt.org/snapshots" > > + default "https://downloads.openwrt.org/snapshots" > > help > > This is the repository address embedded in the image, > > it defaults > > to the trunk snapshot repo; the url may contain the > > following placeholders:
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
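Review bot: the new https fallback in the `VERSION_REPO:=$(if ...)` line of the include/version.mk hunk only works if every image built without CONFIG_VERSION_REPO carries a downloader that can speak TLS plus a CA bundle that validates downloads.openwrt.org, yet the commit message only asserts that "the default installation support encrypted HTTP" without naming the package that provides it; please name it and state what `opkg update` does on an image built without it (it would fail where the http default succeeded). Because this fallback is what the imagebuilder run in the thread exercised, the 32 s vs 22 s figure measured above applies directly to this hunk, so the message should also say how that cost is addressed (connection reuse in opkg) or why it is accepted given that integrity already comes from the ed25519-signed package list.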
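Review bot: the `default` line change in the package/base-files/image-config.in hunk leaves the help block untouched, so nothing in menuconfig tells the user that the https default bypasses plain-HTTP caching proxies (squid and the like, as raised in the reply) or that it requires a TLS-capable opkg downloader in the image; one sentence after "following placeholders:" would cover both. The help text should also note that this Kconfig default and the fallback in include/version.mk must be kept identical, since which of the two takes effect depends on VERSIONOPT.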
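The integrity argument in the reply above, as an added example that is not part of the thread, of opkg or of the patch: a small Python check in the spirit of opkg's per-package verification against the Packages index, which is what gives integrity whether the transport is http or https. The index text and package bytes are constructed; the usign (ed25519) signature check on the index is assumed to have already passed and is not shown.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded package; a real .ipk is an archive.
GOOD_IPK = b"constructed ipk bytes for hello_1.0-1_all.ipk\n"

# Constructed Packages index in the stanza format opkg fetches from
# VERSION_REPO; the SHA256sum line is computed from GOOD_IPK above.
PACKAGES_INDEX = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Architecture: all\n"
    "Filename: hello_1.0-1_all.ipk\n"
    f"Size: {len(GOOD_IPK)}\n"
    f"SHA256sum: {hashlib.sha256(GOOD_IPK).hexdigest()}\n"
)


def parse_packages_index(text):
    """Split a Packages index into {name: {field: value}}, one dict per stanza."""
    index, stanza = {}, {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends a stanza
            if stanza:
                index[stanza["Package"]] = stanza
            stanza = {}
            continue
        key, _, value = line.partition(":")
        stanza[key.strip()] = value.strip()
    if stanza:                        # flush the last stanza
        index[stanza["Package"]] = stanza
    return index


def verify_package(index, name, data):
    """Accept downloaded bytes only if Size and SHA256sum match the index.

    The index is assumed (not shown) to have passed its usign/ed25519
    signature check before it is trusted; a tampered or truncated
    package body is rejected here regardless of how it was fetched.
    """
    entry = index.get(name)
    if entry is None or int(entry["Size"]) != len(data):
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, entry["SHA256sum"].lower())
```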