[KORG] Availability of SSL on kernel.org

From: J.H.
Date: Thu Mar 18 2010 - 21:13:36 EST

Next message: Eric W. Biederman: "Re: [PATCH] x86 apic: Ack all pending irqs when crashed/on kexec - V5"
Previous message: Mathieu Desnoyers: "Re: [PATCH RFC 00/11] lock monitor: Separate features related tolock"
Next in thread: Paul Mundt: "Re: [kernel.org users] [KORG] Availability of SSL on kernel.org"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Afternoon Everyone,

I would like to go ahead and announce the general availability of SSL
support for a number of the services on kernel.org! This should help
provide an additional level of security, in particular for our dynamic
content like the wiki's, patchwork and bugzilla.

The certificates have been very graciously donated and signed by Thawte,
and we at kernel.org greatly appreciate their support of Open Source!
These signed certificates make it trivial for our users to make use of
this additional layer of security, and alleviates a large amount of
support effort that self-signed certificates would have incurred.

"Thawte is proud of its open source lineage. Providing free
certificates to community projects is just a small way of not
only supporting the community but returning the favor. Please
spread the word."

Services that are now by default using SSL:

* Bugzilla
* Wikis
* Account Requests
* Patchwork

These are using an HTTP redirect so you should need to do anything
for these to just work.

Services that have can optionally use SSL:

* www.kernel.org
* boot.kernel.org
* git.kernel.org
* android.git.kernel.org

Just use https vs. http, there is no automatic redirection for these

Services that DO NOT offer SSL:

* mirrors.kernel.org

These machines move a large amount of data to a large number of
users and it would be difficult, and memory intensive, to provide
SSL for this service. I don't foresee enabling SSL for
mirrors.kernel.org.

* *.[us | [nl.|se.]eu | geo | all].kernel.org dns entries

These would require too many distinct certificates to adequately
cover, and are generally not user facing. These still have
the SSL certificates available to them, but the address will not
match the CN in the certificate.

As always if you encounter problems, e-mail ftpadmin or catch us on IRC.
I've done a fair amount of testing of this on my own - but due to the
large number of possible clients it's impossible for me to have tested
this from every possible angle.

- - John 'Warthog9' Hawley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkuiz7cACgkQ/E3kyWU9dicIAwCfQlTlSDEMn1GP++Cy7IFV9Oqi
MP4Aniu0hVPdXMopnAG/W/PtWd0aEDus
=pg6c
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric W. Biederman: "Re: [PATCH] x86 apic: Ack all pending irqs when crashed/on kexec - V5"
Previous message: Mathieu Desnoyers: "Re: [PATCH RFC 00/11] lock monitor: Separate features related tolock"
Next in thread: Paul Mundt: "Re: [kernel.org users] [KORG] Availability of SSL on kernel.org"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]