Is it standard not to provide secure downloads?

Status
Not open for further replies.

Montel Bahn

Dabbler
Joined
Oct 12, 2015
Messages
40
I thought I had learned that https/encrypted connections were recommended minimal security,
especially when downloading binaries, ISOs etc...

Are the ISOs signed with a tool that this noob is not aware of?
Is it simply that the ISOs can be reproducibly built, to verify the hash? Is there a recipe somewhere?

Also, I'm still doing set-up, so I'd like to know...
A. Can I enter a time manually.
B. Silence or change NTPD frequency.
C. Change the time server in the GUI.
I'm working without internet connected and it is so 'spammy' my logs are rolling over. It's a pain that my box is trying to call home all the time, even the 'trains' thing that I haven't even looked at yet or configured is trying to curl or something over plain http.

Slap me now if I'm out to lunch!
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
You learned wrong. Encrypted connections for things like downloads are the bane of the Internet. They largely break the ability of service providers to do intelligent caching, make it more difficult to deploy a CDN, etc., etc.

The releases are all SHA256 signed and the signatures can be downloaded from the download site. I'll be happy to agree with you that it sucks that these are not protected via SSL.

You can certainly change your time server, System->NTP Servers. If you want manual time, set it in the BIOS. I'm not sure if there's an option to disable NTPD, and that may be a spectacularly bad idea since some protocols are highly dependent on accurate time.
 

Montel Bahn

Dabbler
Joined
Oct 12, 2015
Messages
40
I for sure understand the importance of NTP.
Thanks a bunch for the advice, I just increased the minimum poll interval for now.

I think I get the gist of the cdn caching thing.
So an https page with the hashes, maybe even 512, would be 'nice to have' in this world we live in.
I can't be the only one left wondering and put off. Very perplexing.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The world is slowly going SSL but it's been kind of a draggy process. This gets really complicated for a whole bunch of reasons, not the least of which is that a lot of infrastructure out there is *old*. Sigh!
 

Sakuru

Guru
Joined
Nov 20, 2015
Messages
527
If you're really worried about someone intercepting your traffic you should download the ISO at work instead of Starbucks. I agree that having the hash and signature available over HTTPS would be nice, but I think the risk of malicious activity is really low.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The paranoid among us download the SHA256 over some other random network connection.
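
Added example, not part of the thread or of the FreeNAS project: a Python check that accepts an ISO only when checksum listings fetched over independent connections agree with each other and with the file's SHA-256. The file name, the two listing formats (GNU `sha256sum` and BSD `sha256` output) and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# GNU coreutils style: "<hex>  name"; BSD style: "SHA256 (name) = <hex>"
GNU = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")
BSD = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")

def parse_checksums(text):
    """Return {filename: lowercase hex digest} from a checksum listing."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if m := GNU.match(line):
            out[m.group(2)] = m.group(1).lower()
        elif m := BSD.match(line):
            out[m.group(1)] = m.group(2).lower()
    return out

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-GB ISO never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def verify(iso_path, name, listings):
    """True only if every listing names the file, all agree, and the file matches."""
    digests = [parse_checksums(t).get(name) for t in listings]
    if not digests or None in digests or len(set(digests)) != 1:
        return False  # missing entry, or the channels disagree: reject
    return hmac.compare_digest(digests[0], sha256_file(iso_path))

def demo():
    """Constructed sample: a small stand-in file and three checksum listings."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "example.iso"
        iso.write_bytes(b"constructed stand-in for an ISO image\n")
        good = sha256_file(iso)
        gnu = f"{good}  example.iso\n"                    # listing from channel 1
        bsd = f"SHA256 (example.iso) = {good.upper()}\n"  # listing from channel 2
        forged = f"{'0' * 64}  example.iso\n"             # altered in transit
        return (verify(iso, "example.iso", [gnu, bsd]),
                verify(iso, "example.iso", [gnu, forged]))

if __name__ == "__main__":
    print(demo())
```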
 

Montel Bahn

Dabbler
Joined
Oct 12, 2015
Messages
40
@jgreco
Sorry but the TLAs haven't just geolocated your IP, wifi, local Starbucks and IDed you;
they see also that your browser is the quickest one in Whoville, USA to report "Seuss' Serif Font installed and rendered".

Maybe we are paranoid and they don't care for pictures of our green bananas?
http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo

Someone should make a secure site that validates some software like FreeBSD and takes reports of tampering from around the world.
That way activists in Ukraine can safely store GIMPed pictures of Anatoly's jewels on Putin's face without fear of
polonium death! I'll stop now.

Re: my system time,
It's not getting picked up from BIOS (X10SDV SM mobo). I'd say this is a bug.

I understand NTP is much better, but not everyone wants/can have their NAS always uplinked.
I wonder where the arbitrary system time setting came from in the first place... was off by like 4hrs and 12 minutes.

I used date via ssh and it stuck through reboot, but a friendly reminder that clock needs setting and the option to set in GUI would at least 'be nice to have'.
I deleted 2 of the ntp servers because the minpoll setting doesn't work strictly (as per design, "...kernel discipline is switched to FLL mode...", yadayada), so even minpoll set at 15 was still querying every 16 minutes and filling my logs and console.

Hopefully I can give back more than newbie criticism soon. I have more issues to deal with. But I am thankful.
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Mod note: This thread was locked because it devolved into general nastiness, which has since been mostly moderated out.

The question raised is important and this thread was not locked for "being an inconvenience", or similar reasons.


Please let this be a reminder that maintaining a friendly atmosphere and a healthy discussion is crucial to advancing important matters, whereas resorting to name-calling, conspiracy theories or a nasty attitude will achieve nothing.
 