[repoman] A Simo Appears, and some commentary
Jürgen Hötzel
juergen at hoetzel.info
Wed Jul 18 01:49:16 EDT 2007
On Wed, Jul 18, 2007 at 12:26:12AM -0500, Simo Leone wrote:
> On Tue, Jul 17, 2007 at 12:34:47PM -0500, Simo Leone wrote:
> >
> > Also, for an upload mechanism. I'm thinking it would be cool to
> > implement a custom FTP server that authenticates against the user
> > database. This could optionally be tunneled through an ssl tunnel, but
> > would allow any existing ftp client to be used to upload packages.
> > SSL tunneling is No Big Deal (tm) thanks to simple, preexisting tools
> > like stunnel or ftp-ssl. I *think* twisted might give us a way to do this
> > fairly easily without learning the ins and outs of the ftp protocol.
> > This solution also only requires running the daemon on the server
> > system, as opposed to the complex total chroot jail idea that I think
> > was being tossed around with the idea of using ssh.
> >
> > Well that's a start for now, I've gotta delve into this some more.
> >
>
> And delved I have. FTP tunnelling through SSL has some issues with the
> fact that FTP opens a separate data channel, which is much more
> difficult (and annoying) to encrypt than the control channel. So, after
> some thought, I thought..well gee... what if a checksum or something was
> sent through the encrypted channel, so that the data channel could
> operate normally sans the ssl mess. There may be a few clever ways to do
> this while maintaining compatibility with any ftp client, such as
> appending the checksum to the filename specified with the STOR command,
> and parsing it out on the server side.
>
> I dunno, I might be making a frickin mountain out of a mole hill, but the
> gears are turning.
>
> -S
FTPS is even worse than FTP for firewalls: the control channel is encrypted,
so the PORT command is also encrypted and the firewall cannot open ports on
demand for data connections by inspecting control channel traffic.
What about WebDAV over SSL/TLS?
Jürgen
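
The checksum-in-STOR idea from the quoted message, as an added example that is not part of the original thread or of repoman's code. It assumes a hypothetical `name;sha256=<hex>` suffix convention and SHA-256 as the checksum, neither of which the thread specifies; the check detects modification on the clear data channel but does not keep the package contents confidential.

```python
import hashlib
import hmac
import io

SUFFIX = ";sha256="  # hypothetical separator; the thread does not define one
DIGEST_LEN = 32      # SHA-256 digest size in bytes (assumed hash choice)


class UploadRejected(Exception):
    """Raised when a STOR argument or the uploaded data fails validation."""


def parse_stor_argument(arg):
    """Split 'pkg.tar.gz;sha256=<hex>' into (filename, expected digest bytes)."""
    # rpartition: only the last suffix counts, so the name may contain ';'.
    name, sep, hexdigest = arg.rpartition(SUFFIX)
    if not sep or not name:
        raise UploadRejected("no checksum suffix in STOR argument")
    try:
        expected = bytes.fromhex(hexdigest)
    except ValueError:
        raise UploadRejected("checksum is not hex") from None
    if len(expected) != DIGEST_LEN:
        raise UploadRejected("checksum has wrong length")
    # The name arrives from the client: refuse anything that is not a bare filename.
    if "/" in name or name in (".", ".."):
        raise UploadRejected("filename must not contain a path")
    return name, expected


def receive_upload(arg, data_channel, chunk_size=65536):
    """Hash the data-channel stream and accept it only if the digest matches."""
    name, expected = parse_stor_argument(arg)
    digest = hashlib.sha256()
    body = bytearray()
    for chunk in iter(lambda: data_channel.read(chunk_size), b""):
        digest.update(chunk)
        body.extend(chunk)
    # Constant-time comparison of the computed and the announced digest.
    if not hmac.compare_digest(digest.digest(), expected):
        raise UploadRejected("data channel content does not match checksum")
    return name, bytes(body)


# Constructed sample: a fake package body and the STOR argument a client would send.
SAMPLE_BODY = b"constructed package bytes\n"
SAMPLE_ARG = "foo-1.0-1.pkg.tar.gz" + SUFFIX + hashlib.sha256(SAMPLE_BODY).hexdigest()

if __name__ == "__main__":
    print(receive_upload(SAMPLE_ARG, io.BytesIO(SAMPLE_BODY))[0])
```

The announced digest is only trustworthy if the control channel that carried the STOR argument was itself encrypted and authenticated.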