
> > Installation uses HTTP to fetch a boot volume image.

> This is a problem with all of the suckless software and it, well, sucks.

If you serve things over HTTP it's easier to daisy-chain it in a PXE -> iPXE kind of setup. HTTPS is not supported by most boot-ROMs.

Keep your boot-image server on site and local and HTTP isn't a real world issue.



1) dl.sta.li is not on my site, and probably not on yours.

2) That's still suboptimal. You're giving each host on your LAN the ability to interfere with any newly-provisioned server. This is a perfect and hard-to-detect way for an attacker to pivot from "RCE on some random webapp" to "advanced persistent threat".
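The two comments above describe the trade-off (plain HTTP keeps PXE -> iPXE chaining working, but any host on the segment can answer the request) without showing the check that reconciles them: keep the transport HTTP and verify the fetched image against a digest the provisioning host already trusts. The following is an added example, not code from the thread or from the stali/suckless project; the image bytes, the URL path under dl.sta.li, and the two "network" dictionaries that stand in for what an HTTP GET returns are all constructed here. It also shows why the common shortcut, fetching a `.sha256` file over the same HTTP channel, gives no protection against the LAN attacker the second commenter describes.

```python
import hashlib
import hmac

# Constructed sample image, and its SHA-256 as delivered out of band
# (e.g. baked into the iPXE script or firmware), NOT over the same
# HTTP channel the image itself comes over.
GOOD_IMAGE = b"stali boot image: kernel + initramfs (constructed sample)\n"
PINNED_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

# What another host on the LAN could serve instead (constructed).
TAMPERED_IMAGE = GOOD_IMAGE + b"# attacker-appended init hook: fetch and run implant\n"

IMAGE_URL = "http://dl.sta.li/stali-boot.img"   # hypothetical path
HASH_URL = IMAGE_URL + ".sha256"                # hypothetical in-band hash file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# These dicts stand in for the answers an HTTP GET gets back. Over plain
# HTTP, whoever wins ARP/DHCP on the segment or sits in the path decides
# the answer, so an attacker can rewrite the image AND its hash file.
HONEST_NET = {IMAGE_URL: GOOD_IMAGE, HASH_URL: PINNED_SHA256.encode()}
ATTACKED_NET = {IMAGE_URL: TAMPERED_IMAGE,
                HASH_URL: sha256_hex(TAMPERED_IMAGE).encode()}


def http_get(url: str, network: dict) -> bytes:
    """Simulated unauthenticated HTTP GET (no TLS, no signature)."""
    return network[url]


def in_band_check(network: dict) -> bool:
    """Compare the image with a hash file fetched over the same channel.

    This is the check people reach for first. It proves nothing against an
    on-path attacker: both files come from the same untrusted source, so
    the attacker simply serves a hash that matches the tampered image.
    """
    image = http_get(IMAGE_URL, network)
    claimed = http_get(HASH_URL, network).decode().strip()
    return hmac.compare_digest(sha256_hex(image), claimed)


def provision(network: dict, pinned_hex: str) -> bytes:
    """Fetch over HTTP, but boot only an image matching the trusted pin.

    The transport stays HTTP, so PXE -> iPXE chaining is unaffected;
    integrity comes from the pin the host already holds, not the channel.
    """
    image = http_get(IMAGE_URL, network)
    if not hmac.compare_digest(sha256_hex(image), pinned_hex):
        raise ValueError("boot image does not match pinned SHA-256; refusing to boot")
    return image


if __name__ == "__main__":
    print("in-band hash check on attacked LAN passes:", in_band_check(ATTACKED_NET))
    print("pinned check on honest LAN boots:", provision(HONEST_NET, PINNED_SHA256)[:18])
    try:
        provision(ATTACKED_NET, PINNED_SHA256)
    except ValueError as err:
        print("pinned check on attacked LAN:", err)
```

The pin can equally be a signature over the image checked against a public key the host holds; the property that matters is that the trust anchor reaches the provisioning host by a path the LAN cannot rewrite.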



