[Xen-devel] Proposed plan and URL name for new VM to download xen tarballs (ftp.xenproject.org)

[Lars Kurth <lars.kurth.xen@xxxxxxxxx>]

Hi,

as part of a number of tasks to move Xen Project websites to https, we 
investigated whether we can move our tarballs to a new Xen Project owned domain 
to download tarballs. Currently tarballs are stored on 
http://bits.xensource.com, which is a http site only. We do not have sufficient 
control of bits.xensource.com (which is an Akamai site) to convert the site to 
https, and are thus potentially exposed to MiM attacks. 

To fix this, the current plan of record is to
- Copy existing tarballs to an existing or new VM
- To expose that VM via the new public URL ftp.xenproject.org (this is 
non-browsable, thus ftp - we also already have 
https://downloads.xenproject.org/ to host legacy content)
- To only publish new tarballs on https://ftp.xenproject.org
- To update http://xenproject.org/downloads/xen-archives.html to use the new VM

In most cases, the ftp.xenproject.org site would *not* be exposed directly to 
users, but via the download manager on xenproject.org. The exception are blog 
posts and xen-devel@/etc. mails such as 
https://blog.xenproject.org/2016/05/11/announcing-xen-project-4-7-rc-and-test-day-schedule/

We would either keep existing tarballs on bits.xensource.com OR - if we have 
sufficient control - implement a 301 redirect to the new site. This would 
ensure that 3rd party links to tarballs are not broken. 

Does anyone have any objection regarding the name of the site and/or proposal. 
I am assuming this is non-controversial: if I don't get any objections by end 
of day Friday 12th, Aug assume we can go ahead with the change.

Best Regards
Lars
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel