Date:      Wed, 01 Dec 2021 02:31:57 +0000
From:      bugzilla-noreply@freebsd.org
To:        ruby@FreeBSD.org
Subject:   [Bug 260019] net/foreman-proxy: update to 3.0.1
Message-ID:  <bug-260019-21402-qJCsgLjxPF@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-260019-21402@https.bugs.freebsd.org/bugzilla/>
References:  <bug-260019-21402@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260019

Jason Unovitch <junovitch@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |junovitch@freebsd.org

--- Comment #2 from Jason Unovitch <junovitch@freebsd.org> ---
(In reply to Frank Wall from comment #0)

Hi Frank, thanks for picking up where PR 253008 left off. I'm speaking for
myself on this one and am not tracking the most recent commit policy, but we
don't need to pull in systemd for this. My patch added in PR for the 2.2.3 to
2.3.5 update includes a patch file to revert the callback in
theforeman/smart-proxy@99e9e5bf5843 which introduced the new dependency on the
sd_notify Rubygem port. I can't find clear guidance in the handbook on what we
do for this just now, but we can patch it out until the upstream code is more
agnostic to the *nix implementation it's on.

Visual inspection of the patch looks mostly good, but I do have one alibi,
putting the security hat on: why do we need to patch lib/proxy/http_download.rb
to include a "verify_server_cert = false" line? There would be implications if
there is an adversary performing a MITM, including this suggested portion of the
patch that I am hesitant on without further understanding of what it means at
runtime. For the rest of the patch, if you have tested and run it I'm good
myself and we'll just need an active/current committer to pick this up.

I'll be traveling for a job until the new year and limited on things, but am
glad to discuss regarding the verify_server_cert pending your feedback. Thanks
again!

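The comment above asks what a `verify_server_cert = false` setting means at runtime. The following Ruby script is an added illustration, not code from smart-proxy or from the port patch under review: it generates a constructed example CA, a genuine server certificate issued by that CA, and a self-signed "rogue" certificate of the kind a man-in-the-middle could present, then shows that chain verification accepts only the genuine one, while a `verify_server_cert: false` flag (modelled here by a hypothetical `server_cert_acceptable?` helper) accepts anything. The `http_client_for` helper is likewise hypothetical and only shows how such a flag maps onto `Net::HTTP#verify_mode`; the hostname `mirror.example.test` is a placeholder.

```ruby
require 'openssl'
require 'net/http'

# Build an X.509 certificate (constructed test fixture). With no issuer it is
# self-signed; with ca: true it carries the basicConstraints extension that a
# trust anchor needs for chain verification.
def make_cert(subject, key, serial:, ca: false, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hypothetical helper mirroring what a verify_server_cert flag means at runtime:
# when false, no chain check is performed and whatever certificate the peer
# presents is accepted, which is exactly what a MITM needs.
def server_cert_acceptable?(presented, trusted_cas, verify_server_cert: true)
  return true unless verify_server_cert
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(presented)
end

# Hypothetical helper showing how the same flag maps onto Net::HTTP.
def http_client_for(uri, verify_server_cert: true)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = verify_server_cert ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  http
end

# Run the comparison and return the outcomes keyed by scenario.
def demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca       = make_cert('/CN=Constructed Example CA', ca_key, serial: 1, ca: true)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  genuine  = make_cert('/CN=mirror.example.test', srv_key, serial: 2,
                       issuer_cert: ca, issuer_key: ca_key)
  mitm_key = OpenSSL::PKey::RSA.new(2048)
  rogue    = make_cert('/CN=mirror.example.test', mitm_key, serial: 3) # self-signed, untrusted
  uri      = URI('https://mirror.example.test/')

  {
    genuine_with_verify:  server_cert_acceptable?(genuine, [ca]),                            # true
    rogue_with_verify:    server_cert_acceptable?(rogue, [ca]),                              # false
    rogue_without_verify: server_cert_acceptable?(rogue, [ca], verify_server_cert: false),   # true
    verify_mode_default:  http_client_for(uri).verify_mode,                                  # VERIFY_PEER
    verify_mode_disabled: http_client_for(uri, verify_server_cert: false).verify_mode        # VERIFY_NONE
  }
end

demo.each { |scenario, outcome| puts "#{scenario}: #{outcome}" } if __FILE__ == $PROGRAM_NAME
```

Run it with `ruby verify_demo.rb`; it needs no network access. The `rogue_without_verify` line is the case the comment worries about: with verification off, the downloader has no way to tell the genuine mirror from an interposed host, so the safer fix for a trust problem is to add the right CA to the store rather than to flip the flag.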