Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 21 Oct 2007 20:28:19 -0700
From:      "David E. Thiel" <lx@freebsd.org>
To:        Adrian Chadd <adrian@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: packages, libfetch, and SSL
Message-ID:  <20071022032819.GE75639@redundancy.redundancy.org>
In-Reply-To: <d763ac660710211907p5b23e145o62da8a5661b6b902@mail.gmail.com>
References:  <20071021013917.GB86865@redundancy.redundancy.org> <d763ac660710211907p5b23e145o62da8a5661b6b902@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 22, 2007 at 10:07:33AM +0800, Adrian Chadd wrote:
> You can't (easily) cache data over SSL. Well, you can't use a HTTP
> proxy that doesn't break the SSL conversation and cache the updates.
> 
> As someone who occasionally makes sure that distribution updates
> through a Squid proxy actually caches said updates, I'd really prefer
> you didn't stick package contents behind SSL.

Fair enough.

> > Now, we could take another approach of PGP-signing packages instead, but
> > all the efforts I've seen to integrate PGP with the package management
> > system in the past haven't gone anywhere. The changes above seem to be
> > a bit more trivial than inventing a package-signing infrastructure and
> > putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign
> > packages and having a baked-in key would work as well.
> 
> Considering its a solved problem (mostly!) in other distributions, and
> their updates are very cachable, why not do this?

Sounds fine to me - I'll take a closer look at this. I'd still like
to see the root CA certs merged into base so libfetch can be fixed.
Does anyone object to just using the ones currently provided by the
ca_root_nss port?




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071022032819.GE75639>