From: "David E. Thiel"
To: Adrian Chadd
Delivered-To: freebsd-hackers@freebsd.org
Date: Sun, 21 Oct 2007 20:28:19 -0700
Message-ID: <20071022032819.GE75639@redundancy.redundancy.org>
References: <20071021013917.GB86865@redundancy.redundancy.org>

On Mon, Oct 22, 2007 at 10:07:33AM +0800, Adrian Chadd wrote:
> You can't (easily) cache data over SSL. Well, you can't use a HTTP
> proxy that doesn't break the SSL conversation and cache the updates.
>
> As someone who occasionally makes sure that distribution updates
> through a Squid proxy actually caches said updates, I'd really prefer
> you didn't stick package contents behind SSL.

Fair enough.

> > Now, we could take another approach of PGP-signing packages instead, but
> > all the efforts I've seen to integrate PGP with the package management
> > system in the past haven't gone anywhere. The changes above seem to be
> > a bit more trivial than inventing a package-signing infrastructure and
> > putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign
> > packages and having a baked-in key would work as well.
>
> Considering it's a solved problem (mostly!) in other distributions, and
> their updates are very cachable, why not do this?

Sounds fine to me - I'll take a closer look at this. I'd still like to
see the root CA certs merged into base so libfetch can be fixed. Does
anyone object to just using the ones currently provided by the
ca_root_nss port?
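
The approach discussed in this thread (sign the package, ship the verification key in base, and leave the transport as plain, cacheable HTTP) can be sketched with the openssl command line. This is an added example, not code from the thread or from FreeBSD; the throwaway key, the file names and the payload are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached package signature checked against a pinned public key.
# Key pair, file names and package contents are constructed for this demo.

# verify_pkg PUBKEY SIG PKG: exit status 0 only if SIG is a valid
# SHA-256 signature of PKG under PUBKEY.
verify_pkg() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# run_demo: prints "<verdict for intact copy> <verdict for altered copy>".
run_demo() {
    d=$(mktemp -d) || return 1

    # Builder side: the private key stays with the package builders,
    # the public key is what would be baked into the base system.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/sign.key" 2>/dev/null
    openssl pkey -in "$d/sign.key" -pubout -out "$d/pinned.pub"
    printf 'constructed package payload\n' > "$d/demo-1.0.tbz"
    openssl dgst -sha256 -sign "$d/sign.key" \
        -out "$d/demo-1.0.tbz.sig" "$d/demo-1.0.tbz"

    # Client side: package and signature arrive over plain HTTP, possibly
    # from a caching proxy. An unmodified copy verifies.
    cp "$d/demo-1.0.tbz" "$d/cached.tbz"
    if verify_pkg "$d/pinned.pub" "$d/demo-1.0.tbz.sig" "$d/cached.tbz"; then
        good=accept
    else
        good=reject
    fi

    # A cache or mirror that changed the bytes is caught by the same check.
    printf 'bytes added in transit\n' >> "$d/cached.tbz"
    if verify_pkg "$d/pinned.pub" "$d/demo-1.0.tbz.sig" "$d/cached.tbz"; then
        bad=accept
    else
        bad=reject
    fi

    rm -rf "$d"
    echo "$good $bad"
}

run_demo
```

Because the check depends only on the pinned key and the file contents, the proxy never needs to be trusted and never needs to terminate TLS.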