Date: Fri, 11 Sep 2020 16:14:57 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Andrew Savchenko <andrew@lists.savchenko.net>
Cc: freebsd-pkg@freebsd.org
Subject: Re: Switching `pkg` to HTTPS by default
Message-ID: <20200911141457.yzrirgbvlhjtrnrr@ivaldir.net>
In-Reply-To: <8310678484.20200911231037@savchenko.net>
References: <8310678484.20200911231037@savchenko.net>

On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> Hello,
>
> I have added the following snippet under the
> /usr/local/etc/pkg/repos/FreeBSD.conf:
>
> ```
> FreeBSD: {
> url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
> mirror_type: "srv",
> signature_type: "fingerprints",
> fingerprints: "/usr/share/keys/pkg",
> enabled: yes
> }
> ```
>
> Note the "https" part of the address. Regardless, `pkg` continued fetching
> binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for
> this to have any effect.

This discussion happened many times in the past. Regarding the pkg repository,
https does not bring much, as everything is signed and checked against checksums.
That said, the point of not having https by default is only related to the fact
that by default there is no CAROOT, so no way to validate the certificates in
base, so the bootstrap will fail.
Note that this is doable now in CURRENT.

>
> Setting `VULNXML_SITE` to HTTPS in /usr/local/etc/pkg.conf worked as expected.
>
> Is this a valid bug to report over to freebsd-bugs@freebsd.org?
>
Best regards,
Bapt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200911141457.yzrirgbvlhjtrnrr>
