From: Kyle Evans
Date: Fri, 11 Sep 2020 09:18:30 -0500
Subject: Re: Switching `pkg` to HTTPS by default
To: Baptiste Daroussin
Cc: Andrew Savchenko, freebsd-pkg@freebsd.org

On Fri, Sep 11, 2020 at 9:15 AM Baptiste Daroussin wrote:
>
> On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> > Hello,
> >
> > I have added the following snippet under the
> > /usr/local/etc/pkg/repos/FreeBSD.conf:
> >
> > ```
> > FreeBSD: {
> >   url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
> >   mirror_type: "srv",
> >   signature_type: "fingerprints",
> >   fingerprints: "/usr/share/keys/pkg",
> >   enabled: yes
> > }
> > ```
> >
> > Note the "https" part of the address. Regardless, `pkg` continued fetching
> > binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for
> > this to have any effect.
>
> This discussion happened many times in the past, regarding the pkg repository the
> https does not bring much as everything is signed and checked against checksums.
>

In this case they were trying to do it for just the single machine,
presumably with caroot installed from ports... shouldn't the entries
have been merged and url from this one override?