Date:      Fri, 11 Sep 2020 16:22:23 +0200
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        Andrew Savchenko <andrew@lists.savchenko.net>
Cc:        freebsd-pkg@freebsd.org
Subject:   Re: Switching `pkg` to HTTPS by default
Message-ID:  <20200911142223.kt7cfs5zbu7qwtsn@ivaldir.net>
In-Reply-To: <20200911141457.yzrirgbvlhjtrnrr@ivaldir.net>
References:  <8310678484.20200911231037@savchenko.net> <20200911141457.yzrirgbvlhjtrnrr@ivaldir.net>



On Fri, Sep 11, 2020 at 04:14:57PM +0200, Baptiste Daroussin wrote:
> On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> > Hello,
> >
> > I have added the following snippet under the
> > /usr/local/etc/pkg/repos/FreeBSD.conf:
> >
> > ```
> > FreeBSD: {
> >   url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
> >   mirror_type: "srv",
> >   signature_type: "fingerprints",
> >   fingerprints: "/usr/share/keys/pkg",
> >   enabled: yes
> > }
> > ```
> >
> > Note the "https" part of the address. Regardless, `pkg` continued fetching
> > binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for
> > this to have any effect.
>
> This discussion happened many times in the past, regarding the pkg repository the
> https does not bring much as everything is signed and checked against checksums.
>
> That said the point of not having https by default is only related to the fact
> that by default there is no CAROOT so no way to validate the certificates in
> base, so the bootstrap will fail.
>
> Note that this is doable now in CURRENT.

Sorry, I completely misread your report.

Yes, this is a bug; I will look into it.

What does pkg -vv tell you?

Best regards,
Bapt
