Date: Mon, 22 Oct 2007 11:17:18 -0500
From: Brooks Davis <brooks@freebsd.org>
To: "David E. Thiel" <lx@freebsd.org>
Cc: freebsd-hackers@freebsd.org, Adrian Chadd <adrian@freebsd.org>
Subject: Re: packages, libfetch, and SSL
Message-ID: <20071022161718.GB21096@lor.one-eyed-alien.net>
In-Reply-To: <20071022032819.GE75639@redundancy.redundancy.org>
References: <20071021013917.GB86865@redundancy.redundancy.org> <d763ac660710211907p5b23e145o62da8a5661b6b902@mail.gmail.com> <20071022032819.GE75639@redundancy.redundancy.org>

On Sun, Oct 21, 2007 at 08:28:19PM -0700, David E. Thiel wrote:
> On Mon, Oct 22, 2007 at 10:07:33AM +0800, Adrian Chadd wrote:
> > You can't (easily) cache data over SSL. Well, you can't use a HTTP
> > proxy that doesn't break the SSL conversation and cache the updates.
> >
> > As someone who occasionally makes sure that distribution updates
> > through a Squid proxy actually caches said updates, I'd really prefer
> > you didn't stick package contents behind SSL.
>
> Fair enough.
>
> > > Now, we could take another approach of PGP-signing packages instead, but
> > > all the efforts I've seen to integrate PGP with the package management
> > > system in the past haven't gone anywhere. The changes above seem to be
> > > a bit more trivial than inventing a package-signing infrastructure and
> > > putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign
> > > packages and having a baked-in key would work as well.
> >
> > Considering it's a solved problem (mostly!) in other distributions, and
> > their updates are very cachable, why not do this?
>
> Sounds fine to me - I'll take a closer look at this. I'd still like
> to see the root CA certs merged into base so libfetch can be fixed.
> Does anyone object to just using the ones currently provided by the
> ca_root_nss port?

If we're going to have a default set, this is the right one since it's the
one everyone already trusts. It would be useful to know what the security
team thinks of the idea.

-- Brooks