From owner-freebsd-hackers@FreeBSD.ORG Mon Oct 22 16:17:20 2007 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 52C3616A419; Mon, 22 Oct 2007 16:17:20 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (cl-162.ewr-01.us.sixxs.net [IPv6:2001:4830:1200:a1::2]) by mx1.freebsd.org (Postfix) with ESMTP id BEDE813C494; Mon, 22 Oct 2007 16:17:19 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (localhost [127.0.0.1]) by lor.one-eyed-alien.net (8.13.8/8.13.8) with ESMTP id l9MGHINx021747; Mon, 22 Oct 2007 11:17:18 -0500 (CDT) (envelope-from brooks@lor.one-eyed-alien.net) Received: (from brooks@localhost) by lor.one-eyed-alien.net (8.13.8/8.13.8/Submit) id l9MGHIX5021746; Mon, 22 Oct 2007 11:17:18 -0500 (CDT) (envelope-from brooks) Date: Mon, 22 Oct 2007 11:17:18 -0500 From: Brooks Davis To: "David E. Thiel" Message-ID: <20071022161718.GB21096@lor.one-eyed-alien.net> References: <20071021013917.GB86865@redundancy.redundancy.org> <20071022032819.GE75639@redundancy.redundancy.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="z6Eq5LdranGa6ru8" Content-Disposition: inline In-Reply-To: <20071022032819.GE75639@redundancy.redundancy.org> User-Agent: Mutt/1.5.15 (2007-04-06) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (lor.one-eyed-alien.net [127.0.0.1]); Mon, 22 Oct 2007 11:17:18 -0500 (CDT) Cc: freebsd-hackers@freebsd.org, Adrian Chadd Subject: Re: packages, libfetch, and SSL X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Oct 2007 16:17:20 -0000 --z6Eq5LdranGa6ru8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Oct 21, 2007 at 08:28:19PM -0700, David E. Thiel wrote: > On Mon, Oct 22, 2007 at 10:07:33AM +0800, Adrian Chadd wrote: > > You can't (easily) cache data over SSL. Well, you can't use a HTTP > > proxy that doesn't break the SSL conversation and cache the updates. > >=20 > > As someone who occasionally makes sure that distribution updates > > through a Squid proxy actually caches said updates, I'd really prefer > > you didn't stick package contents behind SSL. >=20 > Fair enough. >=20 > > > Now, we could take another approach of PGP-signing packages instead, = but > > > all the efforts I've seen to integrate PGP with the package management > > > system in the past haven't gone anywhere. The changes above seem to be > > > a bit more trivial than inventing a package-signing infrastructure and > > > putting gpg or a BSD-licensed clone into base. Perhaps using SSL to s= ign > > > packages and having a baked-in key would work as well. > >=20 > > Considering its a solved problem (mostly!) in other distributions, and > > their updates are very cachable, why not do this? >=20 > Sounds fine to me - I'll take a closer look at this. I'd still like > to see the root CA certs merged into base so libfetch can be fixed. > Does anyone object to just using the ones currently provided by the > ca_root_nss port? If we're going to have a default set, this is the right one since it's the = one everyone already trusts. It would be useful to know what the security team thinks of the idea. -- Brooks --z6Eq5LdranGa6ru8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFHHM0NXY6L6fI4GtQRAmoiAJsEtJU6xN8MOvWoUZM4Lot8959SIgCg5OKJ ElxIQ2RPTiGCgI3R4SuG+oM= =MTYR -----END PGP SIGNATURE----- --z6Eq5LdranGa6ru8--