Date:      Fri, 11 Sep 2020 16:14:57 +0200
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        Andrew Savchenko <andrew@lists.savchenko.net>
Cc:        freebsd-pkg@freebsd.org
Subject:   Re: Switching `pkg` to HTTPS by default
Message-ID:  <20200911141457.yzrirgbvlhjtrnrr@ivaldir.net>
In-Reply-To: <8310678484.20200911231037@savchenko.net>
References:  <8310678484.20200911231037@savchenko.net>


On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> Hello,
>
> I have added the following snippet under the
> /usr/local/etc/pkg/repos/FreeBSD.conf:
>
> ```
> FreeBSD: {
>   url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
>   mirror_type: "srv",
>   signature_type: "fingerprints",
>   fingerprints: "/usr/share/keys/pkg",
>   enabled: yes
> }
> ```
>
> Note the "https" part of the address. Regardless, `pkg` continued fetching
> binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for
> this to have any effect.

This discussion happened many times in the past, regarding the pkg repository the
https does not bring much as everything is signed and checked against checksums.

That said the point of not having https by default is only related to the fact
that by default there is no CAROOT so no way to validate the certificates in
base, so the bootstrap will fail.

Note that this is doable now in CURRENT.
>
> Setting `VULNXML_SITE` to HTTPS in /usr/local/etc/pkg.conf worked as expected.
>
> Is this a valid bug to report over to freebsd-bugs@freebsd.org?
>
Best regards,
Bapt




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200911141457.yzrirgbvlhjtrnrr>
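
The thread turns on which repository definition is actually in effect and on whether packages are protected by signatures, by TLS, or by both. The following is an added example, not part of the original messages: a shell function that summarises both properties per repository from the effective configuration printed by `pkg -vv`. The names `audit_repos` and `sample_pkg_vv`, the host `pkg.example.org`, and the exact shape of the sample input are assumptions made for illustration.

```shell
# Added example. Summarise transport and signature settings per repository.
# Input: text shaped like the "Repositories:" section of `pkg -vv` (assumed).
audit_repos() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
        if (name == "") return
        signed = (sig != "" && sig != "none")
        tls = (scheme == "https")
        v = signed ? (tls ? "signature+tls" : "signature-only") : (tls ? "tls-only" : "NO-INTEGRITY")
        printf "%s %s %s %s\n", name, scheme, (signed ? sig : "none"), v
        name = ""
    }
    # Repository header, e.g. "  FreeBSD: {"
    /^[ \t]*[A-Za-z0-9_.-]+[ \t]*:[ \t]*[{][ \t]*$/ {
        report(); name = trim(substr($0, 1, index($0, ":") - 1)); scheme = ""; sig = ""; next
    }
    /^[ \t]*[}]/ { report(); next }
    name != "" && index($0, ":") > 0 {
        key = trim(substr($0, 1, index($0, ":") - 1))
        val = trim(substr($0, index($0, ":") + 1))
        sub(/,$/, "", val); gsub(/"/, "", val)
        if (key == "url") {
            sub(/^pkg[+]/, "", val)   # mirror-lookup prefix, not the transport
            scheme = tolower(substr(val, 1, index(val, "://") - 1))
        }
        if (key == "signature_type") sig = tolower(val)
    }
    END { report() }
    '
}

# Constructed sample input (not captured from a real host).
sample_pkg_vv() {
    cat <<'EOF'
Repositories:
  FreeBSD: {
    url             : "pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly",
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS"
  }
  local: {
    url             : "https://pkg.example.org/FreeBSD:12:amd64",
    enabled         : yes
  }
EOF
}

sample_pkg_vv | audit_repos
```

On a FreeBSD host, run `pkg -vv | audit_repos` instead of the sample to see the merged result of `/etc/pkg/` and `/usr/local/etc/pkg/repos/`.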