tech-pkg archive


Re: Cert validation in pkg_add



I read again.  My issues are:

  This, while I know you see it as a bug fix, is a huge change in
  existing practice.

  We have had one positive comment.  One person told me they would test
  and comment, but haven't yet.  Another person in private mail was
  vaguely positive but unconvinced about the rush.

  I'm still uncomfortable about the lack of other people really reading
  and considering impacts, given that this arose in month 3.

  This seems to make libfetch reject ftp/http if V is on, but we
  discussed changing semantics to only affecting https.  If a program
  that uses libfetch wants pkix-validated methods only, it should filter
  them.  Really I see this as wanting to change https to default to pkix
  validation, and doing that via V because it would be an incompat
  change.  This is blurring that flip with "reject ftp even though it
  was asked for".  I expected in this round to have the fail-ftp code
  just vanish.

  The comment says "after the branch we'll just remove the NetBSD 10
  conditional".  That's not an ok comment because we have not had that
  discussion.  I have narrowed thinking about this to the NetBSD 10 case
  only, because everything else is not any more urgent than it has been
  the last 10 years.  So this should be "discussion has only happened
  for this case" and not presuppose the rest.

  I still do not like INSECURE_TRANSPORT as it seeks to frighten rather
  than inform.  I think TLS_VALIDATE_CERTIFICATES=no should be settable,
  with it defaulting to yes.  (Or really, the default being yes on
  NetBSD 10 and no elsewhere, for now.)  That leads the reader to the
  correct impression without docs.  I also think the variable should
  just be about TLS validation.  A decision to reject http/ftp is
  another thing, and if implemented at all (which I 95% think is bad)
  should get another variable.  To me, disallowing http/ftp is a further
  step beyond tls validation, and much more than a bug fix.

  I don't see bumping the required pkg_install version in the patch.  I
  think we might need that to get "pkg_add will be the same".  That
  makes this more complicated.

  Do we have agreement from netbsd releng that this change is going to
  be pulled up to netbsd-10 before release?  If not, then there's risk
  to pkgsrc without gain.  I haven't seen any comments from any of them
  on this list.


I'll note that we could pull this up the branch later, after things have
really settled and been tested.  I am really uncomfortable doing things
last-minute and under time pressure, and that's what this feels like.
Not your fault, that's what happens with time-based releases, a bit of a
minus.  On the plus side, they actually happen!


So I wonder about landing it in netbsd-10 and after it all works ok then
I think it would be easy to get consensus to bring that change
(conditioned on netbsd-10) into pkgsrc.

