Re: Cert validation in pkg_add

To: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: Cert validation in pkg_add
From: Martin Husemann <martin%duskware.de@localhost>
Date: Sun, 17 Dec 2023 19:59:24 +0100

On Sun, Dec 17, 2023 at 06:35:54PM +0000, Taylor R Campbell wrote:
> In other words, there is no change when you write `pkg_add http://...'
> (or use PKG_PATH=http://...).  So this won't affect, e.g., NetBSD 9
> installations where the suggested PKG_PATH in /root/.profile is an
> http:// URL.
> 
> The change affects only uses that _explicitly ask_ for secure
> transport by writing https:// URLs, which, currently, pkg_add silently
> fails to verify.

I have just commited changes to sysinst (that I plan to request pullup to 10
for) that offer https as a transport mechanism (previously onl ftp and http
were available), and also select https as the default for new installs.

This also creates a pkgin repositories.conf file with a https URL.

Together with Taylor's suggested changes this would lead to full SSL 
verified https downloads for binary pkgs both (later) at runtime but
also during the download of pkgin and the initial summary file.

The user can easily opt out at in the pkgin sysinst menu by selecting
ftp or http transfers.

I consider this a good default and a good way forward, so I'm all for
landing Taylor's patch.

Martin

References:
- Re: Cert validation in pkg_add
  - From: Greg Troxel
- Re: Cert validation in pkg_add
  - From: Taylor R Campbell

Prev by Date: pkg options inheritance
Next by Date: Re: Cert validation in pkg_add
Previous by Thread: Re: Cert validation in pkg_add
Next by Thread: Re: Cert validation in pkg_add
Indexes:

Home | Main Index | Thread Index | Old Index