tech-pkg archive
Re: Cert validation in pkg_add
On Sunday, December 17, 2023 11:38:38 PM CET Taylor R Campbell wrote:
> > Date: Sun, 17 Dec 2023 23:01:23 +0100
> > From: Joerg Sonnenberger <joerg%bec.de@localhost>
> >
> > It should be noted that a very common setup nowadays is to just redirect
> > all http traffic to https anyway, so this has a somewhat broader impact than
> > might be obvious.
>
> Note: The change I proposed only affects the path where you
> specifically request `pkg_add https://...' or set
> `PKG_PATH=https://...'. It does not affect the case where a user
> specifies http and the server redirects that to https.
I can easily think of some semi-sensible setup choices that would have a local
server accessible via http and redirecting to a remote server with https.
So I don't think special casing this is in any way helpful.
> This way it won't break existing setups that use PKG_PATH=http://...
> and have no trust anchors, even if the http URL is a redirect to
> https.
Screw them.
> On the one hand, not validating https on redirect from http -- and,
> conversely, _refusing_ https to http redirect -- may be surprising.
I'm only aware of one group doing that and I'm very comfortable ignoring
them. (*cough* Debian *cough*)
Seriously, anything beyond "validate HTTPS by default, always" and "provide
one mechanism to declare insecure operation" is going to result in a situation
like what we have right now, but much more difficult to find.
Joerg
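As an added illustration (not code from pkg_add, and not written by anyone in this thread), the following models the rule argued for above, "validate HTTPS by default, always" plus a single switch to declare insecure operation, over a redirect chain; the URLs are constructed sample input and the `plan_fetch`/`InsecureRedirect` names are assumptions of this example.

```python
"""Model of a fetch policy that validates TLS on every https hop, whether
the user typed http or https in PKG_PATH, and refuses an https -> http
downgrade unless insecure operation was explicitly declared.
Added example code, not pkg_add's implementation."""
from urllib.parse import urlsplit


class InsecureRedirect(Exception):
    """A redirect chain would step down from https to plain http."""


def plan_fetch(start_url, redirects, insecure=False):
    """Walk a redirect chain and return a list of (url, validate_tls) hops.

    start_url: the URL given to pkg_add or set in PKG_PATH.
    redirects: the Location values the servers would answer with
               (constructed sample input; nothing is fetched).
    insecure:  the one mechanism for declaring insecure operation.
    """
    plan = []
    seen_https = False
    for hop in [start_url, *redirects]:
        scheme = urlsplit(hop).scheme.lower()
        if scheme == "https":
            seen_https = True
            # Every https hop gets certificate validation unless the
            # user opted out; how the chain started is irrelevant.
            plan.append((hop, not insecure))
        elif scheme == "http":
            if seen_https and not insecure:
                # Silently dropping to plaintext after https would
                # undo the validation already performed upstream.
                raise InsecureRedirect(f"downgrade to plain http: {hop}")
            plan.append((hop, False))
        else:
            raise ValueError(f"unsupported scheme in {hop}")
    return plan
```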