tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Use the newly introduced GIT_ENV instead of tweaking a supposedly internal variable.

Hauke Fath <> writes:

>> Take a look at
>> security/mozilla-rootcerts
>> security/mozilla-rootcerts-openssl
>> It will not install these for you, and I think that's fine too.
> It is not, in that a 'make' (or even 'make clean') for a git based 
> package accessing the repository via SSL will error out, and you get to 
> find out that (and how) you have to provide git with an SSL cert store.

The basic problem is that the underlying way PKI works in the real world
is unsound (one is expected to configure ~100 CAs as trust anchors).
Some systems preload these, and NetBSD has chosen not to, in order to
leave security-critical decisions to the user.

We should review which tools insist on a validated path for https fetch,
and whether we think it's reasonable for them to fail.  Then whether
pkgsrc should insist on certificate chain validation.  Arguably it need
not, because we have hashes for distfiles.

So perhaps fetches using curl should all disable cert path checking.

Turning it off per package doesn't make sense.  That's kind of like
setting FETCH_USING because the system ftp doesn't support https, and we
decided not to do that.

Attachment: signature.asc
Description: PGP signature

Home | Main Index | Thread Index | Old Index