tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Cert validation in pkg_add
On Sun, Dec 17, 2023 at 06:35:54PM +0000, Taylor R Campbell wrote:
> In other words, there is no change when you write `pkg_add http://...'
> (or use PKG_PATH=http://...). So this won't affect, e.g., NetBSD 9
> installations where the suggested PKG_PATH in /root/.profile is an
> http:// URL.
>
> The change affects only uses that _explicitly ask_ for secure
> transport by writing https:// URLs, which, currently, pkg_add silently
> fails to verify.
I have just commited changes to sysinst (that I plan to request pullup to 10
for) that offer https as a transport mechanism (previously onl ftp and http
were available), and also select https as the default for new installs.
This also creates a pkgin repositories.conf file with a https URL.
Together with Taylor's suggested changes this would lead to full SSL
verified https downloads for binary pkgs both (later) at runtime but
also during the download of pkgin and the initial summary file.
The user can easily opt out at in the pkgin sysinst menu by selecting
ftp or http transfers.
I consider this a good default and a good way forward, so I'm all for
landing Taylor's patch.
Martin
Home |
Main Index |
Thread Index |
Old Index