tech-pkg archive


Re: Cert validation in pkg_add



> Date: Sun, 17 Dec 2023 23:48:22 +0100
> From: Joerg Sonnenberger <joerg%bec.de@localhost>
> 
> On Sunday, December 17, 2023 11:38:38 PM CET Taylor R Campbell wrote:
> > Note: The change I proposed only affects the path where you
> > specifically request `pkg_add https://...' or set
> > `PKG_PATH=https://...'.  It does not affect the case where a user
> > specifies http and the server redirects that to https.
> 
> I can think easily of some semi-sensible setup choices that would
> have a local server accessible via http and redirecting to a remote
> server with https.  So I don't think special-casing this is in any
> way helpful.

What I'm proposing does not cause a regression in this scenario.

It doesn't improve security, but it also doesn't weaken security and
it doesn't break functionality.

> Seriously, anything beyond "validate HTTPS by default, always" and
> "provide one mechanism to declare insecure operation" is going to
> result in a situation like what we have right now, but much more
> difficult to find.

I'm sympathetic to the proposition that we should unconditionally
require https validation, but I'm trying to:

1. keep the risk of breakage low by not changing any existing setups
   that don't explicitly ask for https, and

2. make the security contract simple and clear: if you ask for https,
   pkg_add will guarantee it has authenticated the server it
   downloaded from.

In a future change (maybe as soon as we branch), perhaps we can
simplify the logic at the risk of breaking existing setups.

