From: Matthew Seaman
Date: Fri, 18 Jan 2013 20:55:40 +0000
To: Michael Gmelin
Cc: freebsd-ports@freebsd.org
Subject: Re: Using bidirectional authentication in pkgng
Message-ID: <50F9B6CC.3040303@infracaninophile.co.uk>
In-Reply-To: <20130118035721.283135fb@bsd64.grem.de>

On 18/01/2013 02:57, Michael Gmelin wrote:
> a. I understand that my use case is not necessarily pkgng's top
> priority. Ultimately requirement 2 is pretty nonsensical for
> distributing open source packages

Well, yes. I must admit that ssh-based transport authenticated with
keys is not top of the list. Not that we have any objection to
implementing all sorts of transport schemes, but the libfetch-provided
targets are the easiest and most popular use cases. If you really
want this, please open an issue at GitHub. It will get dealt with
eventually. Sooner if anyone wants to send a pull request.

> b. It still would be great if sftp could somehow be supported in the
> future - or at least some syntax that allows external tools to be
> called to accomplish the task. That way people could use sftp, curl
> or whatnot to fetch packages.

Hmmm... it may be possible to implement this sort of thing via a
suitable modification of the plugin architecture. Incorporating new
transport schemes is OK, so long as the code to do it is BSD licensed
(or something compatible like the MIT or Apache licenses) and it
doesn't add run-time dependencies to pkgng. (i.e. we have to be able
to compile it into the binaries so the pkg package can be installed
standalone.)

> c. libfetch really needs to get fixed to allow certificate verification
> in its fetchX* and fetchHTTP* functions when using HTTPS. fetch(3)
> is based on it and there is no indication anywhere whatsoever that
> no checks are done at all (none of the libfetch or fetch utility man
> pages mention it).

This would be useful functionality to add to libfetch. However,
support for DANE (RFC 6698) would be even better, IMHO.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
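Point c. above is that fetch(3)/libfetch performed no certificate check at all for HTTPS, and the reply suggests DANE (RFC 6698) as the better fix. The block below is an added example illustrating what a DANE check actually compares; it is not code from this thread, from pkgng, from libfetch or from FreeBSD. It assumes the TLSA records have already been fetched from DNSSEC-validated DNS (no DNS or TLS code here), that the caller extracts the DER SubjectPublicKeyInfo when a record uses selector 1 (that needs an ASN.1 parser, which is left out), and it only evaluates certificate usage 3 (DANE-EE), since usages 0 to 2 additionally require PKIX path validation. The certificate bytes are constructed stand-ins, not a real certificate.

```python
# Added example for the DANE/TLSA point in this thread (not pkgng,
# libfetch or FreeBSD code). A TLS client that already holds the server's
# DNSSEC-validated TLSA records can bind the presented certificate to the
# DNS name without relying on the CA system. Only usage 3 (DANE-EE) is
# evaluated; usages 0-2 also need PKIX validation, which is omitted.
import hashlib
import hmac
from dataclasses import dataclass

# TLSA selector values, RFC 6698 section 2.1.2
SELECTOR_FULL_CERT = 0   # match the whole DER-encoded certificate
SELECTOR_SPKI = 1        # match only the SubjectPublicKeyInfo

# TLSA matching type values, RFC 6698 section 2.1.3
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2

USAGE_DANE_EE = 3        # RFC 6698 section 2.1.1: end-entity cert pinned in DNS


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes          # "certificate association data"


def parse_tlsa_rdata(text):
    """Parse the presentation format 'usage selector mtype hexdata'
    (RFC 6698 section 2.2), e.g. '3 0 1 ab12...'. Whitespace inside the
    hex field, as zone files often wrap it, is tolerated."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hexdata.split())))


def association_data(selector, matching_type, cert_der, spki_der=None):
    """Compute the bytes a TLSA record's data field must hold for this
    certificate. cert_der is the DER certificate; spki_der is the DER
    SubjectPublicKeyInfo, extracted by the caller (assumption: this
    example does no ASN.1 parsing)."""
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        if spki_der is None:
            raise ValueError("selector 1 requires the SubjectPublicKeyInfo")
        selected = spki_der
    else:
        raise ValueError("unknown selector %d" % selector)

    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def tlsa_matches(record, cert_der, spki_der=None):
    """True if the certificate satisfies one TLSA record. A record whose
    selector or matching type is not understood is 'unusable'
    (RFC 6698 section 4.1) and never matches."""
    try:
        expected = association_data(record.selector, record.matching_type,
                                    cert_der, spki_der)
    except ValueError:
        return False
    # constant-time comparison; the record data came from the network
    return hmac.compare_digest(expected, record.data)


def dane_ee_verify(records, cert_der, spki_der=None):
    """Accept the end-entity certificate if any usage-3 record matches.
    Fails closed when no usable usage-3 record exists, because this
    example has no PKIX validation to fall back on."""
    return any(tlsa_matches(r, cert_der, spki_der)
               for r in records if r.usage == USAGE_DANE_EE)


# Constructed sample input: NOT a real certificate, just bytes standing in
# for the DER encoding a TLS client would receive from the server.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-fake-certificate-body"

# A matching TLSA record for that certificate: usage 3, selector 0, SHA-256.
SAMPLE_TLSA_TEXT = "3 0 1 " + hashlib.sha256(SAMPLE_CERT_DER).hexdigest()
SAMPLE_RECORD = parse_tlsa_rdata(SAMPLE_TLSA_TEXT)


if __name__ == "__main__":
    print("genuine cert accepted:",
          dane_ee_verify([SAMPLE_RECORD], SAMPLE_CERT_DER))
    print("altered cert accepted:",
          dane_ee_verify([SAMPLE_RECORD], SAMPLE_CERT_DER + b"\x00"))
```

The design point worth noting is the failure handling: a record with an unknown selector or matching type is simply unusable rather than an error, and a usage-1 record is ignored here even when its data would match, because accepting it without PKIX validation would silently weaken the check the record was published to express.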