Date:      Fri, 11 Sep 2020 09:18:30 -0500
From:      Kyle Evans <kevans@freebsd.org>
To:        Baptiste Daroussin <bapt@freebsd.org>
Cc:        Andrew Savchenko <andrew@lists.savchenko.net>, freebsd-pkg@freebsd.org
Subject:   Re: Switching `pkg` to HTTPS by default
Message-ID:  <CACNAnaEUWEnrkSJSU=sxbQn9L%2BJV57KS=6gY6OaoOvgPXxYNhQ@mail.gmail.com>
In-Reply-To: <20200911141457.yzrirgbvlhjtrnrr@ivaldir.net>
References:  <8310678484.20200911231037@savchenko.net> <20200911141457.yzrirgbvlhjtrnrr@ivaldir.net>

On Fri, Sep 11, 2020 at 9:15 AM Baptiste Daroussin <bapt@freebsd.org> wrote:
>
> On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> > Hello,
> >
> > I have added the following snippet under the
> > /usr/local/etc/pkg/repos/FreeBSD.conf:
> >
> > ```
> > FreeBSD: {
> >   url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
> >   mirror_type: "srv",
> >   signature_type: "fingerprints",
> >   fingerprints: "/usr/share/keys/pkg",
> >   enabled: yes
> > }
> > ```
> >
> > Note the "https" part of the address. Regardless, `pkg` continued fetching
> > binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for
> > this to have any effect.
>
> This discussion happened many times in the past. Regarding the pkg repository,
> https does not bring much, as everything is signed and checked against checksums.
>

In this case they were trying to do it for just the single machine,
presumably with caroot installed from ports... shouldn't the entries
have been merged and url from this one override?
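
One way to see which URL pkg ends up using once the repository files have been merged is to read the "Repositories:" section that `pkg -vv` prints. The script below is an added example, not part of the original message or of pkg itself; `insecure_repos` and `sample_pkg_vv` are hypothetical helper names, and the sample text is constructed, assuming the usual `pkg -vv` layout.

```shell
#!/bin/sh
# Report enabled repositories whose effective URL is not HTTPS.
# Input: the text of `pkg -vv` on stdin. Output: one "name url" line per finding.
insecure_repos() {
    awk '
        /^Repositories:/ { in_repos = 1; next }
        !in_repos { next }
        # Repository header, e.g. "  FreeBSD: {"
        /^[ \t]*[^ \t:]+:[ \t]*[{]/ {
            name = $1; sub(/:.*/, "", name); url = ""; enabled = "yes"; next
        }
        # Effective URL after all repository files were merged
        /^[ \t]*url[ \t]*:/ {
            url = $0; sub(/^[^"]*"/, "", url); sub(/".*/, "", url); next
        }
        /^[ \t]*enabled[ \t]*:/ {
            enabled = ($0 ~ /:[ \t]*(yes|true)/) ? "yes" : "no"; next
        }
        # End of a repository block: flag it if enabled and not HTTPS
        /^[ \t]*[}]/ {
            if (name != "" && enabled == "yes" && url !~ "^(pkg[+])?https://")
                print name, url
            name = ""
        }
    '
}

# Constructed sample of a `pkg -vv` "Repositories:" section (not real output).
sample_pkg_vv() {
    cat <<'EOF'
Repositories:
  FreeBSD: {
    url             : "pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly",
    enabled         : yes,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }
  internal: {
    url             : "https://pkg.example.org/FreeBSD:12:amd64",
    enabled         : yes
  }
  old: {
    url             : "http://old.example.org/packages",
    enabled         : no
  }
EOF
}

# On a real host: pkg -vv | insecure_repos
sample_pkg_vv | insecure_repos
```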


