From: Baptiste Daroussin
To: Michael Gmelin
Cc: des@FreeBSD.org, freebsd-ports@freebsd.org
Date: Wed, 23 Jan 2013 01:41:47 +0100
Subject: Re: Using bidirectional authentication in pkgng
Message-ID: <20130123004147.GG27275@ithaqua.etoilebsd.net>
In-Reply-To: <20130122193035.4c51be04@bsd64.grem.de>
References: <20130118035721.283135fb@bsd64.grem.de> <50F9B6CC.3040303@infracaninophile.co.uk> <20130122193035.4c51be04@bsd64.grem.de>
List-Id: Porting software to FreeBSD

On Tue, Jan 22, 2013 at 07:30:35PM +0100, Michael Gmelin wrote:
> On Fri, 18 Jan 2013 20:55:40 +0000
> Matthew Seaman wrote:
>
> > On 18/01/2013 02:57, Michael Gmelin wrote:
> >
> > > a. I understand that my use case is not necessarily pkgng's top
> > > priority. Ultimately requirement 2 is pretty nonsensical for
> > > distributing open source packages.
> >
> > Well, yes. I must admit that ssh based transport authenticated with
> > keys is not top of the list. Not that we have any objection to
> > implementing all sorts of transport schemes, but the libfetch provided
> > targets are the easiest and most popular use cases. If you really
> > want this, please open an issue at GitHub. It will get dealt with
> > eventually. Sooner if anyone wants to send a pull-request.
> >
> > > b. It still would be great if sftp could somehow be supported in the
> > > future - or at least some syntax that allows external tools to be
> > > called to accomplish the task. That way people could use sftp,
> > > curl or whatnot to fetch packages.
> >
> > Hmmm... it may be possible to implement this sort of thing via a
> > suitable modification of the plugin architecture. Incorporating new
> > transport schemes is OK, so long as the code to do it is BSD licensed
> > (or something compatible like the MIT or Apache licenses) and it
> > doesn't add run-time dependencies to pkgng. (i.e. we have to be able
> > to compile it into the binaries so the pkg package can be installed
> > standalone.)
> >
> > > c. libfetch really needs to get fixed to allow certificate
> > > verification in its fetchX* and fetchHTTP* functions when using
> > > HTTPS. fetch(3) is based on it and there is no indication anywhere
> > > whatsoever that no checks are done at all (none of the libfetch or
> > > fetch utility man pages mention it).
> >
> > This would be useful functionality to add to libfetch. However,
> > support for DANE (RFC 6698) would be even better, IMHO.
>
> I implemented the necessary bits over the weekend and filed a PR
> containing the patch (SSL peer verification, hostname checking, client
> certificates etc.).
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=175514
>
> Assuming the code quality is sufficient, it would be great if it made it
> to base (not sure if des@freebsd.org is still taking care of libfetch).

Yes he is, that is why I have CCed him.

>
> I agree that implementing DANE would be a good thing. The basic features
> I implemented should be in there anyway though, since the current
> PKI structure should be supported until something better is around -
> DNSSEC adoption itself is still pretty low (at least around here most
> hosting companies don't even offer the option) and migration will
> probably be a lengthy process. For private CA setups this
> solution provides an acceptable level of security anyway.
>
> That said, if there's interest I could volunteer to implement DANE
> later this year - assuming there is someone who can audit the
> results.
>
> Cheers,
> Michael
>
> --
> Michael Gmelin
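Point (c) in the quoted thread is that an HTTPS client which performs no peer-certificate or hostname check looks, from the caller's side, exactly like one that does, and the patch under discussion adds peer verification, hostname checking and client certificates. The Python below is an added example written for this page; it is not libfetch code and not Michael Gmelin's patch. It builds the three client configurations the thread distinguishes (no checks at all, chain validation without hostname matching, full verification with an optional client certificate) using the standard library ssl module, and audits a context for the checks it would skip. The CA bundle and client certificate paths are assumed parameters, not values from the page.

```python
import socket
import ssl
from typing import List, Optional


def unverified_context() -> ssl.SSLContext:
    """The behaviour the thread complains about: TLS is negotiated, but the
    peer's certificate is never validated, so any endpoint is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def chain_only_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """A common half-fix: the chain is validated against a CA store, but the
    certificate is never matched to the requested host, so any certificate
    issued by a trusted CA is accepted for any server."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED
    ctx.check_hostname = False
    return ctx


def hardened_context(ca_file: Optional[str] = None,
                     client_cert: Optional[str] = None,
                     client_key: Optional[str] = None) -> ssl.SSLContext:
    """What the patch aims for: peer verification, hostname checking and an
    optional client certificate for the bidirectional case. The paths are
    assumed parameters for this example; a private CA bundle goes in ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # create_default_context already sets these two; they are restated so the
    # intent is visible at the call site rather than implied by a default.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert is not None:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the checks a context would skip; an empty list means it both
    verifies the peer chain and matches the certificate to the hostname."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def open_verified_connection(host: str, port: int,
                             ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Connect with the given context. server_hostname is what the hostname
    check compares against; with hardened_context() a mismatch raises
    ssl.SSLCertVerificationError instead of silently succeeding. Needs network
    access, so it is not exercised offline."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```

audit_context(unverified_context()) reports both missing checks, audit_context(chain_only_context()) reports only the missing hostname check, and audit_context(hardened_context()) reports nothing. The middle case is the one worth remembering: validating the chain alone still lets any certificate from a trusted CA stand in for the host you asked for, which is why the thread lists hostname checking as a separate item from peer verification.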