[Bug 260019] net/foreman-proxy: update to 3.0.1

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260019

Jason Unovitch <junovitch@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |junovitch@freebsd.org

--- Comment #2 from Jason Unovitch <junovitch@freebsd.org> ---
(In reply to Frank Wall from comment #0)

Hi Frank, thanks for picking up where PR 253008 left off. I'm speaking for
myself on this one and am not tracking the most recent commit policy, but we
don't need to pull in systemd for this. My patch added in PR for the 2.2.3 to
2.3.5 update includes a patch file to revert the callback in
theforeman/smart-proxy@99e9e5bf5843 which introduced the new dependency on the
sd_notify Rubygem port. I can't find clear guidance in the handbook on what we
do for this just now but we can patch it out until the upstream code is more
agnostic to *nix implementation it's on.

Visual inspection of the patch looks mostly good but I do have one alibi
putting the security hat on, why do we need to patch lib/proxy/http_download.rb
to include a "verify_server_cert = false" line? There would be implications if
there is an adversary performing a MITM including this suggested portion of the
patch that I am hesitant on without further understanding of what it means at
runtime. For the rest of the patch if you have tested and run it I'm good
myself and we'll just need an active/current committer to pick this up.

I'll be traveling for a job until the new year and limited on things but am
glad to discuss regarding the verify_server_cert pending your feedback. Thanks
again!

-- 
You are receiving this mail because:
You are the assignee for the bug.