[Bug 260019] net/foreman-proxy: update to 3.0.1
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 260019] net/foreman-proxy: update to 3.0.1"
Date: Wed, 01 Dec 2021 02:31:57 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260019

Jason Unovitch <junovitch@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |junovitch@freebsd.org

--- Comment #2 from Jason Unovitch <junovitch@freebsd.org> ---
(In reply to Frank Wall from comment #0)

Hi Frank, thanks for picking up where PR 253008 left off.

I'm speaking for myself on this one and am not tracking the most recent commit policy, but we don't need to pull in systemd for this. My patch added in the PR for the 2.2.3 to 2.3.5 update includes a patch file to revert the callback in theforeman/smart-proxy@99e9e5bf5843 which introduced the new dependency on the sd_notify Rubygem port. I can't find clear guidance in the handbook on what we do for this just now, but we can patch it out until the upstream code is more agnostic to the *nix implementation it's on.

Visual inspection of the patch looks mostly good, but I do have one alibi putting the security hat on: why do we need to patch lib/proxy/http_download.rb to include a "verify_server_cert = false" line? There would be implications if there is an adversary performing a MITM, so this is a portion of the suggested patch that I am hesitant on without further understanding of what it means at runtime.

For the rest of the patch, if you have tested and run it I'm good myself and we'll just need an active/current committer to pick this up. I'll be traveling for a job until the new year and limited on things, but am glad to discuss regarding the verify_server_cert pending your feedback.

Thanks again!

-- 
You are receiving this mail because:
You are the assignee for the bug.
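The comment above questions a "verify_server_cert = false" line without saying what the flag does at runtime. The following is an added, constructed Ruby example (not smart-proxy's lib/proxy/http_download.rb, whose implementation is not shown on this page) that illustrates the runtime meaning such a flag would usually have in a Ruby HTTPS downloader: it maps the flag onto Net::HTTP's verify_mode, and it checks two self-signed certificates against a trust store offline, to show that with verification disabled a certificate minted by an on-path attacker is accepted exactly like the legitimate one. The names verify_server_cert, build_https_client and server_cert_acceptable? are assumptions for this example.

```ruby
require "net/http"
require "openssl"
require "uri"

# Build a Net::HTTP client the way a downloader typically would. The
# verify_server_cert keyword is a hypothetical flag for this example; it is
# not smart-proxy's own API.
def build_https_client(uri, verify_server_cert: true, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == "https")
  if verify_server_cert
    # VERIFY_PEER makes the TLS handshake fail unless the server's chain
    # validates against the trust store (and Net::HTTP also checks the
    # hostname). This authenticates the server, not just encrypts the link.
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = ca_file if ca_file
  else
    # VERIFY_NONE accepts any certificate at all, including one presented by
    # an adversary in the path, so the download is encrypted to whoever is
    # answering, with no guarantee of who that is.
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  http
end

# Mint a self-signed certificate for the given CN. Used only to construct
# sample input for the offline check below.
def self_signed_cert(cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.new([["CN", cn]])
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign, digitalSignature", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Decide whether a presented server certificate would be accepted, mirroring
# what the two verify_mode settings do during the handshake. With the flag
# off, nothing about the certificate is examined at all.
def server_cert_acceptable?(presented_cert, trusted_ca_cert, verify_server_cert: true)
  return true unless verify_server_cert
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca_cert)
  store.verify(presented_cert)
end

if __FILE__ == $0
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = self_signed_cert("legit-download-server", ca_key)       # constructed trusted cert
  mitm_key = OpenSSL::PKey::RSA.new(2048)
  mitm_cert = self_signed_cert("legit-download-server", mitm_key)    # constructed attacker cert, same CN
  [true, false].each do |flag|
    puts "verify_server_cert=#{flag}: legit accepted=#{server_cert_acceptable?(ca_cert, ca_cert, verify_server_cert: flag)}, " \
         "attacker accepted=#{server_cert_acceptable?(mitm_cert, ca_cert, verify_server_cert: flag)}"
  end
end
```

The attacker's certificate carries the same CN as the legitimate one, so a hostname check alone would not help; only chain validation against the trust store distinguishes them, and that is precisely what VERIFY_NONE switches off. If a download target really does use a private CA, the fix is to point ca_file at that CA rather than disabling verification.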