Switching `pkg` to HTTPS by default
Baptiste Daroussin
bapt at FreeBSD.org
Fri Sep 11 14:15:03 UTC 2020
On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> Hello,
>
> I have added the following snippet under the
> /usr/local/etc/pkg/repos/FreeBSD.conf:
>
> ```
> FreeBSD: {
> url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
> mirror_type: "srv",
> signature_type: "fingerprints",
> fingerprints: "/usr/share/keys/pkg",
> enabled: yes
> }
> ```
>
> Note the "https" part of the address. Regardless, `pkg` continued fetching
> binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for
> this to have any effect.
This discussion has happened many times in the past. Regarding the pkg repository, https does not bring much, as everything is signed and checked against checksums.
That said, the point of not having https by default is only related to the fact that by default there is no CAROOT, so there is no way to validate the certificates in base, so the bootstrap will fail.
Note that this is doable now in CURRENT.
>
> Setting `VULNXML_SITE` to HTTPS in /usr/local/etc/pkg.conf worked as expected.
>
> Is this a valid bug to report over to freebsd-bugs at freebsd.org?
>
Best regards,
Bapt
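To make the "everything is signed and checked against checksums" point in the reply above concrete, here is an added example that is not from this thread and not pkg's own code. It models the trust chain of pkg's `signature_type: "fingerprints"` mode as I understand it: the fingerprints directory holds a sha256 of the repository's public key, the package catalogue is signed with the matching private key, and each package is checked against the sha256 recorded in that catalogue. Everything below is simplified and constructed: textbook RSA without padding in place of pkg's real signing, a JSON manifest in place of the real catalogue format, a Python set in place of the `/usr/share/keys/pkg/trusted` files, and fake package bytes. The four scenarios show what a plain-http on-path attacker can and cannot do against that chain.

```python
"""Toy model of the trust chain behind pkg's "fingerprints" signature_type.

Constructed example: textbook RSA (no padding, toy key sizes, seeded RNG),
a JSON manifest instead of pkg's catalogue, a set instead of the trusted
fingerprints directory. Do not reuse the crypto as-is.
"""
import hashlib
import json
import random


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin; adequate for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits: int = 512, seed: int = 1):
    """Return ((n, e), (n, d)). Seeded so the example is reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def key_fingerprint(pubkey) -> str:
    """What a file in the fingerprints directory pins: a sha256 of the public key."""
    n, e = pubkey
    return sha256_hex(f"{n}:{e}".encode())


def sign(data: bytes, privkey) -> int:
    n, d = privkey
    return pow(int(sha256_hex(data), 16), d, n)


def verify(data: bytes, sig: int, pubkey) -> bool:
    n, e = pubkey
    return pow(sig, e, n) == int(sha256_hex(data), 16)


def verify_repo(trusted, pubkey, sig, manifest: bytes, packages: dict):
    """Key fingerprint, then catalogue signature, then per-package checksum."""
    if key_fingerprint(pubkey) not in trusted:
        return False, "untrusted key"
    if not verify(manifest, sig, pubkey):
        return False, "bad signature"
    expected = json.loads(manifest)
    for name, blob in packages.items():
        if expected.get(name) != sha256_hex(blob):
            return False, f"checksum mismatch: {name}"
    return True, "ok"


PACKAGES = {  # constructed stand-ins for .txz archives
    "pkg-1.16.3.txz": b"constructed bytes of pkg-1.16.3",
    "curl-7.72.0.txz": b"constructed bytes of curl-7.72.0",
}


def make_manifest(packages: dict) -> bytes:
    return json.dumps({k: sha256_hex(v) for k, v in packages.items()}, sort_keys=True).encode()


def build_repo(seed: int = 1):
    pub, priv = generate_keypair(seed=seed)
    manifest = make_manifest(PACKAGES)
    return {key_fingerprint(pub)}, pub, sign(manifest, priv), manifest, dict(PACKAGES)


def scenario_clean():
    return verify_repo(*build_repo())


def scenario_tampered_package():
    trusted, pub, sig, manifest, pkgs = build_repo()
    pkgs["curl-7.72.0.txz"] = b"backdoored curl"  # on-path attacker swaps the archive
    return verify_repo(trusted, pub, sig, manifest, pkgs)


def scenario_tampered_manifest():
    trusted, pub, sig, _, pkgs = build_repo()
    pkgs["curl-7.72.0.txz"] = b"backdoored curl"
    return verify_repo(trusted, pub, sig, make_manifest(pkgs), pkgs)  # re-hashed, not re-signed


def scenario_attacker_key():
    trusted, _, _, _, pkgs = build_repo()
    pkgs["curl-7.72.0.txz"] = b"backdoored curl"
    apub, apriv = generate_keypair(seed=2)  # attacker signs with their own key
    manifest = make_manifest(pkgs)
    return verify_repo(trusted, apub, sign(manifest, apriv), manifest, pkgs)


if __name__ == "__main__":
    for s in (scenario_clean, scenario_tampered_package, scenario_tampered_manifest, scenario_attacker_key):
        print(f"{s.__name__}: {s()}")
```

The order of the checks is the point: a swapped package fails its checksum, a re-hashed catalogue fails the signature, and a catalogue signed by a key the attacker controls fails the fingerprint match before its signature is even looked at, which is why the locally shipped fingerprint directory, not the transport, is the trust anchor. What this model does not cover is what TLS would still add on top: an on-path observer can still see which packages are fetched, and can serve an older, validly signed catalogue, which is a freshness question rather than an integrity one.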