Switching `pkg` to HTTPS by default

Baptiste Daroussin bapt at FreeBSD.org
Fri Sep 11 14:22:25 UTC 2020


On Fri, Sep 11, 2020 at 04:14:57PM +0200, Baptiste Daroussin wrote:
> On Fri, Sep 11, 2020 at 11:11:37PM +0930, Andrew Savchenko wrote:
> > Hello,
> > 
> > I have added the following snippet under the 
> > /usr/local/etc/pkg/repos/FreeBSD.conf:
> > 
> > ```
> > FreeBSD: {
> >   url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
> >   mirror_type: "srv",
> >   signature_type: "fingerprints",
> >   fingerprints: "/usr/share/keys/pkg",
> >   enabled: yes
> > }
> > ```
> > 
> > Note the "https" part of the address. Regardless, `pkg` continued fetching 
> > binaries over unencrypted http. I had to change the /etc/pkg/FreeBSD.conf for 
> > this to have any effect.
> 
> This discussion has happened many times in the past. Regarding the pkg repository,
> https does not bring much, as everything is signed and checked against checksums.
> 
> That said, the point of not having https by default is only related to the fact
> that by default there is no CAROOT, so no way to validate the certificates in
> base, so the bootstrap will fail.
> 
> Note that this is doable now in CURRENT.

Sorry, I completely misread your report.

Yes, this is a bug; I will look into it.

What does pkg -vv tell you?

Best regards,
Bapt
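Added example (not part of the original message, and not code from pkg): following the `pkg -vv` question above, a check of whether an https override such as the one in /usr/local/etc/pkg/repos/FreeBSD.conf actually reached the effective configuration. The sample output is constructed, its layout is an assumption about what `pkg -vv` prints, and the function names `sample_pkg_vv` and `insecure_repos` are hypothetical.

```shell
#!/bin/sh
# Added example: list enabled repositories that pkg would still fetch over
# plain HTTP, based on the effective configuration printed by `pkg -vv`.

# Constructed sample in the layout assumed for the "Repositories:" section of
# `pkg -vv` output; the ABI string and the "internal"/"old" repos are made up.
sample_pkg_vv() {
cat <<'EOF'
ABI = "FreeBSD:12:amd64";
Repositories:
  FreeBSD: {
    url             : "pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly",
    enabled         : yes,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }
  internal: {
    url             : "https://pkg.example.org/FreeBSD:12:amd64",
    enabled         : yes
  }
  old: {
    url             : "http://pkg.example.org/old",
    enabled         : no
  }
EOF
}

# Reads `pkg -vv` output on stdin; prints "NAME URL" for each enabled
# repository whose URL scheme is http or pkg+http.
insecure_repos() {
  awk '
    /^Repositories:/ { in_repos = 1; next }
    !in_repos        { next }
    NF == 2 && $2 == "{" && $1 ~ /:$/ {       # repository header "NAME: {"
      name = $1; sub(/:$/, "", name); url = ""; enabled = ""; next
    }
    $1 == "url" && $2 == ":"     { url = $3; gsub(/[",]/, "", url) }
    $1 == "enabled" && $2 == ":" { enabled = $3; gsub(/,/, "", enabled) }
    $1 == "}" {                               # end of block: decide
      if (name != "" && enabled == "yes" && url ~ /^(pkg[+])?http:\/\//)
        print name, url
      name = ""
    }
  '
}

sample_pkg_vv | insecure_repos
```

On a live system the same function reads the real output with `pkg -vv | insecure_repos`; an empty result means no enabled repository is configured for plain HTTP.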