Re: packages, libfetch, and SSL
- From: "Adrian Chadd" <adrian@xxxxxxxxxxx>
- Date: Mon, 22 Oct 2007 10:07:33 +0800
On 21/10/2007, David E. Thiel <lx@xxxxxxxxxxx> wrote:
The lowest-impact way to fix this, I think, is to use SSL for pkg_adds.
There are a couple of things that would need to change to make this
happen.
You can't (easily) cache data over SSL. Well, you can't use a HTTP
proxy that doesn't break the SSL conversation and cache the updates.
As someone who occasionally makes sure that distribution updates
through a Squid proxy actually caches said updates, I'd really prefer
you didn't stick package contents behind SSL.
Now, we could take another approach of PGP-signing packages instead, but
all the efforts I've seen to integrate PGP with the package management
system in the past haven't gone anywhere. The changes above seem to be
a bit more trivial than inventing a package-signing infrastructure and
putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign
packages and having a baked-in key would work as well.
Considering its a solved problem (mostly!) in other distributions, and
their updates are very cachable, why not do this?
Adrian
--
Adrian Chadd - adrian@xxxxxxxxxxx
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: packages, libfetch, and SSL
- From: David E. Thiel
- Re: packages, libfetch, and SSL
- References:
- packages, libfetch, and SSL
- From: David E. Thiel
- packages, libfetch, and SSL
- Prev by Date: auditpipe leak?
- Next by Date: Re: packages, libfetch, and SSL
- Previous by thread: packages, libfetch, and SSL
- Next by thread: Re: packages, libfetch, and SSL
- Index(es):
Relevant Pages
|
|
