Re: packages, libfetch, and SSL
- From: "David E. Thiel" <lx@xxxxxxxxxxx>
- Date: Sun, 21 Oct 2007 20:28:19 -0700
On Mon, Oct 22, 2007 at 10:07:33AM +0800, Adrian Chadd wrote:
You can't (easily) cache data over SSL. Well, you can't use a HTTP
proxy that doesn't break the SSL conversation and cache the updates.
As someone who occasionally makes sure that distribution updates
through a Squid proxy actually caches said updates, I'd really prefer
you didn't stick package contents behind SSL.
Fair enough.
Now, we could take another approach of PGP-signing packages instead, but
all the efforts I've seen to integrate PGP with the package management
system in the past haven't gone anywhere. The changes above seem to be
a bit more trivial than inventing a package-signing infrastructure and
putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign
packages and having a baked-in key would work as well.
Considering its a solved problem (mostly!) in other distributions, and
their updates are very cachable, why not do this?
Sounds fine to me - I'll take a closer look at this. I'd still like
to see the root CA certs merged into base so libfetch can be fixed.
Does anyone object to just using the ones currently provided by the
ca_root_nss port?
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: packages, libfetch, and SSL
- From: Peter Jeremy
- Re: packages, libfetch, and SSL
- From: Brooks Davis
- Re: packages, libfetch, and SSL
- References:
- packages, libfetch, and SSL
- From: David E. Thiel
- Re: packages, libfetch, and SSL
- From: Adrian Chadd
- packages, libfetch, and SSL
- Prev by Date: Re: packages, libfetch, and SSL
- Next by Date: Re: packages, libfetch, and SSL
- Previous by thread: Re: packages, libfetch, and SSL
- Next by thread: Re: packages, libfetch, and SSL
- Index(es):
Relevant Pages
|
