pkgsrc-Users archive
validation of https in libfetch: perhaps coming soon to 2023Q4 as a pullup
Over on tech-pkg we have been discussing (at greater length than perhaps
should have been necessary, in part due to me trying to deal with the
branch, this, and non-computer things):

  - changing pkgsrc so that

        pkg_add https://some.server/some/path/some-package.tar.gz

    will do certificate validation, meaning expecting a certificate with
    the right name, not expired, signed by a CA configured as a trust
    anchor in the system. Nothing tricky or odd, just "actually validate"

  - applying that change to the 2023Q4 branch

  - mostly, limited to NetBSD 10 and up
Taylor has done all the work.
The overall rationale is:

  - package fetches should validate as a security mechanism to help guard
    against malware

  - NetBSD 10 now configures trust anchors in the base system, so this is
    feasible

  - This is a bugfix, as libfetch probably always should have validated.
    https fetches done by libfetch should be validated regardless of the
    caller. https is simply a protocol that expects validation.

  - It's ok to pull the bugfix up to the branch.

  - Maybe we should not impose the bugfix, because it changes behavior,
    on users of other than NetBSD >= 10.

  - Because there's an env var to set to opt out of validation, it won't
    really cause anyone any real trouble.

This leaves for a possible/likely future change:

  - Make libfetch refuse to follow https to http redirects.
So, assuming:

  - the change lands in pkgsrc-current soon

  - after a bit we'll pull it up to the branch

then we have a choice:

  1) ifdef it so that it only applies (on the branch) to NetBSD >= 10

  2) don't ifdef it, so it applies to all platforms.
Earlier I wanted 1, so that we'd have limited changes. I have come to
see it as a bugfix with an easy opt out, so that makes me want to just
rip the bandaid off and fix the bug.
So, if you use the stable branch on other than NetBSD 10 and you fetch
packages over https, or anything else with libfetch, do you:

  - fetch from places with valid certs, and so this is fine?
    Note that valid is with respect to the trust anchors you have configured!

  - fetch from places without valid certs, but if you set the env var it
    won't validate, so you are ok with it?

  - fetch from places without valid certs, but setting the env var in
    your world as a change during the branch is painful, so you are not ok
    with this?
I hope this made sense; please speak up if turning on https validation
for all systems, with an env var to opt out, is going to cause you
trouble.
Greg
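The behaviour the message asks for, as an added example that is not part of the original post and not libfetch's or pkgsrc's code: a small Python fetcher that validates https by default (chain against the system trust anchors, expiry, and hostname), honours an opt-out environment variable, and refuses the https-to-http redirect mentioned as a likely follow-up. Python is used here only because it demonstrates the policy offline; the real change is in libfetch (C). The variable name EXAMPLE_FETCH_NO_VERIFY is an assumption, since the message does not name libfetch's opt-out variable, and the URLs in the usage line are placeholders.

```python
"""Added example (not libfetch): validate https by default, allow an
environment-variable opt-out, and refuse https -> http redirects."""
import os
import ssl
import http.client
from urllib.parse import urlparse, urljoin

# Hypothetical opt-out variable; the list message does not name libfetch's.
NO_VERIFY_ENV = "EXAMPLE_FETCH_NO_VERIFY"


def make_ssl_context(environ=os.environ):
    """Build the TLS policy. create_default_context() loads the system
    trust anchors and sets CERT_REQUIRED plus check_hostname, which covers
    "right name, not expired, signed by a configured CA". Only an explicit
    opt-out turns that off. check_hostname must be cleared before
    verify_mode, or Python raises ValueError."""
    ctx = ssl.create_default_context()
    if environ.get(NO_VERIFY_ENV):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx):
    """True when the context will reject an invalid certificate."""
    return ctx.verify_mode != ssl.CERT_NONE and bool(ctx.check_hostname)


def redirect_allowed(current_url, location):
    """Decide whether a redirect may be followed. Returns (ok, target).
    https -> http is a downgrade and is refused; so is any non-http(s)
    target. Relative Location headers are resolved against current_url."""
    target = urljoin(current_url, location)
    cur = urlparse(current_url).scheme.lower()
    new = urlparse(target).scheme.lower()
    if new not in ("http", "https"):
        return False, target
    if cur == "https" and new == "http":
        return False, target
    return True, target


def fetch(url, max_redirects=5, environ=os.environ):
    """GET url, following redirects only where redirect_allowed permits.
    An invalid certificate raises ssl.SSLCertVerificationError from
    getresponse()/request() unless the opt-out variable is set.
    Needs network access, so the offline checks do not call it."""
    ctx = make_ssl_context(environ)
    for _ in range(max_redirects + 1):
        u = urlparse(url)
        if u.scheme == "https":
            conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                               context=ctx)
        elif u.scheme == "http":
            conn = http.client.HTTPConnection(u.hostname, u.port or 80)
        else:
            raise ValueError("unsupported scheme: %s" % u.scheme)
        path = u.path or "/"
        if u.query:
            path += "?" + u.query
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            if resp.status in (301, 302, 303, 307, 308):
                ok, target = redirect_allowed(url,
                                              resp.getheader("Location", ""))
                if not ok:
                    raise RuntimeError("refusing redirect %s -> %s"
                                       % (url, target))
                url = target
                continue
            return resp.status, resp.read()
        finally:
            conn.close()
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    # Placeholder URL from the message; requires network to actually run.
    status, body = fetch("https://some.server/some/path/some-package.tar.gz")
    print(status, len(body))
```

With the variable unset, a wrong name, an expired certificate, or a CA that is not among the configured trust anchors all fail the fetch; with it set, anything is accepted, which is the trade-off the message describes.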