packages, libfetch, and SSL

Adrian Chadd adrian at freebsd.org
Sun Oct 21 19:34:21 PDT 2007


On 21/10/2007, David E. Thiel <lx at freebsd.org> wrote:
>
> The lowest-impact way to fix this, I think, is to use SSL for pkg_adds.
> There are a couple of things that would need to change to make this
> happen.

You can't (easily) cache data over SSL. Well, you can't use an HTTP
proxy that doesn't break the SSL conversation and cache the updates.

As someone who occasionally makes sure that distribution updates
through a Squid proxy actually caches said updates, I'd really prefer
you didn't stick package contents behind SSL.

> Now, we could take another approach of PGP-signing packages instead, but
> all the efforts I've seen to integrate PGP with the package management
> system in the past haven't gone anywhere. The changes above seem to be
> a bit more trivial than inventing a package-signing infrastructure and
> putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign
> packages and having a baked-in key would work as well.

Considering it's a solved problem (mostly!) in other distributions, and
their updates are very cachable, why not do this?




Adrian


-- 
Adrian Chadd - adrian at freebsd.org

