packages, libfetch, and SSL

David E. Thiel lx at
Sun Oct 21 20:28:03 PDT 2007

On Mon, Oct 22, 2007 at 10:07:33AM +0800, Adrian Chadd wrote:
> You can't (easily) cache data over SSL. Well, you can't use a HTTP
> proxy that doesn't break the SSL conversation and cache the updates.
> As someone who occasionally makes sure that distribution updates
> through a Squid proxy actually caches said updates, I'd really prefer
> you didn't stick package contents behind SSL.

Fair enough.

> > Now, we could take another approach of PGP-signing packages instead, but
> > all the efforts I've seen to integrate PGP with the package management
> > system in the past haven't gone anywhere. The changes above seem to be
> > a bit more trivial than inventing a package-signing infrastructure and
> > putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign
> > packages and having a baked-in key would work as well.
> Considering its a solved problem (mostly!) in other distributions, and
> their updates are very cachable, why not do this?

Sounds fine to me - I'll take a closer look at this. I'd still like
to see the root CA certs merged into base so libfetch can be fixed.
Does anyone object to just using the ones currently provided by the
ca_root_nss port?

More information about the freebsd-hackers mailing list