bsd.sites.mk: Do we prefer http or https (or both)

Adam Weinberger adamw at adamw.org
Sat Mar 11 21:25:18 UTC 2017


> On 11 Mar, 2017, at 12:53, Adam Weinberger <adamw at adamw.org> wrote:
> 
>> On 11 Mar, 2017, at 12:29, Tijl Coosemans <tijl at freebsd.org> wrote:
>> 
>> On Sat, 11 Mar 2017 10:18:18 -0700 Adam Weinberger <adamw at adamw.org>
>> wrote:
>>> On 11 Mar, 2017, at 10:13, Tijl Coosemans <tijl at FreeBSD.org> wrote:
>>>> On Sat, 11 Mar 2017 12:18:51 +0000 (UTC) jbeich at freebsd.org (Jan
>>>> Beich) wrote:  
>>>>> Tijl Coosemans <tijl at FreeBSD.org> writes:  
>>>>>> On Sat, 11 Mar 2017 10:53:01 +0100 (CET) Gerald Pfeifer
>>>>>> <gerald at pfeifer.com> wrote:  
>>>>>>> As some of you may have seen, I have done a bit of work on
>>>>>>> bsd.sites.mk recently.
>>>>>>> 
>>>>>>> One question I ran into:  If a site offers both HTTPS and HTTP, 
>>>>>>> which of the two do we prefer?  (Or do we want to list both?)    
>>>>>> 
>>>>>> https first for people that run 'make makesum'.    
>>>>> 
>>>>> It was made MITM-friendly some time ago.
>>>>> 
>>>>> https://svnweb.freebsd.org/changeset/ports/324051  
>>>> 
>>>> Ugh, can portmgr approve the attached
>>>> patch? <fetchenv.patch>
>>> 
>>> If distfiles from sites with invalid certificates won't fetch for
>>> end-users, they won't fetch during makesum either.
>> 
>> - Given that web browsers have become much less forgiving about such
>> certificates this is probably much less of a problem nowadays.
>> - Possibly, many of these errors are because users forgot to install
>> ca_root_nss.  We can hold port maintainers to a higher standard and
>> expect them to have this installed.
>> - Such sites should perhaps be removed from MASTER_SITES.  If that's not
>> possible FETCH_ENV can be set in the port Makefile.
> 
> I don't disagree with any point. Do you want to submit a PR so that an exp-run of sorts can see how many distfiles we're talking about?

Antoine reminded me that this only affects makesum, so I guess there's really no way of telling what ports this would affect. Either way, your reasoning is sound and you've convinced me. I'm good with this change; as you said, worst-case scenario, ports with broken MASTER_SITES can override FETCH_ENV or a toggle can be added.

# Adam


-- 
Adam Weinberger
adamw at adamw.org
https://www.adamw.org


