On Tue, 13 Dec 2016 17:24:03 -0500 Colin Walters <walters@xxxxxxxxxx> wrote:

> Did we lose TLS-authenticated access to the pkg git?

Nope. It just changed. pkgs.fedoraproject.org now redirects http/https to src.fedoraproject.org which is behind our proxies and uses a well-known cert.

> I see on the cgit webpage:
> https://src.fedoraproject.org/cgit/rpms/golang-googlecode-go-crypto.git/
> It only offers anonymous transports without integrity (http://,
> git://).

We missed fixing this when we made changes Sunday night. Oops. Thanks for pointing it out. I have now done so, and it should only offer https://

> Specifically for the CentOS Atomic Host SIG builds we
> go out of our way to use ca-pinning[1]:
>
> https://github.com/CentOS/sig-atomic-buildscripts/blob/master/overlay.yml#L13
>
> However, this broke, and I am not immediately working out
> the apparent cyclical redirects between src.fp.org and pkgs.fp.org.
>
> Trying e.g.:
>
> $ curl -L -v -k https://pkgs.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
> < HTTP/1.1 302 Found
> < Location: https://src.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
> < HTTP/1.1 404 Not Found
>
> [1] Because I think CA pinning + GPG signatures on upstream source
> is stronger and better than having humans manually upload
> tarballs

pkgs redirects http/https to src.fedoraproject.org. You should use https://src.fedoraproject.org/ and its well-known cert now. (It's our DigiCert wildcard cert)

If you see anything else broken, please do let us know...

kevin