On 12/20/2015 02:28 PM, Gordon Messmer wrote:
> On 12/20/2015 10:10 AM, Alice Wonder wrote:
>> Yes, but I've run into instances where curl does not work for https -
>> for example I believe if an ECDSA TLS certificate is being used on the
>> server, curl doesn't work. Not sure about wget.
> Why do you think the solution is to make yum behave well when there's
> malicious data in /etc, rather than updating rpm/curl to properly
> support https so that it doesn't get there?
It's a validation step.
Even with https - fraudulently signed certificates are still a problem,
as well as the issue of there not being any RFC stating what certificate
authorities must be trusted.
So if a server serves an RPM over https - it has to be with a
certificate signed by an authority trusted by the client. There's no way to
guarantee that.
DNSSEC validation doesn't have that issue.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos