On Wed, Nov 20, 2013 at 6:44 PM, Till Maas <opensource@xxxxxxxxx> wrote:
> On Wed, Nov 20, 2013 at 11:50:17AM +0200, Ville Skyttä wrote:
>
>> I think I'll make spectool tell curl not to verify SSL certs by
>> default in the next release. If you want it already now for your local
>> spectool, do for example this: "echo --insecure >>
>> /etc/rpmdevtools/curlrc"
>
> IMHO the default should be to check certificates

I kind of guessed you'd disagree here as you didn't like the patch I added to cnucnu disabling the certificate check :)

BTW IMNSHO the certificate check should still be disabled in cnucnu as well. I don't think it makes sense to fail the entire purpose of the tool (to notify people who have subscribed to notifications about updates) because of certificate check failures (and in a silent way so that the subscribers will probably never know).

> especially since
> spectool is the usual tool to update source files in dist-git. Only if
> there is no need to check the certificate, this should be disabled.

I don't think there's any need for the connection where publicly available sources are fetched from without supplying any credentials to be encrypted in the first place. Checking the downloaded content matters, and that has nothing to do with whether the certificate of the transfer connection is expired or not or if it's issued by a trusted party or not or if it passes common name/hostname checks.

spectool is not a source verification tool nor a certificate validation one, and I'm not going to help people get the misconception that it might be something like that.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct