On 01/25, m...@netbsd.org wrote:
> On Sat, Jan 25, 2020 at 01:34:34AM +0100, yarl-bau...@mailoo.org wrote:
> > May I ask how safe the use of pkgsrc binary packages is, for example
> > using pkgin. Does libfetch do fine with https? Any thoughts?
> > 
> > Is the authenticity and integrity of packages installed this way
> > guaranteed, assuming no bugs in the software involved?
> 
> No.

Wow!  That's surprising.  Can you explain why?

I understand that the binary packages are not digitally signed, but if
the binary repo is served over HTTPS, as long as the repo has not been
compromised, the integrity and authenticity are guaranteed, no?

Or as the OP asked, is pkgin not actually validating the server's SSL
certificate?  That would be terrible if it's silently behaving that way.
If it can't handle HTTPS properly, it should refuse to use the URL.
Anyway, I would be very surprised if this is what's going on, so I'm
just asking to understand better.

Thank you!

Lewis
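
The thread turns on one concrete property: whether the HTTPS client that fetches packages actually validates the server's certificate, or silently accepts whatever it is handed. The following is an added example, not code from the thread, from pkgin or from libfetch. It uses only the Go standard library and a constructed local HTTPS "repository" with a self-signed certificate (generated by httptest) to show what the three possible client behaviours look like: a verifying client with no trust in that certificate must refuse to download, a client with verification disabled "succeeds" and therefore cannot tell a real repo from an interposed one, and a client that has the repository's CA pinned succeeds legitimately. The placeholder index body and the helper names are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newRepo starts a local HTTPS "package repository" whose certificate is
// self-signed (constructed by httptest for this example; not a real repo).
func newRepo() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed sample index content, not real pkgsrc data.
		io.WriteString(w, "pkg_summary.gz placeholder\n")
	}))
}

// fetch performs a GET with the given client and returns the body.
// A client that validates certificates must return an error here unless
// it trusts the repository's certificate chain.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// strictClient validates against the system trust store only; it has no
// reason to trust the self-signed repo certificate.
func strictClient() *http.Client { return &http.Client{} }

// insecureClient disables certificate validation. This is the "silently
// accepting" behaviour the thread worries about: any server that can
// answer on the wire is accepted.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// trustingClient validates normally but pins the repository's own CA
// certificate, which is how a self-hosted repo should be trusted.
func trustingClient(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// Outcome records how each client configuration behaved.
type Outcome struct {
	StrictRejected   bool   // default client refused the untrusted cert
	InsecureAccepted bool   // InsecureSkipVerify accepted it without complaint
	TrustedAccepted  bool   // client with the repo CA pinned accepted it
	Body             string // body returned to the trusting client
}

// RunCheck exercises all three clients against the constructed repo.
func RunCheck() Outcome {
	srv := newRepo()
	defer srv.Close()

	var out Outcome
	_, err := fetch(strictClient(), srv.URL)
	out.StrictRejected = err != nil

	_, err = fetch(insecureClient(), srv.URL)
	out.InsecureAccepted = err == nil

	body, err := fetch(trustingClient(srv.Certificate()), srv.URL)
	out.TrustedAccepted = err == nil
	out.Body = body
	return out
}

func main() {
	o := RunCheck()
	fmt.Printf("strict client rejected untrusted cert: %v\n", o.StrictRejected)
	fmt.Printf("insecure client accepted it anyway:    %v\n", o.InsecureAccepted)
	fmt.Printf("client with repo CA pinned accepted:   %v\n", o.TrustedAccepted)
}
```

The point the example makes for the question in the thread: transport security only helps if the client behaves like `strictClient` or `trustingClient`; a fetcher behaving like `insecureClient` provides no authenticity guarantee at all, and, as Lewis notes, the honest behaviour for a client that cannot validate is to refuse the URL. Even with validation, HTTPS authenticates the server, not the package contents, so a compromised repository still serves whatever it holds.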
