Issue #4928 has been updated by Sandor Szücs. File pkg_provider_pkgdmg_with_fb.diff added
Nigel Kersten wrote: > What about an alternative that tries the secure path first, provides a > deprecation warning if it fails, and falls back to the insecure path until > the next major version? I am ok with a fallback approach. I think we do not need a deprecation, but people should be aware of security. > I don't really want to add another parameter to the package provider just for > this case. First I thought that would be a good option, but I think you are right. I implemented a Fallback approach. What do you think about? Thanks for comments, all the best Sandor ---------------------------------------- Feature #4928: SSL cert check for pkgdmg package provider http://projects.puppetlabs.com/issues/4928 Author: Sandor Szücs Status: Needs more information Priority: Normal Assignee: Nigel Kersten Category: OSX Target version: Affected version: Keywords: pkgdmg package provider ssl Branch: The curl option -k is used in order to download a source file using the pkgdmg package provider. This can be attacked by men-in-the-middle. In order to defend from mitm you have to validate certs with curl. Puppet has :certdir and :localcert configuration that you can use with curl. The patch provided fix this issue. I have tested it with a patched 0.25.4 puppet installation on Mac OSX 10.6.4. 0.25.x, 2.6.x and development HEAD are effected to this, possibly versions <0.25 are effected, too. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
