src.fedoraproject.org vs pkgs.fedoraproject.org and TLS

2016-12-13 Thread Colin Walters
Did we lose TLS-authenticated access to the pkg git?

I see on the cgit webpage:
https://src.fedoraproject.org/cgit/rpms/golang-googlecode-go-crypto.git/
It only offers anonymous transports without integrity (http://, git://).

Specifically for the CentOS Atomic Host SIG builds we
go out of our way to use ca-pinning[1]:

https://github.com/CentOS/sig-atomic-buildscripts/blob/master/overlay.yml#L13

However, this broke, and I am not immediately working out
the apparent cyclical redirects between src.fp.org and pkgs.fp.org.

Trying e.g.:

$ curl -L -v -k https://pkgs.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
< HTTP/1.1 302 Found
< Location: https://src.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
< HTTP/1.1 404 Not Found

[1] Because I think CA pinning + GPG signatures on upstream source
  is stronger and better than having humans manually upload tarballs
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
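
The redirect chain in the curl output above can be checked mechanically. The following is an added example, not part of the original message: it parses `curl -L -v` response headers and flags hops without TLS, hosts outside an allowlist, redirect loops and a failing final status. The function names, the allowlist and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: header lines in the shape `curl -L -v` prints them,
# modelled on the output quoted in the message above.
SAMPLE = """\
> GET /git/rpms/golang-googlecode-go-crypto/ HTTP/1.1
< HTTP/1.1 302 Found
< Location: https://src.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
< HTTP/1.1 404 Not Found
"""

STATUS = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")
LOCATION = re.compile(r"^< location:\s*(\S+)", re.IGNORECASE)

def parse_hops(verbose_output):
    """Return [(status, location_or_None), ...], one entry per response."""
    hops = []
    for line in verbose_output.splitlines():
        m = STATUS.match(line)
        if m:
            hops.append((int(m.group(1)), None))
            continue
        m = LOCATION.match(line)
        if m and hops:
            hops[-1] = (hops[-1][0], m.group(1))
    return hops

def audit_chain(start_url, verbose_output, allowed_hosts):
    """Walk the chain; report loops, a failing final status, bad schemes/hosts."""
    findings, visited, url = [], [], start_url
    for status, location in parse_hops(verbose_output):
        if url in visited:
            findings.append(f"redirect loop at {url}")
            break
        visited.append(url)
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # Location may be relative
        elif status >= 400:
            findings.append(f"final status {status} for {url}")
    for u in dict.fromkeys(visited + [url]):  # each distinct URL once, in order
        parts = urlsplit(u)
        if parts.scheme != "https":
            findings.append(f"no transport integrity: {u}")
        if parts.hostname not in allowed_hosts:
            findings.append(f"unexpected host: {parts.hostname}")
    return url, findings
```
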


Re: src.fedoraproject.org vs pkgs.fedoraproject.org and TLS

2016-12-13 Thread Kevin Fenzi
On Tue, 13 Dec 2016 17:24:03 -0500
Colin Walters wrote:

> Did we lose TLS-authenticated access to the pkg git?

Nope. It just changed.
pkgs.fedoraproject.org now redirects http/https to
src.fedoraproject.org which is behind our proxies and uses a well-known
cert.

> I see on the cgit webpage:
> https://src.fedoraproject.org/cgit/rpms/golang-googlecode-go-crypto.git/
> It only offers anonymous transports without integrity (http://,
> git://).

We missed fixing this when we made changes Sunday night.
Oops. Thanks for pointing it out.

I have now done so, and it should only offer https://
 
> Specifically for the CentOS Atomic Host SIG builds we
> go out of our way to use ca-pinning[1]:
> 
> https://github.com/CentOS/sig-atomic-buildscripts/blob/master/overlay.yml#L13
> 
> However, this broke, and I am not immediately working out
> the apparent cyclical redirects between src.fp.org and pkgs.fp.org.
> 
> Trying e.g.:
> 
> $ curl -L -v -k https://pkgs.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
> < HTTP/1.1 302 Found
> < Location: https://src.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
> < HTTP/1.1 404 Not Found
> 
> [1] Because I think CA pinning + GPG signatures on upstream source
>   is stronger and better than having humans manually upload
> tarballs 

pkgs redirects http/https to src.fedoraproject.org. 

You should use https://src.fedoraproject.org/ and its well-known cert
now. (It's our digicert wildcard cert)

If you see anything else broken, please do let us know... 

kevin




Re: src.fedoraproject.org vs pkgs.fedoraproject.org and TLS

2016-12-14 Thread Colin Walters


On Tue, Dec 13, 2016, at 11:23 PM, Kevin Fenzi wrote:
>
> We missed fixing this when we made changes Sunday night.
> Oops. Thanks for pointing it out.
> 
> I have now done so, and it should only offer https://

It works now, thanks!

https://github.com/CentOS/sig-atomic-buildscripts/pull/202