On Tue, 13 Dec 2016 17:24:03 -0500
Colin Walters <walters(a)verbum.org> wrote:
> Did we lose TLS-authenticated access to the pkg git?

Nope. It just changed.

pkgs.fedoraproject.org now redirects http/https to
src.fedoraproject.org, which is behind our proxies and uses a well-known
cert.

> I see on the cgit webpage:
> https://src.fedoraproject.org/cgit/rpms/golang-googlecode-go-crypto.git/
> It only offers anonymous transports without integrity (http://,
> git://).

We missed fixing this when we made changes Sunday night.
Oops. Thanks for pointing it out.

I have now done so, and it should only offer https://

> Specifically for the CentOS Atomic Host SIG builds we
> go out of our way to use ca-pinning[1]:
> https://github.com/CentOS/sig-atomic-buildscripts/blob/master/overlay.yml...
>
> However, this broke, and I am not immediately working out
> the apparent cyclical redirects between src.fp.org and pkgs.fp.org.
>
> Trying e.g.:
>
> $ curl -L -v -k https://pkgs.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
> < HTTP/1.1 302 Found
> < Location: https://src.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/
> < HTTP/1.1 404 Not Found
>
> [1] Because I think CA pinning + GPG signatures on upstream source
> is stronger and better than having humans manually upload
> tarballs

pkgs redirects http/https to src.fedoraproject.org.

You should use https://src.fedoraproject.org/ and its well-known cert
now. (It's our DigiCert wildcard cert.)

If you see anything else broken, please do let us know...

kevin
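
Added example, not part of the original thread and not Fedora or CentOS code: the two checks discussed above (advertised clone URLs without transport integrity, and a redirect chain that loops, leaves HTTPS, or ends in an error), run over recorded responses. The host allowlist, the function names and the sample data are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: the only hosts this build may fetch sources from.
ALLOWED_HOSTS = {"pkgs.fedoraproject.org", "src.fedoraproject.org"}
INSECURE_SCHEMES = {"http", "git"}  # transports without integrity
REDIRECTS = {301, 302, 303, 307, 308}


def insecure_clone_urls(urls):
    """Return the advertised clone URLs that lack transport integrity."""
    return [u for u in urls if urlsplit(u).scheme in INSECURE_SCHEMES]


def audit_redirects(start, responses, max_hops=5):
    """Walk a recorded redirect chain; return (final_url, problems).

    responses maps URL -> (status, Location or None). In a real check it
    is filled by requests made with certificate verification enabled
    against the pinned CA bundle.
    """
    problems, seen, url = [], set(), start
    for _ in range(max_hops + 1):
        if url in seen:
            problems.append(f"redirect loop at {url}")
            return url, problems
        seen.add(url)
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"non-https hop {url}")
        if parts.hostname not in ALLOWED_HOSTS:
            problems.append(f"unexpected host {url}")
        status, location = responses.get(url, (None, None))
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        if status != 200:
            problems.append(f"final status {status} for {url}")
        return url, problems
    problems.append(f"more than {max_hops} redirects")
    return url, problems


# Constructed sample modelled on the curl output quoted in the thread.
PKGS = "https://pkgs.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/"
SRC = "https://src.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/"
SAMPLE = {PKGS: (302, SRC), SRC: (404, None)}

if __name__ == "__main__":
    print(audit_redirects(PKGS, SAMPLE))
```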