On Tue, 13 Dec 2016 17:24:03 -0500
Colin Walters <walters(a)verbum.org> wrote:
Did we lose TLS-authenticated access to the pkg git?
Nope. It just changed.
now redirects http/https to
which is behind our proxies and uses a well known
I see on the cgit webpage:
It only offers anonymous transports without integrity (http://,
We missed fixing this when we made changes Sunday night.
Oops. Thanks for pointing it out.
I have now done so, and it should only offer https://
Specifically for the CentOS Atomic Host SIG builds we
go out of our way to use ca-pinning:
However, this broke, and I am not immediately working out
the apparent cyclical redirects between src.fp.org
$ curl -L -v -k
< HTTP/1.1 302 Found
< Location:
HTTP/1.1 404 Not Found
 Because I think CA pinning + GPG signatures on upstream source
is stronger and better than having humans manually upload
pkgs redirects http/https to src.fedoraproject.org
You should use https://src.fedoraproject.org/
and its well-known cert
now. (It's our digicert wildcard cert)
If you see anything else broken, please do let us know...
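
The two redirect problems raised in this thread (hops offered over plain http:// and the apparent cyclical redirects) can be checked mechanically over captured `curl -v` output before a pinned fetch is trusted. This is an added example, not part of the original messages; the host names, paths and function names are constructed stand-ins.

```shell
#!/bin/sh
# Added example; hosts, paths and function names are constructed stand-ins.
# stdin: response headers as printed by `curl -v`. $1: space-separated host allowlist.
# Prints one verdict (ok | downgrade | foreign-host | loop); returns 0 only for ok.
audit_redirects() {
    allowed=" $1 "
    seen=" "
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')      # header lines end in CR
        case $line in
            "< Location: "*|"< location: "*) url=${line#*: } ;;
            *) continue ;;
        esac
        case $url in *://*) ;; *) continue ;; esac    # relative: same origin
        scheme=${url%%://*}
        rest=${url#*://}
        host=${rest%%/*}
        host=${host%%:*}                              # drop any :port
        # A plain-http hop has no integrity, so CA pinning no longer covers it.
        [ "$scheme" = https ] || { echo downgrade; return 1; }
        case $allowed in
            *" $host "*) ;;
            *) echo foreign-host; return 1 ;;
        esac
        # The same target appearing twice means the chain never terminates.
        case $seen in
            *" $url "*) echo loop; return 1 ;;
        esac
        seen="$seen$url "
    done
    echo ok
}

# Constructed sample: an https hop followed by a plain-http hop.
sample_downgrade() {
    printf '%s\r\n' '< HTTP/1.1 302 Found' \
        '< Location: https://src.example.org/cgit/demo.git' \
        '< HTTP/1.1 302 Found' \
        '< Location: http://pkgs.example.org/cgit/demo.git'
}
# Constructed sample: two hosts redirecting to each other.
sample_loop() {
    printf '%s\r\n' '< HTTP/1.1 302 Found' \
        '< Location: https://src.example.org/git/demo.git' \
        '< Location: https://pkgs.example.org/git/demo.git' \
        '< Location: https://src.example.org/git/demo.git'
}

sample_loop | audit_redirects "src.example.org pkgs.example.org" || true
```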