Source file audit - 2013-11-17

Ville Skyttä ville.skytta at
Wed Nov 20 21:39:13 UTC 2013

On Wed, Nov 20, 2013 at 6:44 PM, Till Maas <opensource at> wrote:
> On Wed, Nov 20, 2013 at 11:50:17AM +0200, Ville Skyttä wrote:
>> I think I'll make spectool tell curl not to verify SSL certs by
>> default in the next release. If you want it already now for your local
>> spectool, do for example this: "echo --insecure >>
>> /etc/rpmdevtools/curlrc"
> IMHO the default should be to check certificates

I kind of guessed you'd disagree here as you didn't like the patch I
added to cnucnu disabling the certificate check :)

BTW IMNSHO the certificate check should still be disabled in cnucnu as
well. I don't think it makes sense to fail the entire purpose of the
tool (to notify people who have subscribed to notifications about
updates) because of certificate check failures (and in a silent way so
that the subscribers will probably never know).

> especially since
> spectool is the usual tool to update source files in dist-git. Only if
> there is no need to check the certificate, this should be disabled.

I don't think there's any need for the connection where publicly
available sources are fetched from without supplying any credentials
to be encrypted in the first place. Checking the downloaded content
matters, and that has nothing to do with whether the certificate of
the transfer connection is expired or not or if it's issued by a
trusted party or not or if it passes common name/hostname checks.
spectool is not a source verification tool nor a certificate
validation one, and I'm not going to help people get the misconception
that it might be something like that.

More information about the devel mailing list