| 1 |
On Mon, Jan 09, 2006 at 05:28:04PM +0100, Andrea Barisani wrote: |
| 2 |
> On Mon, Jan 09, 2006 at 05:21:42PM +0100, Jakub Moc wrote: |
| 3 |
> > |
| 4 |
> > 9.1.2006, 17:12:31, Andrea Barisani wrote: |
| 5 |
> > |
| 6 |
> > > On Mon, Jan 09, 2006 at 11:08:38AM -0500, solar wrote: |
| 7 |
> > |
| 8 |
> > >> |
| 9 |
> > >> Do you think the PDEPEND of the ca-certs should be tied to a USE= flag? |
| 10 |
> > >> If so should it be a 'no*certs' flag or a USE=cacerts ? |
| 11 |
> > |
| 12 |
> > > USE=cacerts sounds the proper course of action to me. |
| 13 |
> > |
| 14 |
> > NOT until use-based deps are in place, plzktnxbye!!! Don't break the damned |
| 15 |
> > realplayer thing again. |
| 16 |
> |
| 17 |
> It's the realplayer thing that should be fixed. Can't believe that |
| 18 |
> ca-certificates got relatively quiet as a PDEPEND because of that ;). |
| 19 |
|
| 20 |
I bitched for exactly that; we can't mirror their files, and having |
| 21 |
the package non fetch restricted is questionable from a license |
| 22 |
standpoint anyways. |
| 23 |
|
| 24 |
Either way, one thing that *should* be noted here is that this still |
| 25 |
doesn't totally fix the issue for realplayer. Curl won't honor/use |
| 26 |
the cacerts package for example, so we still have the same bug, just |
| 27 |
different fetcher. |
| 28 |
|
| 29 |
Adding cacerts to the pdepend effectively is expansion of allowed |
| 30 |
SRC_URI targets- right now we require all uri to be on standards ports |
| 31 |
(443, 80) for restricted networks. Now, via this change, we require |
| 32 |
FETCHCOMMAND to be a binary that supports cacerts. |
| 33 |
|
| 34 |
We also require any https proxy to support/allow cacerts also, if my |
| 35 |
understanding of https proxying is correct. |
| 36 |
|
| 37 |
Finally, this also requires infra to now run with cacerts on for the |
| 38 |
master mirroring box. |
| 39 |
|
| 40 |
Basically... I'm still against this change. We require fetchers that |
| 41 |
support http, and support the standard chain of trust for https. I |
| 42 |
don't like changing the restrictions just for a (bluntly) stupid |
| 43 |
upstream that forces downloads through https. |
| 44 |
|
| 45 |
~harring |
Archives