On Mon, Jan 09, 2006 at 05:28:04PM +0100, Andrea Barisani wrote:
> On Mon, Jan 09, 2006 at 05:21:42PM +0100, Jakub Moc wrote:
> >
> > 9.1.2006, 17:12:31, Andrea Barisani wrote:
> >
> > > On Mon, Jan 09, 2006 at 11:08:38AM -0500, solar wrote:
> >
> > >>
> > >> Do you think the PDEPEND of the ca-certs should be tied to a USE= flag?
> > >> If so should it be a 'no*certs' flag or a USE=cacerts ?
> >
> > > USE=cacerts sounds the proper course of action to me.
> >
> > NOT until use-based deps are in place, plzktnxbye!!! Don't break the damned
> > realplayer thing again.
>
> It's the realplayer thing that should be fixed. Can't believe that
> ca-certificates got relatively quiet as a PDEPEND because of that ;).

I bitched for exactly that; we can't mirror their files, and having
the package non fetch restricted is questionable from a license
standpoint anyways.

Either way, one thing that *should* be noted here is that this still
doesn't totally fix the issue for realplayer. Curl won't honor/use
the cacerts package for example, so we still have the same bug, just
different fetcher.
|
Adding cacerts to the pdepend effectively is expansion of allowed
SRC_URI targets- right now we require all uri to be on standard ports
(443, 80) for restricted networks. Now, via this change, we require
FETCHCOMMAND to be a binary that supports cacerts.
|
We also require any https proxy to support/allow cacerts also, if my
understanding of https proxying is correct.

Finally, this also requires infra to now run with cacerts on for the
master mirroring box.

Basically... I'm still against this change. We require fetchers that
support http, and support the standard chain of trust for https. I
don't like changing the restrictions just for a (bluntly) stupid
upstream that forces downloads through https.

~harring