On Mon, Oct 10, 2016, at 01:58 PM, Kevin Fenzi wrote: > > But does that not mean anyone going to the same place with a browser or > command line downloading specific packages will get a "sorry, this cert > is not trusted" ? Thats not such a big deal for ostree's, but for rpms, > people do this all the time.
Yes, there are two things someone could do then: 1) Go to any of the many non-ca-pinned URLs I wasn't proposing switching any of the existing URLs, but adding a new one, and we should ensure that the exact same view is available with a regular ca-certificates signed cert 2) Use curl --cafile or equivalent (or hack it with curl -k etc.) _______________________________________________ infrastructure mailing list -- [email protected] To unsubscribe send an email to [email protected]
