Did we lose TLS-authenticated access to the pkg git? I see on the cgit webpage: https://src.fedoraproject.org/cgit/rpms/golang-googlecode-go-crypto.git/ It only offers anonymous transports without integrity (http://, git://).
Specifically for the CentOS Atomic Host SIG builds we go out of our way to use ca-pinning[1]: https://github.com/CentOS/sig-atomic-buildscripts/blob/master/overlay.yml#L13 However, this broke, and I am not immediately working out the apparent cyclical redirects between src.fp.org and pkgs.fp.org. Trying e.g.: $ curl -L -v -k https://pkgs.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/ < HTTP/1.1 302 Found < Location: https://src.fedoraproject.org/git/rpms/golang-googlecode-go-crypto/ < HTTP/1.1 404 Not Found [1] Because I think CA pinning + GPG signatures on upstream source is stronger and better than having humans manually upload tarballs _______________________________________________ infrastructure mailing list -- [email protected] To unsubscribe send an email to [email protected]
