* Dan Price <[EMAIL PROTECTED]> [2008-04-08 21:47]:
> On Tue 08 Apr 2008 at 02:06PM, Stephen Hahn wrote:
> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-04-08 20:41]:
> > > We need rudimentary SSL support in the pkg client for our upcoming
> > > release. This set of changes adds basic SSL support to the client and
> > > fixes a bunch of other bugs I created in my last few putbacks.
> > >
> > > Webrev is available here:
> > >
> > > http://cr.opensolaris.org/~johansen/pkg-sslcli/
> >
> > client.py:
> >
> > *. Since we don't have mirror support, let's not have the -m option
> > yet.
> >
> > ssl-headers.conf:
> >
> > *. I hadn't finished this piece yet. Probably best to drop it for
> > now.
> >
> > Let me see if I can whip up some pkg(1) diffs for you.
>
> Question 1: in image-create, we specify authorities using -a, and
> in the form authority=http://path/to/authority
>
> In these new commands the syntax seems to be different. Why is that?
> I sort of expected this to look something like:
>
>     pkg add-authority -a test1=http://test1
>     pkg del-authority test1
>     pkg prefer-authority test1
>
> The confusing thing for me about using "set" in this context is that
> it sort of implies that there's only one thing we're setting. Instead,
> we're maintaining a list of things.

Since you broke out prefer-authority, where would you manipulate other
authority properties, once the authority existed?

> I'd also like to see a more thorough vetting of the functionality
> in the test cases-- there's a lot of error paths you have which aren't
> being tested:
>
>     SSL key specified
>     SSL key specified, file doesn't exist
>
>     Cert specified
>     Cert doesn't exist
>
>     Origin URL missing for new authority
>
>     More than one authority given (i.e. the error message on line
>     864 of client.py)
>
>     Attempted removal of preferred authority
>
>     Listing a specific authority
>     Listing a specific authority which does not exist

For the key/certificate needs to exist, I have a minimal CA
module/script that we could integrate. It requires pyOpenSSL, so we
would be carrying a prerequisite for testing. Since we're presently
relying on Apache's mod_ssl as a frontend, I can commit my initial
configuration for that as well.

- Stephen

--
[EMAIL PROTECTED] http://blogs.sun.com/sch/
