Issue #4928 has been updated by Nigel Kersten. Status changed from Needs design decision to Needs more information
Sandor, I'm concerned about this change breaking existing setups for people. I'd be happy with a major version change introducing this change in behavior, because it is better, however I'm concerned about pushing this out without a deprecation warning for people. What about an alternative that tries the secure path first, provides a deprecation warning if it fails, and falls back to the insecure path until the next major version? I don't really want to add another parameter to the package provider just for this case. ---------------------------------------- Feature #4928: SSL cert check for pkgdmg package provider http://projects.puppetlabs.com/issues/4928 Author: Sandor Szücs Status: Needs more information Priority: Normal Assignee: Nigel Kersten Category: OSX Target version: Affected version: Keywords: pkgdmg package provider ssl Branch: The curl option -k is used in order to download a source file using the pkgdmg package provider. This can be attacked by men-in-the-middle. In order to defend from mitm you have to validate certs with curl. Puppet has :certdir and :localcert configuration that you can use with curl. The patch provided fix this issue. I have tested it with a patched 0.25.4 puppet installation on Mac OSX 10.6.4. 0.25.x, 2.6.x and development HEAD are effected to this, possibly versions <0.25 are effected, too. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
