Sandor, Why is it reasonable to use the Puppet certificates to make this connection? Wouldn't this be using Puppet's CA cert to try to validate connections to wherever you're getting the dmg? And even if this was valid, why set both capath and cacert?
Why bother with the fallback to insecure if the secure connection fails? I know in the ticket Nigel suggested this so that we don't break backward compatibility, but the change doesn't seem worth making if we do that. This undermines the whole purpose of using the secure connection.

Matt

On Tue, Nov 9, 2010 at 2:26 PM, Sandor Szuecs <[email protected]> wrote:
> The curl option -k was used in order to download a source file using the > pkgdmg package provider. > Now it validates certs first and if this fails it fallbacks to the old style > after logging a warn message. > > Signed-off-by: Sandor Szuecs <[email protected]> > --- > lib/puppet/provider/package/pkgdmg.rb | 10 ++++++++-- > 1 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/lib/puppet/provider/package/pkgdmg.rb > b/lib/puppet/provider/package/pkgdmg.rb > index ed3bd03..42c5f52 100644 > --- a/lib/puppet/provider/package/pkgdmg.rb > +++ b/lib/puppet/provider/package/pkgdmg.rb
> @@ -100,8 +100,14 @@ Puppet::Type.type(:package).provide :pkgdmg, :parent => > Puppet::Provider::Packag > end > > def try_curl(cached_source, source, name) > - curl "-o", cached_source, "-C", "-", "-k", "-s", "--url", source > - Puppet.debug "Success: curl transfered [#{name}]" > + begin > + curl "-o", cached_source, "-C", "-", "--capath", Puppet[:certdir], > "--cacert", Puppet[:localcacert], "-s", "-S", "--url", source > + Puppet.debug "Success: curl cert validated transfer [#{name}]" > + rescue Puppet::ExecutionFailure > + Puppet.warning "Transfer with curl will not being validated > [#{name}]" > + curl "-o", cached_source, "-C", "-", "-k", "-s", "--url", source > + Puppet.debug "Success: curl insecure transfer [#{name}]" > + end > end > > def install_dmg(cached_source, source, name) > -- > 1.7.3.2
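
Review bot: the rescue branch in try_curl retries with "-k" on any Puppet::ExecutionFailure, so a failed certificate check (or any other curl error) ends in the same unverified download this patch set out to remove, with only a warning logged. Suggest dropping the fallback, or putting it behind an explicit opt-in setting so that the default fails closed and the error from the validated attempt is reported. The validated call also passes both "--capath", Puppet[:certdir] and "--cacert", Puppet[:localcacert], which point curl at Puppet's own trust material; a source whose certificate is issued by a different CA would fail validation and reach the "-k" branch every time, so the trust store should be one that covers the download host, and one of the two options should be enough. Minor: the warning text "will not being validated" should read "will not be validated".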
