Lines in code that are hard coded to use the -k flag: https://github.com/puppetlabs/puppet/blob/f1e9a7cb00a3ec01d938cd5c5b1406a82b63d5e7/lib/puppet/provider/package/appdmg.rb#L63
https://github.com/puppetlabs/puppet/blob/f1e9a7cb00a3ec01d938cd5c5b1406a82b63d5e7/lib/puppet/provider/package/pkgdmg.rb#L84

On Wednesday, June 25, 2014 12:02:51 AM UTC-7, Jack Singleton wrote:
> I just noticed the appdmg and pkgdmg package providers (used on osx) download packages using the curl flag "-k" aka "--insecure" which disables certificate checking.
>
> Is there any reason for this?
>
> At the very least there should be a way to turn insecure mode off. Really it should never be enabled by default.
>
> This introduces a pretty big security vulnerability to workstations set up with Boxen, as remote dmg downloads are encouraged.
>
> Jack
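An added example, not part of the thread and not Puppet's own code: a Ruby audit check that flags curl calls in provider-style source which pass `-k` or `--insecure`, including `-k` hidden in a bundle of short flags, without tripping on a `k` that belongs to an option's value. The helper names and the sample lines are constructed for illustration, and the parser assumes arguments are passed as a comma-separated list of literals and variables.

```ruby
# Short options that take a value (subset; extend as needed). Inside a bundle
# such as "-Lok.dmg" everything after the option letter is its value.
VALUE_OPTS = "oCuHdAexmwTbcEFKrXyYz".chars.freeze
# args: Array of String, with nil standing in for non-literal arguments.
def insecure_curl_args?(args)
  skip = false
  args.each do |arg|
    if skip                        # token is the value of the previous option
      skip = false
      next
    end
    next if arg.nil?
    return true if arg == "--insecure"
    next unless arg =~ /\A-[^-]/   # bundle of short options
    arg[1..-1].each_char.with_index do |ch, i|
      return true if ch == "k"
      next unless VALUE_OPTS.include?(ch)
      skip = (i == arg.length - 2) # value is the next token unless attached
      break
    end
  end
  false
end

# Split a `curl "-o", path, ...` call into literals (String) and others (nil).
# Assumes no commas inside the string literals.
def curl_args(line)
  m = line.match(/\bcurl[ (](.*)/)
  return nil unless m
  m[1].split(",").map { |t| t.strip[/\A["']([^"']*)["']\)?\z/, 1] }
end

# Return the 1-based line numbers of curl calls that disable verification.
def insecure_curl_lines(source)
  hits = []
  source.each_line.with_index(1) do |line, n|
    args = curl_args(line)
    hits << n if args && insecure_curl_args?(args)
  end
  hits
end

# Constructed provider-style lines, not copied from the Puppet sources.
SAMPLE = <<~'RUBY'
  curl "-o", cached_source, "-C", "-", "-k", "-L", "-s", "--url", source
  curl "-o", cached_source, "-C", "-", "-L", "-s", "--url", source
  curl "-sLk", "-o", cached_source, source
  curl "-Lok.dmg", source
  curl("--insecure", "-o", cached_source, source)
RUBY
puts insecure_curl_lines(SAMPLE).inspect if __FILE__ == $0
```

Values of long options are not tracked, so a long option whose value happens to start with `-k` would be misread; extend `curl_args` before pointing this at code that builds its argument list differently.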
