Hi Jack,

Thanks for pointing this out. We'll look into this asap.

Moses

On Jun 25, 2014 11:42 AM, "Jack Singleton" <[email protected]> wrote:
>
> Lines in code that are hard coded to use the -k flag:
>
> https://github.com/puppetlabs/puppet/blob/f1e9a7cb00a3ec01d938cd5c5b1406a82b63d5e7/lib/puppet/provider/package/appdmg.rb#L63
> https://github.com/puppetlabs/puppet/blob/f1e9a7cb00a3ec01d938cd5c5b1406a82b63d5e7/lib/puppet/provider/package/pkgdmg.rb#L84
>
> On Wednesday, June 25, 2014 12:02:51 AM UTC-7, Jack Singleton wrote:
>>
>> I just noticed the appdmg and pkgdmg package providers (used on OS X) download packages using the curl flag "-k", aka "--insecure", which disables certificate checking.
>>
>> Is there any reason for this?
>>
>> At the very least there should be a way to turn insecure mode off. Really, it should never be enabled by default.
>>
>> This introduces a pretty big security vulnerability to workstations set up with Boxen, as remote dmg downloads are encouraged.
>>
>> Jack
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/a1c09705-9ed3-4163-a90a-436f66b07042%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
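The weakness raised in this thread, as an added illustration that is not part of the thread or of Puppet's own providers: a curl argument builder that keeps certificate verification on unless the caller explicitly opts out, beside a small audit check that flags any curl invocation carrying "-k"/"--insecure" (also when "-k" is bundled into a short-option cluster). The URL, paths and function names are constructed for the example.

```ruby
# Added example, not Puppet's code: build a curl command line for fetching a
# .dmg with TLS verification kept on by default; insecure mode is opt-in.
INSECURE_FLAGS = %w[-k --insecure].freeze

def curl_download_args(url, dest, allow_insecure: false)
  args = ['curl', '--fail', '-L', '-o', dest]
  # Only disable certificate checking when explicitly requested by the caller.
  args << '--insecure' if allow_insecure
  args << url
  args
end

# Audit helper: true if the argument vector disables certificate checking.
# Catches the exact flags and, heuristically, a bare short-option cluster
# such as "-skL" that contains the letter k.
def insecure_curl?(argv)
  argv.any? do |a|
    INSECURE_FLAGS.include?(a) ||
      (a.match?(/\A-[a-zA-Z]+\z/) && a.include?('k'))
  end
end

# Constructed sample resembling the hard-coded form the thread describes.
HARDCODED_INSECURE = ['curl', '-o', '/tmp/pkg.dmg', '-k', '-L',
                      'https://example.invalid/pkg.dmg'].freeze

if __FILE__ == $PROGRAM_NAME
  puts "hard-coded form insecure? #{insecure_curl?(HARDCODED_INSECURE)}"
  safe = curl_download_args('https://example.invalid/pkg.dmg', '/tmp/pkg.dmg')
  puts "default builder insecure? #{insecure_curl?(safe)}"
end
```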
