Re: [pacman-dev] [PATCH 1/2] libalpm: Add dlclientcert and dlclientkey options.

2019-01-30 Thread Maarten de Vries
On Thu, 29 Nov 2018 at 19:42, Maarten de Vries wrote:
>
> On 28-11-18 05:08, Allan McRae wrote:
> > On 15/11/18 2:37 am, Maarten de Vries wrote:
> >> These patches add support for client certificates to alpm and pacman.
> >>
> >> This can already be achieved currently by setting an XferCommand,
> >> but doing so significantly reduces the quality of the feedback pacman
> >> gives during the downloads. Especially annoying are the 404 errors on
> >> most database signature files, but that's not the only issue.
> >>
> >> I admit this is a bit of an edge case, but I find myself in the
> >> situation where I have to download packages from a private repository
> >> that requires a valid client certificate. I really want the nice regular
> >> pacman feedback back though, so I figured I'd hack it in myself.
> >>
> >> I tried to follow naming schemes and other conventions the best I could,
> >> but please let me know if I should change anything, or forgot something.
> > I am very, very reluctant to include this.  We have been quite strict on
> > which download options we have included in pacman in the past - it took
> > quite some time for DisableDownloadTimeout to be added and we still
> > don't have real speed limiting - although this was (still is?) due to
> > curl implementation limitation.  This is way too much of an edge case,
> > and we do have XferCommand for such things.
> >
> > Note, database signature file errors can be removed by adding "SigLevel
> > = DatabaseNone" to the relevant databases.
> >
> > Allan
>
> Well, all I can say is that for this at least curl support is excellent.
> And this does make pacman useful as package manager for internal company
> repositories that need authentication.
>
> I would love to see it in mainline pacman, but if you feel it's too much
> of an edge case, I understand. At any rate, thank you for looking at the
> patches.
>
>
> -- Maarten
>

For the archives, in case anyone else needs similar functionality: I
didn't want to maintain a forked pacman for this, and I really don't
like the implications of the XferCommand option, so I wrote a tool to
inject options in a CURL session of another program using LD_PRELOAD.
It can be found at https://github.com/de-vri-es/curl-inject-opt .

-- Maarten


Re: [pacman-dev] [PATCH 1/2] libalpm: Add dlclientcert and dlclientkey options.

2018-11-29 Thread Maarten de Vries

On 28-11-18 05:08, Allan McRae wrote:
> On 15/11/18 2:37 am, Maarten de Vries wrote:
> > These patches add support for client certificates to alpm and pacman.
> >
> > This can already be achieved currently by setting an XferCommand,
> > but doing so significantly reduces the quality of the feedback pacman
> > gives during the downloads. Especially annoying are the 404 errors on
> > most database signature files, but that's not the only issue.
> >
> > I admit this is a bit of an edge case, but I find myself in the
> > situation where I have to download packages from a private repository
> > that requires a valid client certificate. I really want the nice regular
> > pacman feedback back though, so I figured I'd hack it in myself.
> >
> > I tried to follow naming schemes and other conventions the best I could,
> > but please let me know if I should change anything, or forgot something.
> I am very, very reluctant to include this.  We have been quite strict on
> which download options we have included in pacman in the past - it took
> quite some time for DisableDownloadTimeout to be added and we still
> don't have real speed limiting - although this was (still is?) due to
> curl implementation limitation.  This is way too much of an edge case,
> and we do have XferCommand for such things.
>
> Note, database signature file errors can be removed by adding "SigLevel
> = DatabaseNone" to the relevant databases.
>
> Allan

Well, all I can say is that for this at least curl support is excellent.
And this does make pacman useful as package manager for internal company
repositories that need authentication.

I would love to see it in mainline pacman, but if you feel it's too much
of an edge case, I understand. At any rate, thank you for looking at the
patches.

-- Maarten


Re: [pacman-dev] [PATCH 1/2] libalpm: Add dlclientcert and dlclientkey options.

2018-11-27 Thread Allan McRae
On 15/11/18 2:37 am, Maarten de Vries wrote:
> These patches add support for client certificates to alpm and pacman.
> 
> This can already be achieved currently by setting an XferCommand,
> but doing so significantly reduces the quality of the feedback pacman
> gives during the downloads. Especially annoying are the 404 errors on
> most database signature files, but that's not the only issue.
> 
> I admit this is a bit of an edge case, but I find myself in the
> situation where I have to download packages from a private repository
> that requires a valid client certificate. I really want the nice regular
> pacman feedback back though, so I figured I'd hack it in myself.
> 
> I tried to follow naming schemes and other conventions the best I could,
> but please let me know if I should change anything, or forgot something.

I am very, very reluctant to include this.  We have been quite strict on
which download options we have included in pacman in the past - it took
quite some time for DisableDownloadTimeout to be added and we still
don't have real speed limiting - although this was (still is?) due to
curl implementation limitation.  This is way too much of an edge case,
and we do have XferCommand for such things.

Note, database signature file errors can be removed by adding "SigLevel
= DatabaseNone" to the relevant databases.

Allan
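
The XferCommand route mentioned in this thread, written as a wrapper script that presents a client certificate and refuses to run if the private key is readable by group or others. This is an added example, not code from the patch, from pacman, or from any participant; the script path, the environment variable names and the certificate and key locations are assumptions.

```shell
#!/bin/sh
# Added example: XferCommand wrapper that presents a TLS client certificate.
# Hypothetical install path and pacman.conf line:
#   XferCommand = /usr/local/bin/pacman-mtls-fetch %u %o
# pacman substitutes %u with the URL and %o with the local output file.

CERT=${PACMAN_CLIENT_CERT:-/etc/pacman.d/client.crt}   # assumed location
KEY=${PACMAN_CLIENT_KEY:-/etc/pacman.d/client.key}     # assumed location

# Succeeds only if $1 is a regular file whose group and other permission
# bits are all clear (for example mode 600 or 400).
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Downloads URL $1 to file $2, authenticating with the client certificate.
fetch() {
    if ! key_is_private "$KEY"; then
        echo "refusing to use $KEY: missing or readable by group/other" >&2
        return 1
    fi
    # --proto/--proto-redir keep the transfer, including redirects, on HTTPS.
    curl --fail --location --proto '=https' --proto-redir '=https' \
         --continue-at - --cert "$CERT" --key "$KEY" \
         --output "$2" "$1"
}

# Run only when invoked with the two XferCommand arguments.
if [ "$#" -eq 2 ]; then
    fetch "$1" "$2"
fi
```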


Re: [pacman-dev] [PATCH 1/2] libalpm: Add dlclientcert and dlclientkey options.

2018-11-21 Thread Maarten de Vries

On 14-11-2018 18:04, Maarten de Vries wrote:
> On Wed, 14 Nov 2018 at 17:51, Eli Schwartz wrote:
> > On 11/14/18 11:37 AM, Maarten de Vries wrote:
> > > These patches add support for client certificates to alpm and pacman.
> > >
> > > This can already be achieved currently by setting an XferCommand,
> > > but doing so significantly reduces the quality of the feedback pacman
> > > gives during the downloads. Especially annoying are the 404 errors on
> > > most database signature files, but that's not the only issue.
> > >
> > > I admit this is a bit of an edge case, but I find myself in the
> > > situation where I have to download packages from a private repository
> > > that requires a valid client certificate. I really want the nice regular
> > > pacman feedback back though, so I figured I'd hack it in myself.
> > Surely this can also be achieved by adding the certificate to your
> > system certificate store?
>
> No, that would work if I want to verify a self signed server
> certificate (or a server certificate issued by a private CA). But I
> need to present a client certificate to the server.

So, any thoughts on adding support for client certificates?

Kind regards,

Maarten de Vries


Re: [pacman-dev] [PATCH 1/2] libalpm: Add dlclientcert and dlclientkey options.

2018-11-14 Thread Maarten de Vries
On Wed, 14 Nov 2018 at 17:51, Eli Schwartz wrote:

> On 11/14/18 11:37 AM, Maarten de Vries wrote:
> > These patches add support for client certificates to alpm and pacman.
> >
> > This can already be achieved currently by setting an XferCommand,
> > but doing so significantly reduces the quality of the feedback pacman
> > gives during the downloads. Especially annoying are the 404 errors on
> > most database signature files, but that's not the only issue.
> >
> > I admit this is a bit of an edge case, but I find myself in the
> > situation where I have to download packages from a private repository
> > that requires a valid client certificate. I really want the nice regular
> > pacman feedback back though, so I figured I'd hack it in myself.
> Surely this can also be achieved by adding the certificate to your
> system certificate store?
>
>
No, that would work if I want to verify a self signed server certificate
(or a server certificate issued by a private CA). But I need to present a
client certificate to the server.





> --
> Eli Schwartz
> Bug Wrangler and Trusted User
>
>


Re: [pacman-dev] [PATCH 1/2] libalpm: Add dlclientcert and dlclientkey options.

2018-11-14 Thread Eli Schwartz
On 11/14/18 11:37 AM, Maarten de Vries wrote:
> These patches add support for client certificates to alpm and pacman.
> 
> This can already be achieved currently by setting an XferCommand,
> but doing so significantly reduces the quality of the feedback pacman
> gives during the downloads. Especially annoying are the 404 errors on
> most database signature files, but that's not the only issue.
> 
> I admit this is a bit of an edge case, but I find myself in the
> situation where I have to download packages from a private repository
> that requires a valid client certificate. I really want the nice regular
> pacman feedback back though, so I figured I'd hack it in myself.
Surely this can also be achieved by adding the certificate to your
system certificate store?

-- 
Eli Schwartz
Bug Wrangler and Trusted User


