On Mon, Oct 10, 2016, at 01:58 PM, Kevin Fenzi wrote:
But does that not mean anyone going to the same place with a browser or
command line downloading specific packages will get a "sorry, this cert
is not trusted" ? Thats not such a big deal for ostree's, but for rpms,
people do this all the time.
Yes, there are two things someone could do then:
1) Go to any of the many non-ca-pinned URLs
I wasn't proposing switching any of the existing URLs, but adding
a new one, and we should ensure that the exact same view is
available with a regular ca-certificates signed cert
2) Use curl --cafile or equivalent (or hack it with curl -k etc.)