Hi Jack, Thanks for pointing this out. We'll look into this asap.
Moses On Jun 25, 2014 11:42 AM, "Jack Singleton" <jack.s.single...@gmail.com> wrote: > > Lines in code that are hard coded to use the -k flag: > > https://github.com/puppetlabs/puppet/blob/f1e9a7cb00a3ec01d938cd5c5b1406a82b63d5e7/lib/puppet/provider/package/appdmg.rb#L63 > > https://github.com/puppetlabs/puppet/blob/f1e9a7cb00a3ec01d938cd5c5b1406a82b63d5e7/lib/puppet/provider/package/pkgdmg.rb#L84 > > > On Wednesday, June 25, 2014 12:02:51 AM UTC-7, Jack Singleton wrote: >> >> I just noticed the appdmg and pkgdmg package providers (used on osx) download packages using the curl flag "-k" aka "--insecure" which disables certificate checking. >> >> Is there any reason for this? >> >> At the very least there should be a way to turn insecure mode off. Really it should never be enabled by default. >> >> This introduces a pretty big security vulnerability to workstations set up with Boxen, as remote dmg downloads are encouraged. >> >> Jack > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/a1c09705-9ed3-4163-a90a-436f66b07042%40googlegroups.com . > > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2B421WYDEkrXp1rTbG%3DE1BCOOQ3PnrzotLsU3Q%2BjD-o7nHZa3A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
