appdmg and pkgdmg providers download packages insecurely?


Jack Singleton

Jun 25, 2014, 3:02:51 AM
to puppet...@googlegroups.com
I just noticed the appdmg and pkgdmg package providers (used on OS X) download packages using the curl flag "-k", aka "--insecure", which disables certificate checking.

Is there any reason for this?

At the very least there should be a way to turn insecure mode off. Really it should never be enabled by default.

This introduces a pretty big security vulnerability to workstations set up with Boxen, as remote dmg downloads are encouraged.

Jack
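The point of the post above is that the provider's curl invocation hard-codes `-k`, so every package download skips TLS certificate verification. The following is an added illustration, not Puppet's own provider code: a small Ruby helper in the style a provider might use, where verification stays on unless a caller explicitly opts out, an optional CA bundle can be pinned, and the downloaded image is checked against an expected SHA-256 before anything is installed. The URL, destination path and checksums are constructed sample values.

```ruby
require 'digest'
require 'shellwords'
require 'tempfile'

# Build the curl argument list used to fetch a package image.
# Certificate verification is ON unless the caller explicitly opts out,
# and the opt-out is logged so it shows up in provider debug output.
# `cacert` is an optional path to a CA bundle (e.g. an internal CA) to pin against.
def curl_download_args(url, dest, insecure: false, cacert: nil)
  args = ['curl', '--fail', '--silent', '--show-error',
          '--location', '--output', dest]
  args += ['--cacert', cacert] if cacert
  if insecure
    warn "WARNING: certificate verification disabled for #{url}"
    args << '--insecure'   # only ever added on explicit request
  end
  args << url
  args
end

# Render the argument list as a shell-safe command string (for logging or exec).
def curl_download_command(url, dest, **opts)
  Shellwords.join(curl_download_args(url, dest, **opts))
end

# Verify a downloaded file against an expected SHA-256 hex digest.
# Raises on mismatch so a tampered or truncated image is never installed.
def verify_checksum!(path, expected_sha256)
  actual = Digest::SHA256.file(path).hexdigest
  unless actual == expected_sha256.downcase
    raise "checksum mismatch for #{path}: expected #{expected_sha256}, got #{actual}"
  end
  true
end

# Non-raising variant for callers that just want a boolean.
def checksum_ok?(path, expected_sha256)
  verify_checksum!(path, expected_sha256)
rescue RuntimeError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: write a fake .dmg payload to a temp file and check it.
  tmp = Tempfile.new(['demo', '.dmg'])
  tmp.write('not really a disk image')
  tmp.close
  puts curl_download_command('https://example.com/pkg.dmg', '/tmp/pkg.dmg')
  puts curl_download_command('https://example.com/pkg.dmg', '/tmp/pkg.dmg', insecure: true)
  puts checksum_ok?(tmp.path, Digest::SHA256.hexdigest('not really a disk image'))
end
```

The default argument list contains no `-k`/`--insecure`; the checksum step covers the case a verified TLS connection does not, namely a compromised or mis-served file on the origin itself.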

Jack Singleton

Jun 25, 2014, 2:42:32 PM
to puppet...@googlegroups.com

Moses Mendoza

Jun 27, 2014, 12:21:46 AM
to puppet...@googlegroups.com

Hi Jack,

Thanks for pointing this out. We'll look into this asap.

Moses

