author Ben Hutchings <ben.hutchings@codethink.co.uk> 2020-08-07 00:59:52 +0100
committer Ben Hutchings <ben.hutchings@codethink.co.uk> 2020-08-12 14:34:26 +0100
commit bdfa301998218e879281de58e1ab8097d34d6f08 (patch)
tree 7fbb7f8588fad90e40870fa9e3231a18b22ad702 /README.md
parent e24858ad11582082f0a329650325c1f8b0fda277 (diff)
download lorry-bdfa301998218e879281de58e1ab8097d34d6f08.tar.gz
lorry: Enable TLS server certificate validation by default

Lorry is not only used in Baserock, and it's reasonable to assume that there is normally a useful CA certificate store available. It's also no longer common for open source projects to avoid the "CA cartel" by using self-signed or CAcert certificates.

* Enable validation by default for Bazaar, Git, and Mercurial
* Add a configuration option to disable it
* Add and document a .lorry keyword to disable it

We already validate server certificates for file downloads since the Python standard library enabled it by default. We also never disabled validation for Subversion. Since this seems to have worked OK, don't add the option to disable it for these upstream types.

Closes #9.

Diffstat (limited to 'README.md')
-rw-r--r-- README.md 6
1 files changed, 6 insertions, 0 deletions
diff --git a/README.md b/README.md
index a5845f3..a3e4905 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,12 @@ all of them will be processed by lorry. The following shows two repositories.
Lorry can import other version control systems into git.
+When the URL uses the `https:` scheme, Lorry will validate the SSL/TLS
+server certificate by default. If necessary, this can be disabled for
+a Bazaar, Git, and Mercurial server by adding the key:
+
+ "check-certificates": false
+
### Mercurial
Mercurial is very similar to git, just change the type field to "hg"
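Review bot: The added paragraph before the `### Mercurial` heading documents the opt-out without stating its scope or its cost. It names the key "for a Bazaar, Git, and Mercurial server" (better worded as "a Bazaar, Git, or Mercurial server"), but it does not say that Subversion and file-download entries have no such option, which the commit message states explicitly, and it does not show where in a .lorry entry the key belongs. Suggest adding a sentence that the key has no effect for those other upstream types, a sentence that setting `"check-certificates": false` leaves that mirror's fetches open to a man-in-the-middle substituting repository content, and a short repository entry showing the key next to the `type` field so readers place it at the right level.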