
Signed packages

Open userxfce opened this issue 9 years ago • 6 comments

Hi,

Currently, installing Ubuntu packages requires overwriting the security settings, by explicitly allowing the installation of unsigned/unauthenticated packages:

http://vagga.readthedocs.org/en/latest/installation.html#ubuntu

Would it be possible to have signed packages?

Thank you.

userxfce avatar Dec 21 '15 18:12 userxfce

By the way, you can use the following in the apt-sources.list, to skip confirmation on each upgrade:

deb [arch=amd64 trusted=yes] http://ubuntu.zerogw.com vagga main

tailhook avatar Jul 13 '16 19:07 tailhook

@tailhook Just one more request to either provide signed packages or (even through a gateway), provide HTTPS on ubuntu.zerogw.com (I assume it's running your zerogw server, so I can see how that could be difficult without a reverse proxy like Cloudflare :confused:).

With both HTTPS and package signing off, the current installation process is painfully insecure, to the point that I daren't even suggest it as an option in something low-priority (was going to try integrating it to the integer32 playpen), by this approach.

tekacs avatar Feb 20 '17 08:02 tekacs
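
An added example, not part of the original thread or the vagga project: a shell function that audits one-line-style apt source files for the two conditions discussed above, entries that skip signature verification (`trusted=yes`, or apt's `allow-insecure=yes`) and entries fetched over plain HTTP. The sample file contents and the `repo.example.org` entry are constructed for illustration.

```sh
# audit_apt_sources FILE...
# Prints "<file>:<line>: <FLAGS> <uri>" for each risky one-line "deb" entry.
#   UNSIGNED  = signature checks disabled (trusted=yes / allow-insecure=yes)
#   PLAINTEXT = fetched over http://; a signed repo is still verified by apt,
#               but combined with UNSIGNED nothing authenticates the packages.
# Only the one-line sources.list format is handled, not deb822 ".sources".
audit_apt_sources() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
    $1 != "deb" && $1 != "deb-src" { next }
    {
        opts = ""; uri = $2
        if ($2 ~ /^\[/) {
            # Options may span several fields: [arch=amd64 trusted=yes]
            i = 2; opts = $i
            while (opts !~ /\]$/ && i < NF) { i++; opts = opts " " $i }
            uri = $(i + 1)
        }
        flags = ""
        if (opts ~ /(trusted|allow-insecure)=yes/) flags = flags "UNSIGNED "
        if (uri ~ /^http:\/\//)                    flags = flags "PLAINTEXT "
        if (flags != "") printf "%s:%d: %s%s\n", FILENAME, FNR, flags, uri
    }' "$@"
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sources.list
deb [arch=amd64 trusted=yes] http://ubuntu.zerogw.com vagga main
deb [arch=amd64 trusted=yes] https://ubuntu.zerogw.com vagga main
deb http://archive.ubuntu.com/ubuntu xenial main
deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example.org/apt stable main
EOF

audit_apt_sources "$sample"
```

On a real host the function would be pointed at `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`.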

Yes, you're right. I'll try to move it to HTTPS in a week or so (should be a little bit easier than package signing).

tailhook avatar Feb 20 '17 10:02 tailhook

Okay, https://ubuntu.zerogw.com is up and running. I'm not going to enable HSTS or redirects. I mean it will be accessible both by HTTP and HTTPS at least for some time.

Will upgrade files.zerogw.com (scripts and static binaries) shortly too.

tailhook avatar Feb 20 '17 22:02 tailhook

Thanks! I guess I can understand not enabling HSTS/redirects for now, at least so people have time to migrate any existing uses of vagga (and since the docs are updated, for new users). Perhaps with enough time that can change, as you note.

Again, thanks for taking the time!

tekacs avatar Feb 21 '17 05:02 tekacs

BTW, I'm curious about your integration with integer32 playpen. It would be cool if you share some details in chat or just contact me privately.

tailhook avatar Feb 21 '17 10:02 tailhook