Date: Sun, 18 Sep 2016 21:14:54 -0400
From: Leo Famulari
To: bug-guix@gnu.org
Subject: `guix download` accepts expired TLS certificates
Message-ID: <20160919011454.GA6941@jasmine>

While testing Nicolas's patch "Update giac-xcas", I found that `guix download` accepts
expired TLS certificates.

I tried visiting the upstream site in order to verify the hash of the
updated package, and my browsers (Firefox and Chromium) warned me that
the site's certificate had expired ~1 day ago.

However, `guix build -S` did not warn me or prevent me from downloading
the source code.

Perhaps it doesn't matter for the case of `guix build -S`, since we
already know what we expect to download. But, for `guix download`, this
is a bug.

[0] http://lists.gnu.org/archive/html/guix-devel/2016-09/msg01460.html

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 24466-done@debbugs.gnu.org
Subject: Re: bug#24466: `guix download` accepts expired TLS certificates
Date: Mon, 07 Nov 2016 23:45:23 +0100
In-Reply-To: <20160919011454.GA6941@jasmine>
Message-ID: <87bmxqvri4.fsf@gnu.org>

Leo Famulari wrote:

> While testing Nicolas's patch "Update giac-xcas", I found that `guix
> download` accepts expired TLS certificates.
>
> I tried visiting the upstream site in order to verify the hash of the
> updated package, and my browsers (Firefox and Chromium) warned me that
> the site's certificate had expired ~1 day ago.
>
> However, `guix build -S` did not warn me or prevent me from downloading
> the source code.
>
> Perhaps it doesn't matter for the case of `guix build -S`, since we
> already know what we expect to download. But, for `guix download`, this
> is a bug.

This is fixed by commit bc3c41ce36349ed4ec758c70b48a7059e363043a.

Now ‘guix download’ shows a message like this upon failure:

--8<---------------cut here---------------start------------->8---
$ SSL_CERT_DIR=/nowhere ./pre-inst-env guix download https://mirror.guixsd.org/index.html
Starting download of /tmp/guix-file.jT2WjA
From https://mirror.guixsd.org/index.html...
ERROR: X.509 certificate of 'mirror.guixsd.org' could not be verified:
  signer-not-found
  invalid
failed to download "/tmp/guix-file.jT2WjA" from "https://mirror.guixsd.org/index.html"
--8<---------------cut here---------------end--------------->8---

The message is not optimal, but it conveys the message that something is
wrong.

For fixed-output derivations (‘guix build -S’, etc.), the behavior is
unchanged: server certificates are happily ignored. This is IMO the
right thing because (1) we know the hash of the expected content, which
is the only authentication method that matters, and (2) checking
certificates would require having fixed-output derivations depend on
‘nss’.

Thanks,
Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 06 Dec 2016 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
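
The two download policies described in the reply above (certificate checking when no hash is known, hash-only authentication for fixed-output fetches), sketched in Python as an added example that is not part of the thread and is not Guix's code. The function names, the hex SHA-256 format and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl
import urllib.request


def tls_context_for(expected_sha256):
    """Pick the TLS policy for one download (hypothetical helper).

    expected_sha256 is None  -> interactive download: the certificate is
    the only thing authenticating the content, so verify the chain, the
    validity dates and the host name.
    expected_sha256 is given -> fixed-output style fetch: the channel is
    untrusted and the hash check below is the authentication.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    if expected_sha256 is not None:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def content_is_authentic(data, expected_sha256):
    """Return True when data matches the hash recorded ahead of time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def fetch(url, expected_sha256=None):
    """Download url; raise instead of returning unauthenticated bytes."""
    ctx = tls_context_for(expected_sha256)
    # With expected_sha256=None, an expired or unknown-issuer certificate
    # makes urlopen raise URLError wrapping ssl.SSLCertVerificationError.
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        data = resp.read()
    if expected_sha256 is not None and not content_is_authentic(
            data, expected_sha256):
        raise ValueError("hash mismatch for %s" % url)
    return data


# Constructed sample: stand-in bytes for a source tarball and its hash.
SAMPLE = b"constructed tarball bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()
```

In the hash-known branch a modified response still fails, because `content_is_authentic` rejects any bytes whose digest differs from the recorded one regardless of which certificate the server presented.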