GNU bug report logs

#22883 Trustable "guix pull"


Message #34 received at 22883@debbugs.gnu.org:

In-Reply-To: <c9f22542d79aaf0503b68ba70f0ce912@openmailbox.org>
References: <87io14sqoa.fsf@dustycloud.org>
 <c9f22542d79aaf0503b68ba70f0ce912@openmailbox.org>
Date: Mon, 16 May 2016 13:55:54 -0400
Message-ID: <CAJ=RwfZ+pCHjrGE6hfQe9V5MtmhA5cwB346qA5qxOnA66FvoMg@mail.gmail.com>
Subject: Re: bug#22883: Trustable "guix pull"
From: "Thompson, David" <dthompson2@worcester.edu>
To: fluxboks@openmailbox.org
Cc: 22883@debbugs.gnu.org

On Sun, May 15, 2016 at 8:40 AM, <fluxboks@openmailbox.org> wrote:
> Please, for the love of all/any gods!(if any)
> Fix this issue :)
> For example, you can get this https to work:
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> (it doesn't currently)
>
> $ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> --2016-05-15 15:32:15--
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> Resolving git.savannah.gnu.org... 208.118.235.72
> Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> Unable to establish SSL connection.
>
> Chromium says:
> This site can’t provide a secure connection
>
> git.savannah.gnu.org sent an invalid response.
> Learn more about this problem.
> ERR_SSL_PROTOCOL_ERROR
>
> This works just fine though: https://savannah.gnu.org/ and https://gnu.org/
> and https://www.gnu.org/
>
> As a reminder, letsencrypt and startssl are a thing - both provide free
> certs. If that's the issue.

We *DO NOT* run Savannah, the FSF does.  Savannah absolutely should
allow cloning Git repositories over HTTPS, but we are the wrong people
to complain to about it.  You can send a polite message to
sysadmin@gnu.org instead.

> I want to be honest here: this bug is a show stopper for me! It makes me
> draw certain unfavorable conclusions about the mentality and seriousness of
> the guix project devs. I wish it wouldn't, but really can you blame me?

Yes, I can.  I think you should re-evaluate your conclusions.  All of
our official release tarballs are GPG signed, we have begun signing
all of our commits, all of our package recipes validate checksums for
the source code they download, and we patch CVEs in a pretty timely
manner for such a small core team.  I can assure you that we are
very serious about security.  I recommend simply not using 'guix pull'
right now until we have something more trustable, which we are working
on!  This is beta software written by volunteers.  The problem will be
solved quicker with some more hands to help.  Would you like to join
in?

- Dave



