unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#18860: 24.4; packages don't download consistently from https
@ 2014-10-27 23:16 Nic Ferrier
  2014-10-28  0:46 ` Stefan Monnier
  0 siblings, 1 reply; 6+ messages in thread
From: Nic Ferrier @ 2014-10-27 23:16 UTC (permalink / raw)
  To: 18860



Emacs 24.4's package system does something odd when the archive is on
HTTPS.

It seems as if dependencies are downloaded through HTTPS but the main
package is attempted to be downloaded through HTTP.

Here's how to reproduce:

$ cat > test.el <<HERE
(let ((package-user-dir (make-temp-name "/tmp/emacs-package-bug")))
  (package-initialize)
  (add-to-list
   (quote package-archives)
   (quote ("marmalade" . "https://marmalade-repo.org/packages/")))
  (package-refresh-contents)
  (package-install (quote elpakit)))
HERE

$ emacs -batch -l test.el
Importing package-keyring.gpg...
Importing package-keyring.gpg...done
Contacting host: marmalade-repo.org:443
Contacting host: marmalade-repo.org:443
Contacting host: marmalade-repo.org:443
Making version-control local to s-autoloads.el while let-bound!
Generating autoloads for s.el...
Generating autoloads for s.el...done
Saving file /tmp/emacs-package-bug2503RFt/s-1.9.0/s-autoloads.el...
Wrote /tmp/emacs-package-bug2503RFt/s-1.9.0/s-autoloads.el
Checking /tmp/emacs-package-bug2503RFt/s-1.9.0...
Compiling /tmp/emacs-package-bug2503RFt/s-1.9.0/s-autoloads.el...
Compiling /tmp/emacs-package-bug2503RFt/s-1.9.0/s-pkg.el...
Wrote /tmp/emacs-package-bug2503RFt/s-1.9.0/s-pkg.elc
Compiling /tmp/emacs-package-bug2503RFt/s-1.9.0/s.el...
Wrote /tmp/emacs-package-bug2503RFt/s-1.9.0/s.elc
Done (Total of 2 files compiled, 1 skipped)
https://marmalade-repo.org/packages/noflet-0.0.14.el: Bad Request


It seems random which of these requests fail. But as soon as one is sent
over HTTP it fails (obviously).


marmalade-repo (which is currently the only repo doing https package
archives) could fix this problem, partially, on the server side. But we
can't protect the user that way. As soon as emacs makes an HTTP request
for something that should be signed the user is vulnerable to attack.

This is particularly egregious for a packaging system.




In GNU Emacs 24.4.1 (x86_64-unknown-linux-gnu, GTK+ Version 2.24.23)
 of 2014-10-20 on nicferrier-XPS13-9333
Windowing system distributor `The X.Org Foundation', version 11.0.11501000
System Description:	Ubuntu 14.04.1 LTS

Configured using:
 `configure --prefix=/home/nicferrier/emacs-24-4'

Important settings:
  value of $LANG: en_GB.UTF-8
  value of $XMODIFIERS: @im=ibus
  locale-coding-system: utf-8-unix





^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#18860: 24.4; packages don't download consistently from https
  2014-10-27 23:16 bug#18860: 24.4; packages don't download consistently from https Nic Ferrier
@ 2014-10-28  0:46 ` Stefan Monnier
  2014-10-28  8:28   ` Andreas Schwab
  0 siblings, 1 reply; 6+ messages in thread
From: Stefan Monnier @ 2014-10-28  0:46 UTC (permalink / raw)
  To: Nic Ferrier; +Cc: 18860

> Emacs 24.4's package system does something odd when the archive is on
> HTTPS.
> It seems as if dependencies are downloaded through HTTPS but the main
> package is attempted to be downloaded through HTTP.

I did

   M-x trace-function RET url-retrieve-synchronously RET

before running your test.  On my first test, it failed at
shadchen-1.2.el but the request still had the right "https:" prefix.
IOW the trace shows that the url passed from package.el does include the
"https:" and the problem is somewhere in the URL package.

This said, I haven't managed to reproduce the problem since, so
I haven't been able to dig any further.  And in any case I'm not
familiar enough with the HTTP protocol to be of much use there.


        Stefan


* bug#18860: 24.4; packages don't download consistently from https
  2014-10-28  0:46 ` Stefan Monnier
@ 2014-10-28  8:28   ` Andreas Schwab
  2014-10-28 13:42     ` Stefan Monnier
  0 siblings, 1 reply; 6+ messages in thread
From: Andreas Schwab @ 2014-10-28  8:28 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 18860, Nic Ferrier

Stefan Monnier <monnier@iro.umontreal.ca> writes:

> This said, I haven't managed to reproduce the problem since, so
> I haven't been able to dig any further.  And in any case I'm not
> familiar enough with the HTTP protocol to be of much use there.

I don't think this has anything to do with the HTTP protocol.  We just
need to find the place and condition where a non-TLS connection is
opened to the https port.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

* bug#18860: 24.4; packages don't download consistently from https
  2014-10-28  8:28   ` Andreas Schwab
@ 2014-10-28 13:42     ` Stefan Monnier
  2014-11-04 21:20       ` Ted Zlatanov
  0 siblings, 1 reply; 6+ messages in thread
From: Stefan Monnier @ 2014-10-28 13:42 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: 18860, Nic Ferrier

>> This said, I haven't managed to reproduce the problem since, so
>> I haven't been able to dig any further.  And in any case I'm not
>> familiar enough with the HTTP protocol to be of much use there.
> I don't think this has anything to do with the HTTP protocol.  We just
> need to find the place and condition where a non-TLS connection is
> opened to the https port.

Right.  Maybe M-x trace-function RET open-network-stream RET
will give better hints.


        Stefan
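The two diagnostic suggestions in this thread (audit what package.el is asked to fetch, and trace open-network-stream to find where a non-TLS connection reaches the https port) can be folded into a small Emacs Lisp helper. The code below is an added example, not something posted in this bug report or shipped with Emacs: it audits `package-archives' for entries that are not served over https, and wraps `open-network-stream' with advice that records every connection and warns when a plain (non-TLS) stream is opened to port 443. The function and variable names (audit-package-archives-tls, network-stream-audit, network-stream-audit-log) are assumptions chosen for the example; `advice-add', `open-network-stream', `package-archives' and `url-generic-parse-url' are standard Emacs functions.

```elisp
;; Added example (not from the bug thread): audit package-archives for
;; non-https entries and log/flag plain streams opened to port 443.
;; All names defined here are assumptions for this example.

(require 'package)
(require 'url-parse)

(defun audit-package-archives-tls ()
  "Return the (NAME . URL) entries in `package-archives' not using https.
Local directory archives (no URL scheme) are ignored."
  (let (insecure)
    (dolist (entry package-archives)
      (let* ((location (cdr entry))
             (scheme (url-type (url-generic-parse-url location))))
        (when (and scheme (not (string= scheme "https")))
          (push entry insecure))))
    (nreverse insecure)))

(defvar network-stream-audit-log nil
  "List of (NAME HOST SERVICE TYPE), one per call to `open-network-stream'.")

(defun network-stream-audit (orig-fn name buffer host service &rest params)
  "Around-advice for `open-network-stream' recording HOST, SERVICE and :type.
Warns when a stream whose :type is not tls/ssl targets port 443, which is
the condition described in this thread."
  (let ((type (plist-get params :type)))
    (push (list name host service type) network-stream-audit-log)
    (when (and (member service '(443 "443" "https"))
               (not (memq type '(tls ssl))))
      (display-warning 'network-stream-audit
                       (format "Plain stream to %s:%s (type %S); expected TLS"
                               host service type)))
    ;; Only observe; the original call proceeds unchanged.
    (apply orig-fn name buffer host service params)))

(defun network-stream-audit-enable ()
  "Install the audit advice; undo with `network-stream-audit-disable'."
  (interactive)
  (advice-add 'open-network-stream :around #'network-stream-audit))

(defun network-stream-audit-disable ()
  "Remove the audit advice installed by `network-stream-audit-enable'."
  (interactive)
  (advice-remove 'open-network-stream #'network-stream-audit))

;; Usage: evaluate this file, then
;;   (audit-package-archives-tls)      ; => nil when every archive is https
;;   (network-stream-audit-enable)
;;   ... run the test.el from the report ...
;;   network-stream-audit-log          ; inspect every connection made
```

Running the reporter's test.el with the advice enabled gives, for each connection, the host, port and :type that url-gw passed to open-network-stream; a plain stream to port 443 shows up both as a warning and as an entry in network-stream-audit-log, which is more direct than reading a trace-function buffer. The audit of package-archives is the complementary check on the client side: with only https archives configured, any plain request is a client bug rather than a configuration mistake.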

* bug#18860: 24.4; packages don't download consistently from https
  2014-10-28 13:42     ` Stefan Monnier
@ 2014-11-04 21:20       ` Ted Zlatanov
  2019-09-24  8:01         ` Lars Ingebrigtsen
  0 siblings, 1 reply; 6+ messages in thread
From: Ted Zlatanov @ 2014-11-04 21:20 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 18860, Andreas Schwab, Nic Ferrier

On Tue, 28 Oct 2014 09:42:44 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 

>>> This said, I haven't managed to reproduce the problem since, so
>>> I haven't been able to dig any further.  And in any case I'm not
>>> familiar enough with the HTTP protocol to be of much use there.
>> I don't think this has anything to do with the HTTP protocol.  We just
>> need to find the place and condition where a non-TLS connection is
>> opened to the https port.

SM> Right.  Maybe M-x trace-function RET open-network-stream RET
SM> will give better hints.

I ran the test with "emacs -q" and only saw connections to
"marmalade-repo.org:443". I'd love to find a way to replicate.

Thanks
Ted

* bug#18860: 24.4; packages don't download consistently from https
  2014-11-04 21:20       ` Ted Zlatanov
@ 2019-09-24  8:01         ` Lars Ingebrigtsen
  0 siblings, 0 replies; 6+ messages in thread
From: Lars Ingebrigtsen @ 2019-09-24  8:01 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 18860, Andreas Schwab, Nic Ferrier

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Tue, 28 Oct 2014 09:42:44 -0400 Stefan Monnier
> <monnier@iro.umontreal.ca> wrote:
>
>>>> This said, I haven't managed to reproduce the problem since, so
>>>> I haven't been able to dig any further.  And in any case I'm not
>>>> familiar enough with the HTTP protocol to be of much use there.
>>> I don't think this has anything to do with the HTTP protocol.  We just
>>> need to find the place and condition where a non-TLS connection is
>>> opened to the https port.
>
> SM> Right.  Maybe M-x trace-function RET open-network-stream RET
> SM> will give better hints.
>
> I ran the test with "emacs -q" and only saw connections to
> "marmalade-repo.org:443". I'd love to find a way to replicate.

This old bug seemed to be unreproducible and things seem to work, so I'm
closing this bug report.  Please reopen if this is still an issue.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no