unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: 16791@debbugs.gnu.org
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Mon, 4 Jan 2016 01:19:32 -0500	[thread overview]
Message-ID: <20160104061932.GA4210@jasmine> (raw)
In-Reply-To: <20160103022030.GA16788@jasmine>

On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote:
> I looked into how Debian does it. They bundle a configuration file that
> sets the correct options.
> 
> If you download the "debian" file [0], which includes all of their
> packaging for w3m, you can view the file at 'debian/w3mconfig'.
> 
> The relevant option is "ssl_verify_server", and it must be set to "1" in
> order for w3m to perform verification.
> 
> Example with a domain whose certificate is expired:
> $ w3m -o ssl_verify_server 1 fmrl.me
> 
> Do we ever bundle configuration files in this manner?
> 
> Can a wrapper set command-line variables?
> 
> I will investigate whether these options can be set at build time.
> 
> I don't think we should ship a browser in this state, even if users are
> able to configure it properly after installation. w3m is used by other
> programs like mutt to render html "under the hood".
> 
> [0]
> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz
> 

This particular issue was resolved in October 2014 in this commit
(tested):
http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654

It looks like there is a lot of development activity happening within
Debian, beyond simple packaging [0]. Even what seems to be the official
SourceForge page seems to be tracking the Debian work [1].

The Debian developers are regularly issuing release tags but not release
tarballs. I built from the latest one and it seems to work.

I think we should use the Debian repo as the source for our w3m package.
What does everyone else think?

[0]
http://anonscm.debian.org/cgit/collab-maint/w3m.git/

[1]
http://sourceforge.net/p/w3m/patches/71/

  reply	other threads:[~2016-01-04  6:20 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-18  8:58 bug#16791: w3m fails to do any SSL certificate checking Mark H Weaver
2014-02-18 19:23 ` Andreas Enge
2014-02-18 19:32   ` Andreas Enge
2016-01-03  2:20 ` Leo Famulari
2016-01-04  6:19   ` Leo Famulari [this message]
2016-01-04 19:12     ` Leo Famulari
2016-01-04 23:35     ` Ludovic Courtès
2016-01-05 16:32       ` Leo Famulari
2016-01-08  4:55         ` Leo Famulari
2016-02-10 21:16           ` Leo Famulari

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160104061932.GA4210@jasmine \
    --to=leo@famulari.name \
    --cc=16791@debbugs.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).