From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: bug#16791: w3m fails to do any SSL certificate checking Date: Thu, 7 Jan 2016 23:55:12 -0500 Message-ID: <20160108045512.GA30445@jasmine> References: <87ha7wol02.fsf@netris.org> <20160103022030.GA16788@jasmine> <20160104061932.GA4210@jasmine> <87y4c4x6hu.fsf@gnu.org> <20160105163214.GA23764@jasmine> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:59177) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aHP5p-0004sJ-EX for bug-guix@gnu.org; Thu, 07 Jan 2016 23:56:06 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aHP5m-0008Pf-7a for bug-guix@gnu.org; Thu, 07 Jan 2016 23:56:05 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:53921) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aHP5m-0008Pa-4K for bug-guix@gnu.org; Thu, 07 Jan 2016 23:56:02 -0500 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <20160105163214.GA23764@jasmine> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 16791@debbugs.gnu.org On Tue, Jan 05, 2016 at 11:32:14AM -0500, Leo Famulari wrote: > On Tue, Jan 05, 2016 at 12:35:57AM +0100, Ludovic Courtès wrote: > > Leo Famulari skribis: > > > > > On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote: > > >> I looked into how Debian does it. They bundle a configuration file that > > >> sets the correct options. > > >> > > >> If you download the "debian" file [0], which includes all of their > > >> packaging for w3m, you can view the file at 'debian/w3mconfig'. > > >> > > >> The relevant option is "ssl_verify_server", and it must be set to "1" in > > >> order for w3m to perform verification. > > >> > > >> Example with a domain whose certificate is expired: > > >> $ w3m -o ssl_verify_server 1 fmrl.me > > >> > > >> Do we ever bundle configuration files in this manner? > > >> > > >> Can a wrapper set command-line variables? > > >> > > >> I will investigate whether these options can be set at build time. > > >> > > >> I don't think we should ship a browser in this state, even if users are > > >> able to configure it properly after installation. w3m is used by other > > >> programs like mutt to render html "under the hood". > > >> > > >> [0] > > >> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz > > >> > > > > > > This particular issue was resolved in October 2014 in this commit > > > (tested): > > > http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654 > > > > Looks like applying this patch would fix the bug right away, right? > > > > > It looks like there is a lot of development activity happening within > > > Debian, beyond simple packaging [0]. Even what seems to be the official > > > SourceForge page seems to be tracking the Debian work [1]. > > > > > > The Debian developers are regularly issuing release tags but not release > > > tarballs. I built from the latest one and it seems to work. > > > > > > I think we should use the Debian repo as the source for our w3m package. > > > What does everyone else think? > > > > Unless upstream is really dead, we should track it. I think it’s not > > the distro’s job to do non-trivial development. > > I'm trying to reach the people that used to work on w3m to ask if they > are still active or if they have abandoned it. They haven't been around > in ~4 years from what I have seen. > > > > > What about using the latest upstream tarball, along with the patch > > above and probably the one that disables SSLv{2,3}? > > I'll try that. Mark, can you check if commit 62339e2d49 fixes this bug for you? > > > > > Thanks, > > Ludo’. > > >