unofficial mirror of bug-guix@gnu.org 
* bug#27795: Issues with upstream source for guile-emacs
@ 2017-07-22 23:19 Leo Famulari
  2017-07-23 12:32 ` Ricardo Wurmus
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2017-07-22 23:19 UTC (permalink / raw)
  To: 27795

While working on the bug 'Changing package source URLs from git:// to
https://' [0], I noticed an issue with the sources for guile-emacs.

We currently fetch this source code over the unauthenticated GIT
protocol. It is also available over HTTPS. However, these two protocols
are returning different Git repos for some reason. For example, with the
diff shown below [1]:

------
% ./pre-inst-env guix build -S --no-grafts --no-substitutes guile-emacs
The following derivation will be built:
   /gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv
@ build-started /gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv - x86_64-linux /var/log/guix/drvs/1f//wh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv.bz2
Cloning into '/gnu/store/jlkhs6ypnlvbzl4jassp871v0z86199y-git-checkout'...
fatal: reference is not a tree: 41120e0f595b16387eebfbf731fff70481de1b4b
environment variable `PATH' unset
r:sha256 hash mismatch for output path `/gnu/store/jlkhs6ypnlvbzl4jassp871v0z86199y-git-checkout'
  expected: 0lvcvsz0f4mawj04db35p1dvkffdqkz8pkhc0jzh9j9x2i63kcz6
  actual:   1qish7cgck6brag4i4bgy31nzjrylwgmiai04ddzl5z2025a3shd
@ build-failed /gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv - 1 r:sha256 hash mismatch for output path `/gnu/store/jlkhs6ypnlvbzl4jassp871v0z86199y-git-checkout'
  expected: 0lvcvsz0f4mawj04db35p1dvkffdqkz8pkhc0jzh9j9x2i63kcz6
  actual:   1qish7cgck6brag4i4bgy31nzjrylwgmiai04ddzl5z2025a3shd
guix build: error: build failed: build of `/gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv' failed
------

[0]
https://bugs.gnu.org/27778

[1]
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 43de13057..9d44d82ab 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -262,7 +262,7 @@ editor (without an X toolkit)" )
     (source (origin
               (method git-fetch)
               (uri (git-reference
-                    (url "git://git.hcoop.net/git/bpt/emacs.git")
+                    (url "https://git.hcoop.net/git/bpt/emacs.git")
                     (commit "41120e0f595b16387eebfbf731fff70481de1b4b")))
               (sha256
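
Review bot: the `commit` on the unchanged context line still names 41120e0f595b16387eebfbf731fff70481de1b4b, and the build log earlier in this message shows the HTTPS remote failing on exactly that id (`fatal: reference is not a tree`), so changing only `url` leaves the origin unbuildable. Either hold the URL switch until both endpoints serve the same history, or change `url`, `commit` and the `sha256` value in one patch once the HTTPS history has been confirmed with upstream. The hunk stops at `(sha256`, so the pinned hash itself cannot be reviewed from what is quoted here.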

* bug#27795: Issues with upstream source for guile-emacs
  2017-07-22 23:19 bug#27795: Issues with upstream source for guile-emacs Leo Famulari
@ 2017-07-23 12:32 ` Ricardo Wurmus
  2017-07-23 14:22   ` Ricardo Wurmus
  2019-02-25 23:25   ` Leo Famulari
  0 siblings, 2 replies; 6+ messages in thread
From: Ricardo Wurmus @ 2017-07-23 12:32 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27795


Leo Famulari <leo@famulari.name> writes:

> While working on the bug 'Changing package source URLs from git:// to
> https://' [0], I noticed an issue with the sources for guile-emacs.
>
> We currently fetch this source code over the unauthenticated GIT
> protocol. It is also available over HTTPS. However, these two protocols
> are returning different Git repos for some reason.

The clone times out for me:

--8<---------------cut here---------------start------------->8---
git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
Cloning into 'guile-emacs-over-https'...
^C
--8<---------------cut here---------------end--------------->8---

But the clone from git:// works fine.

Is the repository actually served over HTTPS?

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

* bug#27795: Issues with upstream source for guile-emacs
  2017-07-23 12:32 ` Ricardo Wurmus
@ 2017-07-23 14:22   ` Ricardo Wurmus
  2017-07-23 16:05     ` Leo Famulari
  2019-02-25 23:25   ` Leo Famulari
  1 sibling, 1 reply; 6+ messages in thread
From: Ricardo Wurmus @ 2017-07-23 14:22 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27795


Ricardo Wurmus <rekado@elephly.net> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> While working on the bug 'Changing package source URLs from git:// to
>> https://' [0], I noticed an issue with the sources for guile-emacs.
>>
>> We currently fetch this source code over the unauthenticated GIT
>> protocol. It is also available over HTTPS. However, these two protocols
>> are returning different Git repos for some reason.
>
> The clone times out for me:
>
> --8<---------------cut here---------------start------------->8---
> git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
> Cloning into 'guile-emacs-over-https'...
> ^C
> --8<---------------cut here---------------end--------------->8---
>
> But the clone from git:// works fine.
>
> Is the repository actually served over HTTPS?

Don’t mind me.  It eventually worked.  The repositories have different
histories, and the https-repo looks like it is two commits behind.
Looks like an older rebase.

I’d say we should leave it with the current git:// URL.

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

* bug#27795: Issues with upstream source for guile-emacs
  2017-07-23 14:22   ` Ricardo Wurmus
@ 2017-07-23 16:05     ` Leo Famulari
  2017-07-29 16:20       ` Christopher Allan Webber
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2017-07-23 16:05 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: 27795

On Sun, Jul 23, 2017 at 04:22:06PM +0200, Ricardo Wurmus wrote:
> 
> Ricardo Wurmus <rekado@elephly.net> writes:
> 
> > Leo Famulari <leo@famulari.name> writes:
> >
> >> While working on the bug 'Changing package source URLs from git:// to
> >> https://' [0], I noticed an issue with the sources for guile-emacs.
> >>
> >> We currently fetch this source code over the unauthenticated GIT
> >> protocol. It is also available over HTTPS. However, these two protocols
> >> are returning different Git repos for some reason.
> >
> > The clone times out for me:
> >
> > --8<---------------cut here---------------start------------->8---
> > git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
> > Cloning into 'guile-emacs-over-https'...
> > ^C
> > --8<---------------cut here---------------end--------------->8---
> >
> > But the clone from git:// works fine.
> >
> > Is the repository actually served over HTTPS?
> 
> Don’t mind me.  It eventually worked.  The repositories have different
> histories, and the https-repo looks like it is two commits behind.
> Looks like an older rebase.
> 
> I’d say we should leave it with the current git:// URL.

The thing is, since the git:// protocol is unauthenticated, we could
assume that those extra two commits are added by a MitM :/

Somebody who is interested in guile-emacs should really ask upstream
what is going on.

* bug#27795: Issues with upstream source for guile-emacs
  2017-07-23 16:05     ` Leo Famulari
@ 2017-07-29 16:20       ` Christopher Allan Webber
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher Allan Webber @ 2017-07-29 16:20 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27795

Leo Famulari writes:

> On Sun, Jul 23, 2017 at 04:22:06PM +0200, Ricardo Wurmus wrote:
>>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>> > Leo Famulari <leo@famulari.name> writes:
>> >
>> >> While working on the bug 'Changing package source URLs from git:// to
>> >> https://' [0], I noticed an issue with the sources for guile-emacs.
>> >>
>> >> We currently fetch this source code over the unauthenticated GIT
>> >> protocol. It is also available over HTTPS. However, these two protocols
>> >> are returning different Git repos for some reason.
>> >
>> > The clone times out for me:
>> >
>> > --8<---------------cut here---------------start------------->8---
>> > git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
>> > Cloning into 'guile-emacs-over-https'...
>> > ^C
>> > --8<---------------cut here---------------end--------------->8---
>> >
>> > But the clone from git:// works fine.
>> >
>> > Is the repository actually served over HTTPS?
>>
>> Don’t mind me.  It eventually worked.  The repositories have different
>> histories, and the https-repo looks like it is two commits behind.
>> Looks like an older rebase.
>>
>> I’d say we should leave it with the current git:// URL.
>
> The thing is, since the git:// protocol is unauthenticated, we could
> assume that those extra two commits are added by a MitM :/
>
> Somebody who is interested in guile-emacs should really ask upstream
> what is going on.

Since we hash the checkout's contents, an attacker would have to be very
consistently adding those two commits for both the original packager
(me) and all subsequent users... a possible attack, but I think it's not
the biggest thing to worry about.

* bug#27795: Issues with upstream source for guile-emacs
  2017-07-23 12:32 ` Ricardo Wurmus
  2017-07-23 14:22   ` Ricardo Wurmus
@ 2019-02-25 23:25   ` Leo Famulari
  1 sibling, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2019-02-25 23:25 UTC (permalink / raw)
  Cc: 27795-done

Leo Famulari <leo@famulari.name> writes:
> While working on the bug 'Changing package source URLs from git:// to
> https://' [0], I noticed an issue with the sources for guile-emacs.
>
> We currently fetch this source code over the unauthenticated GIT
> protocol. It is also available over HTTPS. However, these two protocols
> are returning different Git repos for some reason.

The issue seems to have been resolved upstream, because HTTPS and git://
clones now return the same repo. I adjusted our guile-emacs package
accordingly in commit ef5fa91ccc5d6ff7a5ce21df19541b57b98db4c7.

end of thread, other threads:[~2019-02-25 23:26 UTC | newest]
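
The comparison the thread makes by hand, cloning over git:// and https:// and finding different histories, can be scripted over the output of `git ls-remote` for each URL. This is an added example, not code from the thread or from Guix; the sample listings and object ids are constructed, and `parse_ls_remote` and `compare_transports` are hypothetical helper names.

```python
import re

# One advertised ref per line: "<object id>\t<ref name>", as printed by `git ls-remote`.
REF_LINE = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{64})\t(\S+)$")

# Constructed sample data (made-up object ids, not the real repository state).
PINNED = "c3" * 20   # stands in for the commit pinned in the package origin
OLDER = "b2" * 20    # stands in for an older tip served by one endpoint
TAG = "d4" * 20
SAMPLE_GIT = f"{PINNED}\tHEAD\n{PINNED}\trefs/heads/wip\n{TAG}\trefs/tags/v1\n"
SAMPLE_HTTPS = f"{OLDER}\tHEAD\n{OLDER}\trefs/heads/wip\n{TAG}\trefs/tags/v1\n"


def parse_ls_remote(text):
    """Return {ref name: object id}; reject lines that are not ref advertisements."""
    refs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = REF_LINE.match(line)
        if match is None:
            raise ValueError(f"unexpected ls-remote line: {line!r}")
        refs[match.group(2)] = match.group(1)
    return refs


def compare_transports(listing_a, listing_b, pinned):
    """Report where two endpoints of the 'same' repository disagree."""
    a, b = parse_ls_remote(listing_a), parse_ls_remote(listing_b)
    shared = sorted(a.keys() & b.keys())
    return {
        "consistent": a == b,
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "differing": {r: (a[r], b[r]) for r in shared if a[r] != b[r]},
        # ls-remote lists tips only: an empty list means "not a tip", not "absent".
        "pinned_is_tip_a": sorted(r for r, oid in a.items() if oid == pinned),
        "pinned_is_tip_b": sorted(r for r, oid in b.items() if oid == pinned),
    }


if __name__ == "__main__":
    report = compare_transports(SAMPLE_GIT, SAMPLE_HTTPS, PINNED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `differing` map between the two endpoints is the signal to ask upstream before changing the pinned origin; the content hash in the package only pins whatever the packager first received.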
