From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: 16791@debbugs.gnu.org
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Tue, 05 Jan 2016 00:35:57 +0100 [thread overview]
Message-ID: <87y4c4x6hu.fsf@gnu.org> (raw)
In-Reply-To: <20160104061932.GA4210@jasmine> (Leo Famulari's message of "Mon, 4 Jan 2016 01:19:32 -0500")
Leo Famulari <leo@famulari.name> skribis:
> On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote:
>> I looked into how Debian does it. They bundle a configuration file that
>> sets the correct options.
>>
>> If you download the "debian" file [0], which includes all of their
>> packaging for w3m, you can view the file at 'debian/w3mconfig'.
>>
>> The relevant option is "ssl_verify_server", and it must be set to "1" in
>> order for w3m to perform verification.
>>
>> Example with a domain whose certificate is expired:
>> $ w3m -o ssl_verify_server 1 fmrl.me
>>
>> Do we ever bundle configuration files in this manner?
>>
>> Can a wrapper set command-line variables?
>>
>> I will investigate whether these options can be set at build time.
>>
>> I don't think we should ship a browser in this state, even if users are
>> able to configure it properly after installation. w3m is used by other
>> programs like mutt to render html "under the hood".
>>
>> [0]
>> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz
>>
>
> This particular issue was resolved in October 2014 in this commit
> (tested):
> http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654
Looks like applying this patch would fix the bug right away, right?
> It looks like there is a lot of development activity happening within
> Debian, beyond simple packaging [0]. Even what seems to be the official
> SourceForge page seems to be tracking the Debian work [1].
>
> The Debian developers are regularly issuing release tags but not release
> tarballs. I built from the latest one and it seems to work.
>
> I think we should use the Debian repo as the source for our w3m package.
> What does everyone else think?
Unless upstream is really dead, we should track it. I think it’s not
the distro’s job to do non-trivial development.
What about using the latest upstream tarball, along with the patch
above and probably the one that disables SSLv{2,3}?
Thanks,
Ludo’.
next prev parent reply other threads:[~2016-01-04 23:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-18 8:58 bug#16791: w3m fails to do any SSL certificate checking Mark H Weaver
2014-02-18 19:23 ` Andreas Enge
2014-02-18 19:32 ` Andreas Enge
2016-01-03 2:20 ` Leo Famulari
2016-01-04 6:19 ` Leo Famulari
2016-01-04 19:12 ` Leo Famulari
2016-01-04 23:35 ` Ludovic Courtès [this message]
2016-01-05 16:32 ` Leo Famulari
2016-01-08 4:55 ` Leo Famulari
2016-02-10 21:16 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y4c4x6hu.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=16791@debbugs.gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.