From: "Thompson, David"
Subject: bug#22883: Trustable "guix pull"
Date: Mon, 16 May 2016 13:55:54 -0400
To: fluxboks@openmailbox.org
Cc: 22883@debbugs.gnu.org

On Sun, May 15, 2016 at 8:40 AM, wrote:
> Please, for the love of all/any gods!(if any)
> Fix this issue :)
> For example, you can get this https to work:
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> (it doesn't currently)
>
> $ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> --2016-05-15 15:32:15--
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> Resolving git.savannah.gnu.org... 208.118.235.72
> Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> Unable to establish SSL connection.
>
> Chromium says:
> This site can’t provide a secure connection
>
> git.savannah.gnu.org sent an invalid response.
> Learn more about this problem.
> ERR_SSL_PROTOCOL_ERROR
>
> This works just fine though: https://savannah.gnu.org/ and https://gnu.org/
> and https://www.gnu.org/
>
> As a reminder, letsencrypt and startssl are a thing - both provide free
> certs. If that's the issue.

We *DO NOT* run Savannah, the FSF does. Savannah absolutely should
allow cloning Git repositories over HTTPS, but we are the wrong people
to complain to about it. You can send a polite message to
sysadmin@gnu.org instead.

> I want to be honest here: this bug is a show stopper for me! It makes me
> draw certain unfavorable conclusions about the mentality and seriousness of
> the guix project devs. I wish it wouldn't, but really can you blame me?

Yes, I can. I think you should re-evaluate your conclusions. All of
our official release tarballs are GPG signed, we have begun signing
all of our commits, all of our package recipes validate checksums for
the source code they download, and we patch CVEs in a pretty timely
manner for such a small core team. I can assure you that we are
very serious about security.

I recommend simply not using 'guix pull' right now until we have
something more trustable, which we are working on! This is beta
software written by volunteers. The problem will be solved quicker
with some more hands to help. Would you like to join in?

- Dave