bug#22883: Trustable "guix pull"

From: Thompson, David
Subject: bug#22883: Trustable "guix pull"
Date: Mon, 16 May 2016 13:55:54 -0400

On Sun, May 15, 2016 at 8:40 AM,  <address@hidden> wrote:
> Please, for the love of all/any gods!(if any)
> Fix this issue :)
> For example, you can get this https to work:
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> (it doesn't currently)
> $ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> --2016-05-15 15:32:15--
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> Resolving git.savannah.gnu.org...
> Connecting to git.savannah.gnu.org||:443... connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> Unable to establish SSL connection.
> Chromium says:
> This site can’t provide a secure connection
> git.savannah.gnu.org sent an invalid response.
> Learn more about this problem.
> This works just fine though: https://savannah.gnu.org/ and https://gnu.org/
> and https://www.gnu.org/
> As a reminder, letsencrypt and startssl are a thing - both provide free
> certs. If that's the issue.

We *DO NOT* run Savannah, the FSF does.  Savannah absolutely should
allow cloning Git repositories over HTTPS, but we are the wrong people
to complain to about it.  You can send a polite message to
address@hidden instead.

> I want to be honest here: this bug is a show stopper for me! It makes me
> draw certain unfavorable conclusions about the mentality and seriousness of
> the guix project devs. I wish it wouldn't, but really can you blame me?

Yes, I can.  I think you should re-evaluate your conclusions.  All of
our official release tarballs are GPG signed, we have begun signing
all of our commits, all of our package recipes validate checksums for
the source code they download, and we patch CVEs in a pretty timely
manner for such a small core team.  I can assure you that we are
very serious about security.  I recommend simply not using 'guix pull'
right now until we have something more trustable, which we are working
on!  This is beta software written by volunteers.  The problem will be
solved quicker with some more hands to help.  Would you like to join

- Dave
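As an added example that is not part of the thread (and not Guix's own code), the following shows the kind of check Dave refers to when he says package recipes validate checksums for the source they download: an archive is accepted only if its SHA-256 digest matches the value pinned in the recipe, and a mismatch (a tampered or truncated download, or a mistyped hash) is rejected rather than used. The recipe table, the `fetch` callable and the sample bytes are all constructed for the example.

```python
import hashlib
import hmac
import re

_HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the digest form a recipe would pin)."""
    return hashlib.sha256(data).hexdigest()


def verify_source(data: bytes, expected_hex: str) -> bool:
    """True only if data hashes to expected_hex.

    The expected value is normalised and syntax-checked first, so a malformed
    pin fails closed instead of silently matching nothing, and the comparison
    is constant-time so the check itself leaks nothing about the digest.
    """
    expected = expected_hex.strip().lower()
    if not _HEX_SHA256.match(expected):
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def check_recipe_sources(recipe: dict, fetch) -> dict:
    """Fetch every source named in a recipe and report which ones verify.

    recipe maps a source name to {"url": ..., "sha256": ...}; fetch(url)
    returns the downloaded bytes. Nothing is returned as usable unless its
    digest matches, mirroring the "checksum or reject" rule in the thread.
    """
    results = {}
    for name, spec in recipe.items():
        data = fetch(spec["url"])
        results[name] = verify_source(data, spec["sha256"])
    return results


# --- constructed sample data (hypothetical, not a real Guix recipe) -------
GOOD_ARCHIVE = b"abc"                      # stands in for a downloaded tarball
TAMPERED_ARCHIVE = b"abd"                  # one byte changed
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

EXAMPLE_RECIPE = {
    "intact": {"url": "https://example.invalid/intact.tar.gz",
               "sha256": PINNED_SHA256},
    "tampered": {"url": "https://example.invalid/tampered.tar.gz",
                 "sha256": PINNED_SHA256},
    "badpin": {"url": "https://example.invalid/intact.tar.gz",
               "sha256": "not-a-digest"},
}

# Offline stand-in for a downloader: maps URLs to the constructed bytes above.
_FAKE_STORE = {
    "https://example.invalid/intact.tar.gz": GOOD_ARCHIVE,
    "https://example.invalid/tampered.tar.gz": TAMPERED_ARCHIVE,
}


def fake_fetch(url: str) -> bytes:
    return _FAKE_STORE[url]


if __name__ == "__main__":
    for name, ok in check_recipe_sources(EXAMPLE_RECIPE, fake_fetch).items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The point of pinning a digest in the recipe rather than trusting the transport is that it holds even when, as in the quoted session, HTTPS to the mirror is unavailable: the download can arrive over plain HTTP and still be checked against a value that was obtained through a trusted channel.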

