[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#36363: let's encrypt hash mismatch

From: Chris Marusich
Subject: bug#36363: let's encrypt hash mismatch
Date: Sun, 21 Jul 2019 16:12:25 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Ludovic Courtès <address@hidden> writes:

> Julien Lepiller <address@hidden> skribis:
>>  expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>  actual hash:   0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>  hash mismatch for store item
>>  '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
> I believe you’d be fine if substitutes were enabled, but they’re not.
> In the meantime, you can fetch those files with something like:
>   wget -O /tmp/isrgrootx1.pem \
> http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>   guix download file:///tmp/isrgrootx1.pem
> But yeah, like Tobias writes, it’s a bit of a problem.  Should we mirror
> them somewhere?  Does Let’s Encrypt have them under a versioned URL
> elsewhere?

What is Guix using these files for?  I realize it's got something to do
with TLS, but it isn't clear to me why Guix downloads these certs.

I don't have the full context, so please forgive me if my comments are
unhelpful, but before deciding to use stale versions, I think it's worth
asking, "Could using a stale version introduce any security risk?"
Maybe there's a reason why LE doesn't publish the old versions.


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]