dget/dgetlp should have ca-certificates in their Recommends field.

Bug #247157 reported by KarlGoetz on 2008-07-10
6
Affects Status Importance Assigned to Milestone
devscripts (Ubuntu)
Undecided
Unassigned
ubuntu-dev-tools (Ubuntu)
Wishlist
Jonathan Davies

Bug Description

Binary package hint: devscripts

When running dget on a host with bad ssl, you receive an error. in the error message an option is suggested to fix the problem. its actually the option to pass to *wget*, not to pass to *dget*.
Suggested (wget) option: --no-check-certificate
Actual (dget) option: --insecure

(HARDYCHROOT)kgoetz@hostname:~/ufw/clean$ dget https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
dget: retrieving https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
--02:55:41-- https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
           => `ufw_0.18.dsc'
Resolving launchpad.net... 91.189.90.211
Connecting to launchpad.net|91.189.90.211|:443... connected.
ERROR: Certificate verification error for launchpad.net: unable to get local issuer certificate
To connect to launchpad.net insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
dget: wget ufw_0.18.dsc https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc failed

(HARDYCHROOT)kgoetz@hostname:~/ufw/clean$ dget --no-check-certificate https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
Unknown option: no-check-certificate
dget: unrecognised option. Run dget --help for more details.

KarlGoetz (kgoetz) wrote :

When run with curl the problem is much clearer:

(HARDYCHROOT)kgoetz@fullmoon:~/ufw/clean$ dget https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
dget: retrieving https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc

curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

dget: curl ufw_0.18.dsc https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc failed

KarlGoetz (kgoetz) wrote :

The fix here is to install ca-certificates.
I'm going to re-title the bug to actually reflect what the bug should be:
"dget and dgetlp should recommend ca-certificates"

KarlGoetz (kgoetz) wrote :
KarlGoetz (kgoetz) wrote :

And the one thats less likely to be accepted ...

Jonathan Davies (jpds) wrote :

Commited to ubuntu-dev-tools trunk as of revision 189.

Thanks,
Jonathan

Changed in ubuntu-dev-tools:
assignee: nobody → jpds
importance: Undecided → Wishlist
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-dev-tools - 0.43ubuntu1

---------------
ubuntu-dev-tools (0.43ubuntu1) intrepid; urgency=low

  * Bazaar revision 195.

  [ Jonathan Patrick Davies ]
  * common.py:
    - If loading a cookie file raises an exception exit.
    - Improve cookie file writing.
    - New function: isLPTeamMember() - checks if the user is a member of the
      Launchpad team using cookies for authentication.
    - New function: packageComponent() - returns which component a package in
      Ubuntu is in.
  * requestsync:
    - Return an error when the script is unable to connect to
      packages.debian.org (LP: #261916).
    - Adapt team checking with the function above.
  * buildd:
    - Adapt privilege checking code to the new function above.
    - Check which component the package is in.

  [ Ryan Kavanagh ]
  * dgetlp.1: New manpage
  * dgetlp: fix typo in usage
  * hugdaylist.1: New manpage
  * s/requestsync/pull-lp-source/g in doc/pull-lp-source.1
  * mk-sbuild-lv.1: New manpage

  [ Karl Goetz ]
  * Add a Recommends: on ca-certificates (LP: #247157).

 -- Jonathan Patrick Davies <email address hidden> Sun, 31 Aug 2008 11:40:30 +0200

Changed in ubuntu-dev-tools:
status: Fix Committed → Fix Released
Daniel Holbach (dholbach) wrote :

Subscribing ubuntu-main-sponsors.

Alexander Sack (asac) wrote :

 < slangasek> asac: ah. well, I would argue that relying on LP SSL to verify .dsc files is the wrong trust
                   model

I think this has a point. And while using ca-certificates in recommends is probably helpful, couldnt me also make dget just print a warning and ignore certificates? Note that .dsc files are verified by gpg anyway.

Changed in devscripts:
status: New → Incomplete
Alexander Sack (asac) wrote :

unsubscribed ubuntu-main-sponsores. please resubscribe that team when you have a new patch or have a good point of pulling in ca-certificates through recommends. You can also ping me on IRC.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers