Ubuntu
devscripts package

dget/dgetlp should have ca-certificates in their Recommends field.

Bug #247157 reported by KarlGoetz
6
Affects Status Importance Assigned to Milestone
devscripts (Ubuntu)
Incomplete
Undecided
Unassigned
ubuntu-dev-tools (Ubuntu)
Fix Released
Wishlist
Jonathan Davies

Bug Description

Binary package hint: devscripts

When running dget on a host with bad ssl, you receive an error. in the error message an option is suggested to fix the problem. its actually the option to pass to *wget*, not to pass to *dget*.
Suggested (wget) option: --no-check-certificate
Actual (dget) option: --insecure

(HARDYCHROOT)kgoetz@hostname:~/ufw/clean$ dget https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
dget: retrieving https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
--02:55:41-- https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
           => `ufw_0.18.dsc'
Resolving launchpad.net... 91.189.90.211
Connecting to launchpad.net|91.189.90.211|:443... connected.
ERROR: Certificate verification error for launchpad.net: unable to get local issuer certificate
To connect to launchpad.net insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
dget: wget ufw_0.18.dsc https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc failed

(HARDYCHROOT)kgoetz@hostname:~/ufw/clean$ dget --no-check-certificate https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
Unknown option: no-check-certificate
dget: unrecognised option. Run dget --help for more details.

Revision history for this message
KarlGoetz (kgoetz) wrote :

When run with curl the problem is much clearer:

(HARDYCHROOT)kgoetz@fullmoon:~/ufw/clean$ dget https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc
dget: retrieving https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc

curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

dget: curl ufw_0.18.dsc https://launchpad.net/ubuntu/intrepid/+source/ufw/0.18/+files/ufw_0.18.dsc failed

Revision history for this message
KarlGoetz (kgoetz) wrote :

The fix here is to install ca-certificates.
I'm going to re-title the bug to actually reflect what the bug should be:
"dget and dgetlp should recommend ca-certificates"

Revision history for this message
KarlGoetz (kgoetz) wrote :
Revision history for this message
KarlGoetz (kgoetz) wrote :

And the one thats less likely to be accepted ...

Revision history for this message
Jonathan Davies (jpds) wrote :

Commited to ubuntu-dev-tools trunk as of revision 189.

Thanks,
Jonathan

Changed in ubuntu-dev-tools:
assignee: nobody → jpds
importance: Undecided → Wishlist
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-dev-tools - 0.43ubuntu1

---------------
ubuntu-dev-tools (0.43ubuntu1) intrepid; urgency=low

  * Bazaar revision 195.

  [ Jonathan Patrick Davies ]
  * common.py:
    - If loading a cookie file raises an exception exit.
    - Improve cookie file writing.
    - New function: isLPTeamMember() - checks if the user is a member of the
      Launchpad team using cookies for authentication.
    - New function: packageComponent() - returns which component a package in
      Ubuntu is in.
  * requestsync:
    - Return an error when the script is unable to connect to
      packages.debian.org (LP: #261916).
    - Adapt team checking with the function above.
  * buildd:
    - Adapt privilege checking code to the new function above.
    - Check which component the package is in.

  [ Ryan Kavanagh ]
  * dgetlp.1: New manpage
  * dgetlp: fix typo in usage
  * hugdaylist.1: New manpage
  * s/requestsync/pull-lp-source/g in doc/pull-lp-source.1
  * mk-sbuild-lv.1: New manpage

  [ Karl Goetz ]
  * Add a Recommends: on ca-certificates (LP: #247157).

 -- Jonathan Patrick Davies <email address hidden> Sun, 31 Aug 2008 11:40:30 +0200

Changed in ubuntu-dev-tools:
status: Fix Committed → Fix Released
Revision history for this message
Daniel Holbach (dholbach) wrote :

Subscribing ubuntu-main-sponsors.

Revision history for this message
Alexander Sack (asac) wrote :

 < slangasek> asac: ah. well, I would argue that relying on LP SSL to verify .dsc files is the wrong trust
                   model

I think this has a point. And while using ca-certificates in recommends is probably helpful, couldnt me also make dget just print a warning and ignore certificates? Note that .dsc files are verified by gpg anyway.

Changed in devscripts:
status: New → Incomplete
Revision history for this message
Alexander Sack (asac) wrote :

unsubscribed ubuntu-main-sponsores. please resubscribe that team when you have a new patch or have a good point of pulling in ca-certificates through recommends. You can also ping me on IRC.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.