Your message dated Sun, 15 Jan 2017 19:48:30 +0000
with message-id <[email protected]>
and subject line Bug#826694: fixed in duck 0.12
has caused the Debian Bug report #826694,
regarding duck: Should not suggest a switch from HTTP to HTTPS if SSL certificate is not verifiable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
826694: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826694
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: duck
Version: 0.9
Severity: normal

Dear Maintainer,

http://repo.or.cz/ is one of the earliest, if not the earliest, free Git
hosters.

Some Debian packages refer to code hosted on that website.

The website is also reachable at https://repo.or.cz/, hence duck complains
about not using HTTPS:

I: debian/control: Vcs-Browser: http://repo.or.cz/w/conkeror.git: INFORMATION (Certainty:certain)
   The web page at http://repo.or.cz/w/conkeror.git works, but is also available via https://repo.or.cz/w/conkeror.git, please consider switching to HTTPS urls.

I: debian/copyright:4: URL: http://repo.or.cz/w/conkeror.git: INFORMATION (Certainty:possible)
   The web page at http://repo.or.cz/w/conkeror.git works, but is also available via https://repo.or.cz/w/conkeror.git, please consider switching to HTTPS urls.

But it uses a self-signed SSL certificate for HTTPS, and hence the
suggested URLs cause a fat warning in every web browser and also in
OpenSSL:

$ echo QUIT | openssl s_client -connect repo.or.cz:443 | openssl x509 -in /dev/stdin -noout -text
depth=1 serialNumber = 6a:ac:44:8f:07:1d:57:0a:1c:cf:12:a2:a7:8f:29:b9:c0:ed:cc:d7, CN = girocco rorcz root certificate
verify error:num=19:self signed certificate in certificate chain
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:27:b4:05:67:14:75:a2:bd:e1:e6:9f:61:ea:48:53:de:48:a6:e8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: serialNumber=6a:ac:44:8f:07:1d:57:0a:1c:cf:12:a2:a7:8f:29:b9:c0:ed:cc:d7, CN=girocco rorcz root certificate
        Validity
            Not Before: Aug 11 00:00:00 1997 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: CN=repo.or.cz
[…]

IMHO, duck should only suggest switching to HTTPS if the SSL certificate
in use can be verified against the CA certificates shipped in the
ca-certificates package. For local runs of duck, probably only those
certificates should be taken into account which are verifiable by the
_enabled_ certificates from ca-certificates.

It's probably debatable whether sites with SSL certificates verifiable
only with the ca-cacert package installed, or sites with a self-signed
certificate verifiable via TLSA/DANE, should cause such a warning or not.
I tend to say no here, too.

-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages duck depends on:
ii  devscripts                           2.16.5
ii  dpkg-dev                             1.18.7
ii  libconfig-inifiles-perl              2.89-1
ii  libconfig-simple-perl                4.59-6
ii  libdomain-publicsuffix-perl          0.10-1
ii  libfile-which-perl                   1.21-1
ii  libmailtools-perl                    2.13-1
ii  libnet-dns-perl                      1.05-2
ii  libparse-debcontrol-perl             2.005-4
ii  libpath-class-perl                   0.36-1
ii  libregexp-common-email-address-perl  1.01-4
ii  libregexp-common-perl                2016060201-1
ii  libstring-similarity-perl            1.04-1+b3
ii  libwww-curl-perl                     4.17-2+b1
ii  libxml-xpath-perl                    1.36-1
ii  libyaml-libyaml-perl                 0.41-6+b1
ii  lynx                                 2.8.9dev9-1
ii  perl                                 5.22.2-1
ii  publicsuffix                         20160525-1

duck recommends no packages.

Versions of packages duck suggests:
ii  bzr         2.7.0-7
ii  git         1:2.8.1-1
ii  mercurial   3.8.3-1
ii  subversion  1.9.4-1

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: duck
Source-Version: 0.12

We believe that the bug you reported is fixed in the latest version of
duck, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Kainz <[email protected]> (supplier of updated duck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 12 Dec 2016 21:35:55 +0100
Source: duck
Binary: duck
Architecture: source all
Version: 0.12
Distribution: unstable
Urgency: low
Maintainer: Simon Kainz <[email protected]>
Changed-By: Simon Kainz <[email protected]>
Description:
 duck       - checks URLs in debian/control and debian/upstream files
Closes: 826694 834520 838167 838169 843948
Changes:
 duck (0.12) unstable; urgency=low
 .
   * Run checks in parallel.
 .
   * Add new parameter --tasks to specify how many checks may be
     started in parallel - Default value is 24.
 .
   * Do not show colors on dumb terminals (e.g. M-x shell in Emacs)
     (Closes: #843948)
 .
   * Do not use hardcoded /tmp/... path for temporary directories
     (Closes: #838169)
 .
   * Fix parsing of appstream-metadata files, handle screenshot elements
     with additional data. (Closes: #838167)
 .
   * Fix possible include path issues during build time.
     Thanks to Dominic Hargreaves <[email protected]> for the patch.
     (Closes: #834520)
 .
   * Verify SSL certificates against ca-certificates. (Closes: #826694)
 .
   * Add new command line option --no-check-certificate to enable ignoring
     SSL failures on browser-style checks. (Closes: #826694)
Checksums-Sha1:
 e23054fa12b699ac8e1bb8469dd98ec545b63fbc 1882 duck_0.12.dsc
 4184ea76c95b95902fab8c7f09797a0e27d3903a 388188 duck_0.12.tar.xz
 6485ac07fc0d645948f955d67119cb9659dac974 22354 duck_0.12_all.deb
Checksums-Sha256:
 9fa3d71c9d59a8f0e8326d441599fa1cf7a5d1e9377d00dc92bfc495cfbef195 1882 duck_0.12.dsc
 fdd628ad6cc42b08daad6884347d0a90fe9a62083f10b62e05497efcb7b6f8c3 388188 duck_0.12.tar.xz
 cafe280f970e6891d5ee64d8ade71318aa00ae487c7850814a664de9df275df4 22354 duck_0.12_all.deb
Files:
 bf56c28f921c35894b929acdfb00ad07 1882 devel optional duck_0.12.dsc
 4d593262f0f8bc38eaa12d776a4cc04b 388188 devel optional duck_0.12.tar.xz
 809d4f4d584c28dd89ef9f75b6f3adbc 22354 devel optional duck_0.12_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
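The policy the report asks for, and which the 0.12 changelog says it implements ("Verify SSL certificates against ca-certificates" plus --no-check-certificate), is shown here as an added Python example. It is not duck's own code (duck is written in Perl) and it does not mirror duck's internals; the function names, the three outcome labels, and the rule that the HTTPS probe uses the URL's own port (default 443) are assumptions of this example. What it demonstrates is the distinction the bug is about: an HTTPS endpoint that answers but whose chain does not verify (the OpenSSL "verify error:num=19:self signed certificate in certificate chain" at depth=1 in the report, i.e. a chain that ends in a root the trust store does not contain) must not produce a "please switch to HTTPS" suggestion, while an endpoint that does not speak TLS at all is reported as such rather than as a certificate problem. With no cafile given, Python's ssl module uses OpenSSL's default CA locations, which on Debian is /etc/ssl/certs, and update-ca-certificates only links the roots that are enabled in ca-certificates there, so the default trust store already matches the "enabled certificates only" request for local runs.

```python
"""Added example (not duck's own code): decide per http:// URL whether an
https:// variant may be suggested, based on a verifying TLS probe.

Outcomes of probing the HTTPS side of a URL (labels are this example's own):
  OK           handshake succeeded under the configured verification
  UNVERIFIABLE server speaks TLS but the chain/hostname does not verify
               (OpenSSL X509 verify error 19 in the report falls here)
  UNREACHABLE  no TLS endpoint (connection refused, timeout, DNS failure)
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit

OK = "ok"
UNVERIFIABLE = "unverifiable"
UNREACHABLE = "unreachable"


def classify_tls_failure(exc):
    """Map an exception raised while probing HTTPS onto one outcome.

    Order matters: ssl.SSLError is itself a subclass of OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return UNVERIFIABLE                  # chain or hostname not trusted
    if isinstance(exc, ssl.SSLError):
        return UNVERIFIABLE                  # other handshake failure
    if isinstance(exc, OSError):             # refused, timeout, DNS, ...
        return UNREACHABLE
    raise exc                                # not a network problem at all


def probe_https(host, port=443, timeout=10.0, cafile=None, check_certificate=True):
    """Connect with TLS to host:port and return (outcome, detail).

    cafile=None means the platform default store (on Debian: the enabled
    roots from ca-certificates in /etc/ssl/certs). check_certificate=False
    disables chain and hostname validation, the behaviour the changelog
    attaches to --no-check-certificate: a reachable endpoint then counts as
    OK even if its chain would not verify.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not check_certificate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return OK, f"{tls.version()} handshake with {host}"
    except Exception as exc:
        detail = f"{type(exc).__name__}: {exc}"
        code = getattr(exc, "verify_code", None)   # OpenSSL X509 code, e.g. 19
        if code is not None:
            detail = f"verify error {code}: {getattr(exc, 'verify_message', '')}"
        return classify_tls_failure(exc), detail


def suggest_https(url, outcome):
    """Apply the policy to one URL; returns (https_url_or_None, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None, "not an http:// URL, nothing to suggest"
    https_url = parts._replace(scheme="https").geturl()
    if outcome == OK:
        return https_url, "HTTPS works and the certificate verifies"
    if outcome == UNVERIFIABLE:
        return None, "HTTPS answers but the certificate is not verifiable; keep http://"
    return None, "no HTTPS endpoint"


def check_url(url, check_certificate=True, cafile=None):
    """Probe the HTTPS variant of an http:// URL; returns (suggestion, reason, detail)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return suggest_https(url, UNREACHABLE) + (None,)
    # Assumption of this example: same host and port as the http:// URL, 443 if unset.
    outcome, detail = probe_https(parts.hostname, parts.port or 443,
                                  cafile=cafile, check_certificate=check_certificate)
    suggestion, reason = suggest_https(url, outcome)
    return suggestion, reason, detail


if __name__ == "__main__":
    # Usage: python3 check_https.py [--no-check-certificate] URL...
    args = sys.argv[1:]
    verify = "--no-check-certificate" not in args
    for url in (a for a in args if not a.startswith("--")):
        suggestion, reason, detail = check_url(url, check_certificate=verify)
        line = f"{url}: {reason}"
        if suggestion:
            line += f", consider {suggestion}"
        print(line + (f" ({detail})" if detail else ""))
```

Run against the URL from the report it would, with a default trust store, classify https://repo.or.cz/w/conkeror.git as unverifiable and print no suggestion; with --no-check-certificate the same endpoint is accepted and the https:// URL is suggested, which is exactly the opt-in the changelog describes. Hostname verification stays on whenever the chain is checked, so a chain that verifies but was issued for a different name is also not suggested.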
