Subject: please honor ca-certificates when connecting to sources
Source: mini-buildd
Severity: wishlist
Tags: patch

When connecting via https, mini-buildd does not validate certificates
and instead generates an error.  The attached patch uses ca-certificates
to validate the source.

It might be even better if it were possible to specify the certificates
for a source explicitly.  But this patch seems like a simple and good
start.

Thanks for your work on mini-buildd!


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (1001, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- /usr/lib/python2.7/dist-packages/mini_buildd/models/source.py~      
2015-04-30 16:51:56.000000000 -0400
+++ /usr/lib/python2.7/dist-packages/mini_buildd/models/source.py       
2015-07-04 22:36:23.634922230 -0400
@@ -22,6 +22,8 @@
 from mini_buildd.models.msglog import MsgLog
 LOG = logging.getLogger(__name__)
 
+def urlopen(s):
+    return urllib2.urlopen(s, None, None, '/etc/ssl/certs/ca-certificates.crt')
 
 class Archive(mini_buildd.models.base.Model):
     url = django.db.models.URLField(primary_key=True, max_length=512,
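Review bot: passing `None` as the third positional argument of `urllib2.urlopen` in the new `urlopen` wrapper sets `timeout=None`, which replaces the default socket timeout with no timeout at all, so a stalled mirror can hang the download indefinitely; pass the bundle by keyword instead, `return urllib2.urlopen(s, cafile='/etc/ssl/certs/ca-certificates.crt')`, which keeps the default timeout and makes the intent readable. The `cafile` parameter only exists on Python 2.7.9 and later, so the wrapper should state that requirement, and a one-line docstring explaining that the system bundle is forced so that mirrors with untrusted certificates are rejected would help the next reader. PEP 8 also wants two blank lines before a module-level `def`.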
@@ -92,7 +94,7 @@
         with tempfile.NamedTemporaryFile() as release_file:
             MsgLog(LOG, request).debug("Downloading '{u}' to 
'{t}'".format(u=url, t=release_file.name))
             try:
-                release_file.write(urllib2.urlopen(url).read())
+                release_file.write(urlopen(url).read())
             except urllib2.HTTPError as e:
                 if e.code == 404:
                     MsgLog(LOG, request).debug("{a}: '404 Not Found' on 
'{u}'".format(a=self, u=url))
@@ -110,7 +112,7 @@
             # Check signature
             with tempfile.NamedTemporaryFile() as signature:
                 MsgLog(LOG, request).debug("Downloading '{u}.gpg' to 
'{t}'".format(u=url, t=signature.name))
-                signature.write(urllib2.urlopen(url + ".gpg").read())
+                signature.write(urlopen(url + ".gpg").read())
                 signature.flush()
                 gnupg.verify(signature.name, release_file.name)
 
@@ -125,7 +127,7 @@
             # just fine, but not allow to access to base URL
             # (like ourselves ;). Any archive _must_ have dists/ anyway.
             try:
-                urllib2.urlopen("{u}/dists/".format(u=self.url))
+                urlopen("{u}/dists/".format(u=self.url))
             except urllib2.HTTPError as e:
                 # Allow HTTP 4xx client errors through; these might be valid 
use cases like:
                 # 404 Usage Information: apt-cacher-ng
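Review bot: the response returned by `urlopen("{u}/dists/".format(u=self.url))` is discarded without being closed, so the HTTPS connection is left for garbage collection; assign it and call `.close()` (or use it as a context manager where available) so the probe does not hold sockets open. Separately, the `except urllib2.HTTPError` handler and the "Allow HTTP 4xx client errors" comment above it describe status codes only; with validation enabled, a mirror whose certificate the bundle does not trust now fails with `urllib2.URLError`, which is the right outcome but deserves a sentence in that comment so nobody later widens the handler and accidentally accepts an archive over an unverified connection.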
