chiark / gitweb /
TLS keys: Use ca-certificates on end user machines, introducing bug #790093 :-(
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 28 Jun 2015 15:04:13 +0000 (16:04 +0100)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 28 Jun 2015 15:04:18 +0000 (16:04 +0100)
debian/control
dgit

index 5a9d1cd..d37f5f7 100644 (file)
@@ -11,7 +11,7 @@ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=dgit-repos/repos/dgit.git
 Package: dgit
 Depends: perl, libwww-perl, libdpkg-perl, git-core, devscripts, dpkg-dev,
          ${misc:Depends}, realpath, libdigest-sha-perl, dput, curl,
-         libjson-perl
+         libjson-perl, ca-certificates
 Recommends: ssh-client
 Suggests: sbuild
 Architecture: all
diff --git a/dgit b/dgit
index eea4dbc..f6bf3a7 100755 (executable)
--- a/dgit
+++ b/dgit
@@ -450,8 +450,11 @@ our %defcfg = ('dgit.default.distro' => 'debian',
               'dgit-distro.debian.git-path' => '/dgit/debian/repos',
               'dgit-distro.debian.git-check' => 'ssh-cmd',
  'dgit-distro.debian.archive-query-url', 'https://api.ftp-master.debian.org/',
- 'dgit-distro.debian.archive-query-tls-key',
-    '/etc/ssl/certs/%HOST%.pem:/etc/dgit/%HOST%.pem',
+# 'dgit-distro.debian.archive-query-tls-key',
+#    '/etc/ssl/certs/%HOST%.pem:/etc/dgit/%HOST%.pem',
+# ^ this does not work because curl is broken nowadays
+# Fixing #790093 properly will involve providing providing the key
+# in some pacagke and maybe updating these paths.
 #
 # 'dgit-distro.debian.archive-query-tls-curl-args',
 #   '--ca-path=/etc/ssl/ca-debian',
@@ -717,7 +720,12 @@ sub archive_api_query_cmd ($) {
                fail "for $url: stat $key: $!" unless $!==ENOENT;
                next;
            }
-           push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
+           fail "config requested specific TLS key but do not know".
+               " how to get curl to use exactly that EE key ($key)";
+#          push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
+#           # Sadly the above line does not work because of changes
+#           # to gnutls.   The real fix for #790093 may involve
+#           # new curl options.
            last;
        }
        # Fixing #790093 properly will involve providing a value