From: Ian Jackson Date: Sun, 28 Jun 2015 15:04:13 +0000 (+0100) Subject: TLS keys: Use ca-certificates on end user machines, introducing bug #790093 :-( X-Git-Tag: debian/0.30~47 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=dgit.git;a=commitdiff_plain;h=1868619ffd6277eb01d676f816cba61b52083927 TLS keys: Use ca-certificates on end user machines, introducing bug #790093 :-( --- diff --git a/debian/control b/debian/control index 5a9d1cd7..d37f5f78 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=dgit-repos/repos/dgit.git Package: dgit Depends: perl, libwww-perl, libdpkg-perl, git-core, devscripts, dpkg-dev, ${misc:Depends}, realpath, libdigest-sha-perl, dput, curl, - libjson-perl + libjson-perl, ca-certificates Recommends: ssh-client Suggests: sbuild Architecture: all diff --git a/dgit b/dgit index eea4dbc5..f6bf3a7c 100755 --- a/dgit +++ b/dgit @@ -450,8 +450,11 @@ our %defcfg = ('dgit.default.distro' => 'debian', 'dgit-distro.debian.git-path' => '/dgit/debian/repos', 'dgit-distro.debian.git-check' => 'ssh-cmd', 'dgit-distro.debian.archive-query-url', 'https://api.ftp-master.debian.org/', - 'dgit-distro.debian.archive-query-tls-key', - '/etc/ssl/certs/%HOST%.pem:/etc/dgit/%HOST%.pem', +# 'dgit-distro.debian.archive-query-tls-key', +# '/etc/ssl/certs/%HOST%.pem:/etc/dgit/%HOST%.pem', +# ^ this does not work because curl is broken nowadays +# Fixing #790093 properly will involve providing providing the key +# in some pacagke and maybe updating these paths. # # 'dgit-distro.debian.archive-query-tls-curl-args', # '--ca-path=/etc/ssl/ca-debian', 
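Review bot: The comment added in the `dgit` `%defcfg` hunk, where the default `dgit-distro.debian.archive-query-tls-key` entry is commented out, does not say what the default now is. With no key configured, the query to `https://api.ftp-master.debian.org/` is presumably verified against the whole system CA store (the commit adds `ca-certificates` to Depends) rather than one pinned certificate. I would state that in the comment, e.g. `# Until #790093 is fixed, the archive query trusts any CA in the system store.` The same comment has two typos, "providing providing" and "pacagke", and "curl is broken nowadays" is vaguer than the gnutls explanation given in `archive_api_query_cmd`. The `%defcfg` initialiser starts and ends outside the hunk.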
@@ -717,7 +720,12 @@ sub archive_api_query_cmd ($) {
 fail "for $url: stat $key: $!" unless $!==ENOENT;
 next;
 }
- push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
+ fail "config requested specific TLS key but do not know".
+ " how to get curl to use exactly that EE key ($key)";
+# push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
+# # Sadly the above line does not work because of changes
+# # to gnutls. The real fix for #790093 may involve
+# # new curl options.
 last;
 }
 # Fixing #790093 properly will involve providing a value
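Review bot: The new `fail` is reached only when the `stat` of `$key` succeeds; when every configured path is missing, the `ENOENT` branch still does `next`, and as far as this hunk shows the loop then ends without pinning anything. Now that the built-in default is gone, any `archive-query-tls-key` value is one the user set, so that case looks like a silent fallback to the system CA store rather than an error. I would warn or fail when a key was configured but no candidate file was found, and name the config key and #790093 in the message so the user knows which setting to remove. The loop header and the rest of `archive_api_query_cmd` lie outside the hunk, so the fall-through is inferred and should be confirmed against the full function.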