From: George Dunlap
Date: Thu, 9 Feb 2023 16:04:57 +0000
Subject: Re: [PATCH v2 1/4] Build system: Replace git:// and http:// with https://
To: Anthony PERARD
Cc: Demi Marie Obenour, xen-devel@lists.xenproject.org, Andrew Cooper, George Dunlap, Jan Beulich, Julien Grall, Stefano Stabellini, Wei Liu, Samuel Thibault
References: <75d91def8234bceb41548147ee8af5fea52bd1d6.1675889602.git.demi@invisiblethingslab.com>
List-Id: Xen developer discussion
On Thu, Feb 9, 2023 at 3:05 PM Anthony PERARD wrote:
> On Thu, Feb 09, 2023 at 02:01:52PM +0000, George Dunlap wrote:
> > On Wed, Feb 8, 2023 at 8:58 PM Demi Marie Obenour <demi@invisiblethingslab.com> wrote:
> >
> > > Obtaining code over an insecure transport is a terrible idea for
> > > blatantly obvious reasons.  Even for non-executable data, insecure
> > > transports are considered deprecated.
> > >
> > > This patch enforces the use of secure transports in the build system.
> > >
> > > Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
> >
> > Hey Demi,
> >
> > Thanks for this series -- we definitely want the build system to use secure
> > transports when available.  Can you confirm that you've tested the "+s"
> > versions of all the URLs in this patch, and verified that they actually
> > work?
>
> :'(   -> https://gitlab.com/xen-project/patchew/xen/-/pipelines/771746628/
>
> Our GitLab tests are very unhappy with the switch to TLS. Too many
> containers aren't recent enough, and don't have the right certificates
> (Let's encrypt I guess).
>
> I've only looked at two failures:
>     ubuntu-focal-clang:
>         fatal: unable to access 'https://xenbits.xen.org/git-http/qemu-xen.git/': server certificate verification failed. CAfile: none CRLfile: none
>     ubuntu-xenial-gcc:
>         ERROR: cannot verify xenbits.xen.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
>
> I'll try to have a look at updating those containers.

Just to clarify: This isn't an argument against the patch; only perhaps an argument to delay it being checked in until we get the containers fixed.

Another advantage of this patch may be that it will naturally prod us to update the containers whenever the root certificates expire. :-D

 -George
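Two pre-flight checks for the transport switch discussed in this thread, as an added example that is not part of the patch or of any post in the thread: a scan of a Makefile-style config for remaining git:// and http:// URLs with their https form, and a check of the local trust store for the Let's Encrypt root (ISRG Root X1) that the failing containers lack. The sample config and the /git-http/ path mapping for xenbits.xen.org (modelled on the URL in the error output above) are assumptions.

```python
"""Pre-flight checks for a git:// / http:// -> https:// build-system switch.
Added example for the thread above; not part of the Xen patch or its CI."""
import re
import ssl

INSECURE_URL = re.compile(r"\b(git|http)://([^\s'\"]+)")


def secure_form(scheme: str, rest: str) -> str:
    """Suggest the https:// form of an insecure URL.
    git:// carries no encryption and http:// no server authentication; both
    become https://. The /git-http/ prefix for xenbits.xen.org is an
    assumption modelled on the URL in the thread's error output; each
    rewritten URL still has to be fetched once to confirm it works."""
    host, _, path = rest.partition("/")
    if scheme == "git" and host == "xenbits.xen.org" and not path.startswith("git-http/"):
        path = "git-http/" + path
    return f"https://{host}/{path}"


def find_insecure_urls(config_text: str):
    """Return (line_no, insecure_url, suggested_url) for each git:// or
    http:// URL found in Makefile-style config text."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        for m in INSECURE_URL.finditer(line):
            hits.append((n, m.group(0), secure_form(m.group(1), m.group(2))))
    return hits


def trust_store_has_root(common_name: str, ca_certs=None) -> bool:
    """True if a CA with this subject CN is in the trust store. `ca_certs`
    (a list shaped like SSLContext.get_ca_certs()) can be passed for an
    offline check; otherwise the process's default CA store is loaded.
    A container answering False for 'ISRG Root X1' fails like the jobs above."""
    if ca_certs is None:
        ca_certs = ssl.create_default_context().get_ca_certs()
    return any(("commonName", common_name) in rdn
               for cert in ca_certs for rdn in cert.get("subject", ()))


# Constructed sample in the style of Xen's Config.mk (not the real file).
SAMPLE_CONFIG = """\
QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-xen.git
MINIOS_UPSTREAM_URL ?= http://xenbits.xen.org/git-http/mini-os.git
OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git
"""

if __name__ == "__main__":
    for n, bad, good in find_insecure_urls(SAMPLE_CONFIG):
        print(f"line {n}: {bad} -> {good}")
    print("ISRG Root X1 trusted:", trust_store_has_root("ISRG Root X1"))
```

Run inside the CI container image itself: a False for the root CA means git and wget will fail certificate verification there regardless of how the URLs are rewritten.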