Re: [PATCH v2 1/4] Build system: Replace git:// and http:// with https://





On Thu, Feb 9, 2023 at 3:05 PM Anthony PERARD <anthony.perard@xxxxxxxxxx> wrote:
On Thu, Feb 09, 2023 at 02:01:52PM +0000, George Dunlap wrote:
> On Wed, Feb 8, 2023 at 8:58 PM Demi Marie Obenour <
> demi@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > Obtaining code over an insecure transport is a terrible idea for
> > blatantly obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> >
> > This patch enforces the use of secure transports in the build system.
> >
> > Signed-off-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
> >
>
> Hey Demi,
>
> Thanks for this series -- we definitely want the build system to use secure
> transports when available.  Can you confirm that you've tested the "+s"
> versions of all the URLs in this patch, and verified that they actually
> work?

:'(   -> https://gitlab.com/xen-project/patchew/xen/-/pipelines/771746628/

Our GitLab tests are very unhappy with the switch to TLS. Too many
containers aren't recent enough, and don't have the right certificates
(Let's Encrypt I guess).

I've only looked at two failures:
    ubuntu-focal-clang:
        fatal: unable to access 'https://xenbits.xen.org/git-http/qemu-xen.git/': server certificate verification failed. CAfile: none CRLfile: none
    ubuntu-xenial-gcc:
        ERROR: cannot verify xenbits.xen.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':

I'll try to have a look at updating those containers.

Just to clarify: This isn't an argument against the patch; only perhaps an argument to delay it being checked in until we get the containers fixed.

Another advantage of this patch may be that it will naturally prod us to update the containers whenever the root certificates expire. :-D

 -George 
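
The two failure lines quoted above come from different clients (git and wget) and have different shapes. The following is an added example, not part of the original message or of the Xen build system: a small log triage that extracts the job, host and reported issuer from both formats, so a full pipeline log can be reduced to the list of containers that cannot verify a given host. The `job: message` line prefix, the `example-passing-job` line and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the two error lines quoted in the thread, prefixed with
# their CI job names, plus one made-up passing job for contrast.
SAMPLE_LOG = r"""
ubuntu-focal-clang: fatal: unable to access 'https://xenbits.xen.org/git-http/qemu-xen.git/': server certificate verification failed. CAfile: none CRLfile: none
ubuntu-xenial-gcc: ERROR: cannot verify xenbits.xen.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
example-passing-job: Cloning into 'qemu-xen'...
"""

# git failure: the URL, then the CA/CRL files the client reports.
GIT_RE = re.compile(
    r"unable to access 'https://(?P<host>[^/']+)[^']*': "
    r"server certificate verification failed\. "
    r"CAfile: (?P<cafile>\S+) CRLfile: (?P<crlfile>\S+)")
# wget failure: host, then the issuer DN in single quotes (\' is an escaped quote).
WGET_RE = re.compile(
    r"cannot verify (?P<host>[^\s']+)'s certificate, "
    r"issued by '(?P<issuer>(?:\\.|[^'\\])*)'")

def parse_line(line):
    """Return a dict describing a TLS verification failure, or None."""
    job, sep, msg = line.partition(": ")
    if not sep:
        return None
    m = GIT_RE.search(msg)
    if m:
        return {"job": job, "tool": "git", "host": m["host"],
                "cafile": m["cafile"], "issuer": None}
    m = WGET_RE.search(msg)
    if m:
        return {"job": job, "tool": "wget", "host": m["host"], "cafile": None,
                "issuer": m["issuer"].replace("\\'", "'")}
    return None

def failing_jobs_by_host(log_text):
    """Map each HTTPS host to the sorted CI jobs that could not verify it."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line.strip())
        if hit:
            hosts[hit["host"]].add(hit["job"])
    return {h: sorted(j) for h, j in hosts.items()}

if __name__ == "__main__":
    for host, jobs in failing_jobs_by_host(SAMPLE_LOG).items():
        print(host, "->", ", ".join(jobs))
```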

 

