GNU bug report logs - #18860
24.4; packages don't download consistently from https

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs; Reported by: Nic Ferrier <nferrier@HIDDEN>; Keywords: unreproducible; dated Mon, 27 Oct 2014 23:18:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Added tag(s) unreproducible. Request was from Noam Postavsky <npostavs@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 18860 <at> debbugs.gnu.org:


Received: (at 18860) by debbugs.gnu.org; 4 Nov 2014 21:20:00 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 04 16:20:00 2014
Received: from localhost ([127.0.0.1]:49268 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1XllWC-0005Xz-9J
	for submit <at> debbugs.gnu.org; Tue, 04 Nov 2014 16:20:00 -0500
Received: from mail-qa0-f50.google.com ([209.85.216.50]:46374)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <tzz@HIDDEN>) id 1XllW9-0005Xp-PZ
 for 18860 <at> debbugs.gnu.org; Tue, 04 Nov 2014 16:19:58 -0500
Received: by mail-qa0-f50.google.com with SMTP id bm13so8947012qab.9
 for <18860 <at> debbugs.gnu.org>; Tue, 04 Nov 2014 13:19:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google;
 h=from:to:cc:subject:organization:references:mail-copies-to
 :gmane-reply-to-list:date:in-reply-to:message-id:user-agent
 :mime-version:content-type;
 bh=2nZ3BUA9/1NWQ1Xa6a+4/2AGJPb+h2Z+0jwqhFRQHgk=;
 b=Re8tg0KbvDlICW+PKc65fdAc/n843fOYGmNIEhwrOHkkKTb6BlkVcQ8H7z2zrdxrbq
 xNHOh1nWJSB3eH1QRXyY3AByk4vghfclahxcKBRr4zKicrsZ44F2UmOc309HjCszbMvs
 bZ8p9yfTXQK/VtN14sV3A/0TlLmMivVeTRoPk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:organization:references
 :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id
 :user-agent:mime-version:content-type;
 bh=2nZ3BUA9/1NWQ1Xa6a+4/2AGJPb+h2Z+0jwqhFRQHgk=;
 b=fb9xkjOJAfDZScygjpGks4/7bwTmHiXvz3bllXetyyZFOHR8FzSXy4WD8ExhbCslTv
 RqK13QaglFfMc0zdLQqpPwf5sCoAo/C7q84A0TJ0y+h4QD9fHW0M8jAK8YdQ02tiQcUe
 RDYXgh8LQXL9B4ZQOmLRnDjHCof7/8/y2/EDRxsv9eZSl5HamTRY+r+RxmXVIEbOG3lq
 KTkrwSEF9MzCWCsMh+fEQ9KLy/xjlEwBtGnxRprkz2OgzV06Xha4zZwjMPE/l7c7SFp+
 7MS4R8Qf/OU3D/cdWSkT+X+mm101st4xiQP2OWBrT9Xlvc+EXNtr8DgGhHyNnizh/Ctl
 azBw==
X-Gm-Message-State: ALoCoQlWHVzyUAjPtzUIvdd0Gddf6JZNMitt2l+uxt5OGFEo6/jGFpe5R4SAyMEKJN9GVH4v8j5V
X-Received: by 10.224.130.135 with SMTP id t7mr9117858qas.95.1415135997347;
 Tue, 04 Nov 2014 13:19:57 -0800 (PST)
Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72])
 by mx.google.com with ESMTPSA id w66sm1365620qgw.44.2014.11.04.13.19.56
 for <multiple recipients>
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
 Tue, 04 Nov 2014 13:19:56 -0800 (PST)
From: Ted Zlatanov <tzz@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#18860: 24.4; packages don't download consistently from https
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <874mupf6hs.fsf@HIDDEN>
 <jwvd29dcaag.fsf-monnier+emacsbugs@HIDDEN>
 <mvm38a8r42x.fsf@HIDDEN>
 <jwvr3xsb9av.fsf-monnier+emacsbugs@HIDDEN>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
 d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
 D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Tue, 04 Nov 2014 16:20:11 -0500
In-Reply-To: <jwvr3xsb9av.fsf-monnier+emacsbugs@HIDDEN> (Stefan Monnier's
 message of "Tue, 28 Oct 2014 09:42:44 -0400")
Message-ID: <878ujq64tw.fsf@HIDDEN>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 18860
Cc: 18860 <at> debbugs.gnu.org, Andreas Schwab <schwab@HIDDEN>,
 Nic Ferrier <nferrier@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Tue, 28 Oct 2014 09:42:44 -0400 Stefan Monnier <monnier@HIDDEN> wrote: 

>>> This said, I haven't managed to reproduce the problem since, so
>>> I haven't been able to dig any further.  And in any case I'm not
>>> familiar enough with the HTTP protocol to be of much use there.
>> I don't think this has anything to do with the HTTP protocol.  We just
>> need to find the place and condition where a non-TLS connection is
>> opened to the https port.

SM> Right.  Maybe M-x trace-function RET open-network-stream RET
SM> will give better hints.

I ran the test with "emacs -q" and only saw connections to
"marmalade-repo.org:443". I'd love to find a way to replicate.

Thanks
Ted




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#18860; Package emacs. Full text available.

Message received at 18860 <at> debbugs.gnu.org:


Received: (at 18860) by debbugs.gnu.org; 28 Oct 2014 13:42:57 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 28 09:42:57 2014
Received: from localhost ([127.0.0.1]:37370 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Xj732-0000e9-KN
	for submit <at> debbugs.gnu.org; Tue, 28 Oct 2014 09:42:56 -0400
Received: from ironport2-out.teksavvy.com ([206.248.154.181]:59038)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Xj72z-0000du-ER
 for 18860 <at> debbugs.gnu.org; Tue, 28 Oct 2014 09:42:54 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvAMAOatTlRFpY87/2dsb2JhbABcgw5Ugw6GfstTBAICgRwXAQF8hAMBAQMBViMQCzQSFBgNJIhLCctyAQEBAQYBAQEBHpEIB4RLBbIggW+EFCGCegEBAQ
X-IPAS-Result: AvAMAOatTlRFpY87/2dsb2JhbABcgw5Ugw6GfstTBAICgRwXAQF8hAMBAQMBViMQCzQSFBgNJIhLCctyAQEBAQYBAQEBHpEIB4RLBbIggW+EFCGCegEBAQ
X-IronPort-AV: E=Sophos;i="5.04,797,1406606400"; d="scan'208";a="95416327"
Received: from 69-165-143-59.dsl.teksavvy.com (HELO pastel.home)
 ([69.165.143.59])
 by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA;
 28 Oct 2014 09:42:44 -0400
Received: by pastel.home (Postfix, from userid 20848)
 id 4549D62B8; Tue, 28 Oct 2014 09:42:44 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: Andreas Schwab <schwab@HIDDEN>
Subject: Re: bug#18860: 24.4; packages don't download consistently from https
Message-ID: <jwvr3xsb9av.fsf-monnier+emacsbugs@HIDDEN>
References: <874mupf6hs.fsf@HIDDEN>
 <jwvd29dcaag.fsf-monnier+emacsbugs@HIDDEN>
 <mvm38a8r42x.fsf@HIDDEN>
Date: Tue, 28 Oct 2014 09:42:44 -0400
In-Reply-To: <mvm38a8r42x.fsf@HIDDEN> (Andreas Schwab's message of
 "Tue, 28 Oct 2014 09:28:06 +0100")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 18860
Cc: 18860 <at> debbugs.gnu.org, Nic Ferrier <nferrier@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.3 (/)

>> This said, I haven't managed to reproduce the problem since, so
>> I haven't been able to dig any further.  And in any case I'm not
>> familiar enough with the HTTP protocol to be of much use there.
> I don't think this has anything to do with the HTTP protocol.  We just
> need to find the place and condition where a non-TLS connection is
> opened to the https port.

Right.  Maybe M-x trace-function RET open-network-stream RET
will give better hints.


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#18860; Package emacs. Full text available.

Message received at 18860 <at> debbugs.gnu.org:


Received: (at 18860) by debbugs.gnu.org; 28 Oct 2014 08:28:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 28 04:28:13 2014
Received: from localhost ([127.0.0.1]:37167 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Xj28S-0005k2-L7
	for submit <at> debbugs.gnu.org; Tue, 28 Oct 2014 04:28:13 -0400
Received: from cantor2.suse.de ([195.135.220.15]:40881 helo=mx2.suse.de)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <schwab@HIDDEN>) id 1Xj28P-0005jt-C0
 for 18860 <at> debbugs.gnu.org; Tue, 28 Oct 2014 04:28:10 -0400
Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])
 by mx2.suse.de (Postfix) with ESMTP id 66FBEAB43;
 Tue, 28 Oct 2014 08:28:07 +0000 (UTC)
From: Andreas Schwab <schwab@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#18860: 24.4; packages don't download consistently from https
References: <874mupf6hs.fsf@HIDDEN>
 <jwvd29dcaag.fsf-monnier+emacsbugs@HIDDEN>
X-Yow: I think I am an overnight sensation right now!!
Date: Tue, 28 Oct 2014 09:28:06 +0100
In-Reply-To: <jwvd29dcaag.fsf-monnier+emacsbugs@HIDDEN> (Stefan Monnier's
 message of "Mon, 27 Oct 2014 20:46:55 -0400")
Message-ID: <mvm38a8r42x.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -5.6 (-----)
X-Debbugs-Envelope-To: 18860
Cc: 18860 <at> debbugs.gnu.org, Nic Ferrier <nferrier@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.6 (-----)

Stefan Monnier <monnier@HIDDEN> writes:

> This said, I haven't managed to reproduce the problem since, so
> I haven't been able to dig any further.  And in any case I'm not
> familiar enough with the HTTP protocol to be of much use there.

I don't think this has anything to do with the HTTP protocol.  We just
need to find the place and condition where a non-TLS connection is
opened to the https port.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@HIDDEN
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#18860; Package emacs. Full text available.

Message received at 18860 <at> debbugs.gnu.org:


Received: (at 18860) by debbugs.gnu.org; 28 Oct 2014 00:47:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 27 20:47:04 2014
Received: from localhost ([127.0.0.1]:37069 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1XiuwC-0002Pp-7m
	for submit <at> debbugs.gnu.org; Mon, 27 Oct 2014 20:47:04 -0400
Received: from ironport2-out.teksavvy.com ([206.248.154.181]:49444)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Xiuw9-0002PL-T2
 for 18860 <at> debbugs.gnu.org; Mon, 27 Oct 2014 20:47:02 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvAMAOatTlRFpY87/2dsb2JhbABcgw5Ugw6GfstTBAICgRwXAQF8hAMBAQMBViMFCwsOJhIUGA0kiEsJy3IBAQEBBgEBAQEekQgHhEsFnxKQfYIRgW+EFCGCegEBAQ
X-IPAS-Result: AvAMAOatTlRFpY87/2dsb2JhbABcgw5Ugw6GfstTBAICgRwXAQF8hAMBAQMBViMFCwsOJhIUGA0kiEsJy3IBAQEBBgEBAQEekQgHhEsFnxKQfYIRgW+EFCGCegEBAQ
X-IronPort-AV: E=Sophos;i="5.04,797,1406606400"; d="scan'208";a="95372535"
Received: from 69-165-143-59.dsl.teksavvy.com (HELO pastel.home)
 ([69.165.143.59])
 by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA;
 27 Oct 2014 20:46:56 -0400
Received: by pastel.home (Postfix, from userid 20848)
 id D2C187CF7; Mon, 27 Oct 2014 20:46:55 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: Nic Ferrier <nferrier@HIDDEN>
Subject: Re: bug#18860: 24.4; packages don't download consistently from https
Message-ID: <jwvd29dcaag.fsf-monnier+emacsbugs@HIDDEN>
References: <874mupf6hs.fsf@HIDDEN>
Date: Mon, 27 Oct 2014 20:46:55 -0400
In-Reply-To: <874mupf6hs.fsf@HIDDEN> (Nic Ferrier's message of "Mon, 27
 Oct 2014 23:16:47 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 18860
Cc: 18860 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.3 (/)

> Emacs 24.4's package system does something odd when the archive is on
> HTTPS.
> It seems as if dependencies are downloaded through HTTPS but the main
> package is attempted to be downloaded through HTTP.

I did

   M-x trace-function RET url-retrieve-synchronously RET

before running your test.  On my first test, it failed at
shadchen-1.2.el but the request still had the right "https:" prefix.
IOW the trace shows that the url passed from package.el does include the
"https:" and the problem is somewhere in the URL package.

This said, I haven't managed to reproduce the problem since, so
I haven't been able to dig any further.  And in any case I'm not
familiar enough with the HTTP protocol to be of much use there.


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#18860; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 27 Oct 2014 23:17:19 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 27 19:17:19 2014
Received: from localhost ([127.0.0.1]:37031 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1XitXK-000075-Fu
	for submit <at> debbugs.gnu.org; Mon, 27 Oct 2014 19:17:19 -0400
Received: from eggs.gnu.org ([208.118.235.92]:39904)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <nferrier@HIDDEN>) id 1XitXG-00006p-SS
 for submit <at> debbugs.gnu.org; Mon, 27 Oct 2014 19:17:15 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <nferrier@HIDDEN>) id 1XitX5-0007I0-72
 for submit <at> debbugs.gnu.org; Mon, 27 Oct 2014 19:17:09 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:41993)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <nferrier@HIDDEN>) id 1XitX5-0007Hw-3t
 for submit <at> debbugs.gnu.org; Mon, 27 Oct 2014 19:17:03 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41591)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <nferrier@HIDDEN>) id 1XitWz-0005wM-Af
 for bug-gnu-emacs@HIDDEN; Mon, 27 Oct 2014 19:17:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <nferrier@HIDDEN>) id 1XitWt-0007Fr-Og
 for bug-gnu-emacs@HIDDEN; Mon, 27 Oct 2014 19:16:57 -0400
Received: from static.17.66.46.78.clients.your-server.de ([78.46.66.17]:48273
 helo=po1.ferrier.me.uk) by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <nferrier@HIDDEN>) id 1XitWt-0007FS-J0
 for bug-gnu-emacs@HIDDEN; Mon, 27 Oct 2014 19:16:51 -0400
Received: from nicferrier-dell-xps (140.35.155.90.in-addr.arpa [90.155.35.140])
 by po1.ferrier.me.uk (Postfix) with ESMTPA id 856C7AC0498;
 Tue, 28 Oct 2014 00:34:15 +0100 (CET)
Received: from nicferrier-XPS13-9333 (localhost [127.0.0.1])
 by nicferrier-dell-xps (Postfix) with ESMTPS id 9551560354;
 Mon, 27 Oct 2014 23:16:47 +0000 (GMT)
From: Nic Ferrier <nferrier@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 24.4; packages don't download consistently from https
Date: Mon, 27 Oct 2014 23:16:47 +0000
Message-ID: <874mupf6hs.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.1 (----)



Emacs 24.4's package system does something odd when the archive is on
HTTPS.

It seems as if dependencies are downloaded through HTTPS but the main
package is attempted to be downloaded through HTTP.

Here's how to reproduce:

$ cat > test.el <<HERE
(let ((package-user-dir (make-temp-name "/tmp/emacs-package-bug")))
  (package-initialize)
  (add-to-list
   (quote package-archives)
   (quote ("marmalade" . "https://marmalade-repo.org/packages/")))
  (package-refresh-contents)
  (package-install (quote elpakit)))
HERE

$ emacs -batch -l test.el
Importing package-keyring.gpg...
Importing package-keyring.gpg...done
Contacting host: marmalade-repo.org:443
Contacting host: marmalade-repo.org:443
Contacting host: marmalade-repo.org:443
Making version-control local to s-autoloads.el while let-bound!
Generating autoloads for s.el...
Generating autoloads for s.el...done
Saving file /tmp/emacs-package-bug2503RFt/s-1.9.0/s-autoloads.el...
Wrote /tmp/emacs-package-bug2503RFt/s-1.9.0/s-autoloads.el
Checking /tmp/emacs-package-bug2503RFt/s-1.9.0...
Compiling /tmp/emacs-package-bug2503RFt/s-1.9.0/s-autoloads.el...
Compiling /tmp/emacs-package-bug2503RFt/s-1.9.0/s-pkg.el...
Wrote /tmp/emacs-package-bug2503RFt/s-1.9.0/s-pkg.elc
Compiling /tmp/emacs-package-bug2503RFt/s-1.9.0/s.el...
Wrote /tmp/emacs-package-bug2503RFt/s-1.9.0/s.elc
Done (Total of 2 files compiled, 1 skipped)
https://marmalade-repo.org/packages/noflet-0.0.14.el: Bad Request


It seems random which of these requests fail. But as soon as one is sent
over HTTP it fails (obviously).


marmalade-repo (which is currently the only repo doing https package
archives) could fix this problem, partially, on the server side. But we
can't protect the user that way. As soon as emacs makes an HTTP request
for something that should be signed the user is vulnerable to attack.

This is particularly egregious for a packaging system.




In GNU Emacs 24.4.1 (x86_64-unknown-linux-gnu, GTK+ Version 2.24.23)
 of 2014-10-20 on nicferrier-XPS13-9333
Windowing system distributor `The X.Org Foundation', version 11.0.11501000
System Description:	Ubuntu 14.04.1 LTS

Configured using:
 `configure --prefix=/home/nicferrier/emacs-24-4'

Important settings:
  value of $LANG: en_GB.UTF-8
  value of $XMODIFIERS: @im=ibus
  locale-coding-system: utf-8-unix




Acknowledgement sent to Nic Ferrier <nferrier@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#18860; Package emacs. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Sun, 26 Jun 2016 16:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.