GNU bug report logs - #27795
Issues with upstream source for guile-emacs


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 22 Jul 2017 23:20:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#27795; Package guix. (Sat, 22 Jul 2017 23:20:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 22 Jul 2017 23:20:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Issues with upstream source for guile-emacs
Date: Sat, 22 Jul 2017 19:19:04 -0400
[Message part 1 (text/plain, inline)]
While working on the bug 'Changing package source URLs from git:// to
https://' [0], I noticed an issue with the sources for guile-emacs.

We currently fetch this source code over the unauthenticated GIT
protocol. It is also available over HTTPS. However, these two protocols
are returning different Git repos for some reason. For example, with the
diff shown below [1]:

------
% ./pre-inst-env guix build -S --no-grafts --no-substitutes guile-emacs
The following derivation will be built:
   /gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv
@ build-started /gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv - x86_64-linux /var/log/guix/drvs/1f//wh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv.bz2
Cloning into '/gnu/store/jlkhs6ypnlvbzl4jassp871v0z86199y-git-checkout'...
fatal: reference is not a tree: 41120e0f595b16387eebfbf731fff70481de1b4b
environment variable `PATH' unset
r:sha256 hash mismatch for output path `/gnu/store/jlkhs6ypnlvbzl4jassp871v0z86199y-git-checkout'
  expected: 0lvcvsz0f4mawj04db35p1dvkffdqkz8pkhc0jzh9j9x2i63kcz6
  actual:   1qish7cgck6brag4i4bgy31nzjrylwgmiai04ddzl5z2025a3shd
@ build-failed /gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv - 1 r:sha256 hash mismatch for output path `/gnu/store/jlkhs6ypnlvbzl4jassp871v0z86199y-git-checkout'
  expected: 0lvcvsz0f4mawj04db35p1dvkffdqkz8pkhc0jzh9j9x2i63kcz6
  actual:   1qish7cgck6brag4i4bgy31nzjrylwgmiai04ddzl5z2025a3shd
guix build: error: build failed: build of `/gnu/store/1fwh26ssbzkw38k2ih3cvmfk7zch2bdb-git-checkout.drv' failed
------

[0]
https://bugs.gnu.org/27778

[1]
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 43de13057..9d44d82ab 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -262,7 +262,7 @@ editor (without an X toolkit)" )
     (source (origin
               (method git-fetch)
               (uri (git-reference
-                    (url "git://git.hcoop.net/git/bpt/emacs.git")
+                    (url "https://git.hcoop.net/git/bpt/emacs.git")
                     (commit "41120e0f595b16387eebfbf731fff70481de1b4b")))
               (sha256
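Review bot: the new URL does not serve the pinned commit, so this hunk cannot build as written. The build log above shows "fatal: reference is not a tree: 41120e0f595b16387eebfbf731fff70481de1b4b" followed by an r:sha256 mismatch, which means the clone from https://git.hcoop.net/git/bpt/emacs.git lacks that commit and the checkout hashed a different tree; yet the hunk keeps `(commit "41120e0f595b16387eebfbf731fff70481de1b4b")` and, from the cut-off `(sha256` line, the recorded hash. Before switching transports, confirm the pinned commit is reachable at the new URL (or pin a commit both remotes serve and record its hash), otherwise the change trades an unauthenticated transport for a derivation that always fails.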
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#27795; Package guix. (Sun, 23 Jul 2017 12:33:01 GMT)

Message #8 received at 27795 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27795 <at> debbugs.gnu.org
Subject: Re: bug#27795: Issues with upstream source for guile-emacs
Date: Sun, 23 Jul 2017 14:32:24 +0200
Leo Famulari <leo <at> famulari.name> writes:

> While working on the bug 'Changing package source URLs from git:// to
> https://' [0], I noticed an issue with the sources for guile-emacs.
>
> We currently fetch this source code over the unauthenticated GIT
> protocol. It is also available over HTTPS. However, these two protocols
> are returning different Git repos for some reason.

The clone times out for me:

--8<---------------cut here---------------start------------->8---
git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
Cloning into 'guile-emacs-over-https'...
^C
--8<---------------cut here---------------end--------------->8---

But the clone from git:// works fine.

Is the repository actually served over HTTPS?

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

Information forwarded to bug-guix <at> gnu.org:
bug#27795; Package guix. (Sun, 23 Jul 2017 14:23:02 GMT)

Message #11 received at 27795 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27795 <at> debbugs.gnu.org
Subject: Re: bug#27795: Issues with upstream source for guile-emacs
Date: Sun, 23 Jul 2017 16:22:06 +0200
Ricardo Wurmus <rekado <at> elephly.net> writes:

> Leo Famulari <leo <at> famulari.name> writes:
>
>> While working on the bug 'Changing package source URLs from git:// to
>> https://' [0], I noticed an issue with the sources for guile-emacs.
>>
>> We currently fetch this source code over the unauthenticated GIT
>> protocol. It is also available over HTTPS. However, these two protocols
>> are returning different Git repos for some reason.
>
> The clone times out for me:
>
> --8<---------------cut here---------------start------------->8---
> git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
> Cloning into 'guile-emacs-over-https'...
> ^C
> --8<---------------cut here---------------end--------------->8---
>
> But the clone from git:// works fine.
>
> Is the repository actually served over HTTPS?

Don’t mind me.  It eventually worked.  The repositories have different
histories, and the https-repo looks like it is two commits behind.
Looks like an older rebase.

I’d say we should leave it with the current git:// URL.

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

Information forwarded to bug-guix <at> gnu.org:
bug#27795; Package guix. (Sun, 23 Jul 2017 16:06:02 GMT)

Message #14 received at 27795 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 27795 <at> debbugs.gnu.org
Subject: Re: bug#27795: Issues with upstream source for guile-emacs
Date: Sun, 23 Jul 2017 12:05:22 -0400
[Message part 1 (text/plain, inline)]
On Sun, Jul 23, 2017 at 04:22:06PM +0200, Ricardo Wurmus wrote:
> 
> Ricardo Wurmus <rekado <at> elephly.net> writes:
> 
> > Leo Famulari <leo <at> famulari.name> writes:
> >
> >> While working on the bug 'Changing package source URLs from git:// to
> >> https://' [0], I noticed an issue with the sources for guile-emacs.
> >>
> >> We currently fetch this source code over the unauthenticated GIT
> >> protocol. It is also available over HTTPS. However, these two protocols
> >> are returning different Git repos for some reason.
> >
> > The clone times out for me:
> >
> > --8<---------------cut here---------------start------------->8---
> > git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
> > Cloning into 'guile-emacs-over-https'...
> > ^C
> > --8<---------------cut here---------------end--------------->8---
> >
> > But the clone from git:// works fine.
> >
> > Is the repository actually served over HTTPS?
> 
> Don’t mind me.  It eventually worked.  The repositories have different
> histories, and the https-repo looks like it is two commits behind.
> Looks like an older rebase.
> 
> I’d say we should leave it with the current git:// URL.

The thing is, since the git:// protocol is unauthenticated, we could
assume that those extra two commits are added by a MitM :/

Somebody who is interested in guile-emacs should really ask upstream
what is going on.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#27795; Package guix. (Sat, 29 Jul 2017 16:21:02 GMT)

Message #17 received at 27795 <at> debbugs.gnu.org (full text, mbox):

From: Christopher Allan Webber <cwebber <at> dustycloud.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 27795 <at> debbugs.gnu.org
Subject: Re: bug#27795: Issues with upstream source for guile-emacs
Date: Sat, 29 Jul 2017 11:20:19 -0500
Leo Famulari writes:

> On Sun, Jul 23, 2017 at 04:22:06PM +0200, Ricardo Wurmus wrote:
>>
>> Ricardo Wurmus <rekado <at> elephly.net> writes:
>>
>> > Leo Famulari <leo <at> famulari.name> writes:
>> >
>> >> While working on the bug 'Changing package source URLs from git:// to
>> >> https://' [0], I noticed an issue with the sources for guile-emacs.
>> >>
>> >> We currently fetch this source code over the unauthenticated GIT
>> >> protocol. It is also available over HTTPS. However, these two protocols
>> >> are returning different Git repos for some reason.
>> >
>> > The clone times out for me:
>> >
>> > --8<---------------cut here---------------start------------->8---
>> > git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
>> > Cloning into 'guile-emacs-over-https'...
>> > ^C
>> > --8<---------------cut here---------------end--------------->8---
>> >
>> > But the clone from git:// works fine.
>> >
>> > Is the repository actually served over HTTPS?
>>
>> Don’t mind me.  It eventually worked.  The repositories have different
>> histories, and the https-repo looks like it is two commits behind.
>> Looks like an older rebase.
>>
>> I’d say we should leave it with the current git:// URL.
>
> The thing is, since the git:// protocol is unauthenticated, we could
> assume that those extra two commits are added by a MitM :/
>
> Somebody who is interested in guile-emacs should really ask upstream
> what is going on.

Since we hash the checkout's contents, an attacker would have to be very
consistently adding those two commits for both the original packager
(me) and all subsequent users... a possible attack, but I think it's not
the biggest thing to worry about.
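The two checks this thread turns on, as an added example that is not part of the bug report and not Guix's own code: whether the pinned commit is present at all at a candidate URL (the failure in Leo's build log), and whether a checkout of that commit hashes to the recorded value (the content hash Chris relies on). It assumes `git`, `mktemp`, `find` and `sha256sum` (or `shasum`) are available, and it stands up two local bare repositories as constructed stand-ins for the git:// and https:// remotes, with the "https" one two commits behind as Ricardo observed. The content hash is a simple sorted path-plus-bytes SHA-256 over the checkout with `.git` excluded; it is a stand-in for `guix hash -rx`, not the hash Guix computes.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Guix): simulate the two
# diverging remotes from the report and run the checks a packager wants
# before changing a source URL.
set -eu

# Fixed identity/config so the constructed commits work in any sandbox.
GIT="git -c user.name=example -c user.email=example@example.invalid -c init.defaultBranch=master -c advice.detachedHead=false"

sha256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; }

# Deterministic hash of a checkout's contents (sorted paths + file bytes),
# .git excluded. Stand-in for the recursive hash recorded in a Guix origin.
checkout_hash() {
    ( cd "$1" && find . -path ./.git -prune -o -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do printf '%s\n' "$f"; cat "$f"; done ) | sha256 | cut -d' ' -f1
}

# Exit 0 if COMMIT ($2) exists as a commit object at URL ($1), else 1.
commit_present() {
    tmp=$(mktemp -d)
    $GIT clone -q "$1" "$tmp/src" 2>/dev/null
    if $GIT -C "$tmp/src" cat-file -e "$2^{commit}" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Clone URL ($1), check out COMMIT ($2) and print the content hash. Fails when
# the commit is missing rather than hashing whatever HEAD happens to be, which
# is what produced the "reference is not a tree" + hash mismatch in the report.
fetch_hash() {
    tmp=$(mktemp -d)
    $GIT clone -q "$1" "$tmp/src" 2>/dev/null
    if $GIT -C "$tmp/src" checkout -q "$2" 2>/dev/null; then
        checkout_hash "$tmp/src"; rc=0
    else
        echo "commit $2 not found at $1" >&2; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Constructed remotes: the "https" mirror is a snapshot taken two commits
# before the pinned one; the "git" mirror has the full history.
setup_remotes() {
    work=$(mktemp -d)
    $GIT init -q "$work/dev"
    printf 'base\n' > "$work/dev/README"
    $GIT -C "$work/dev" add README && $GIT -C "$work/dev" commit -q -m base
    $GIT -C "$work/dev" clone -q --bare . "$work/https-mirror.git"
    printf 'one\n' > "$work/dev/a.txt"
    $GIT -C "$work/dev" add a.txt && $GIT -C "$work/dev" commit -q -m one
    printf 'two\n' > "$work/dev/b.txt"
    $GIT -C "$work/dev" add b.txt && $GIT -C "$work/dev" commit -q -m two
    $GIT -C "$work/dev" clone -q --bare . "$work/git-mirror.git"
    PIN=$($GIT -C "$work/dev" rev-parse HEAD)   # the commit the package pins
    EXPECTED=$(checkout_hash "$work/dev")       # the hash recorded in the origin
    GIT_URL=$work/git-mirror.git
    HTTPS_URL=$work/https-mirror.git
}

setup_remotes
echo "recorded hash:        $EXPECTED"
echo "git mirror, pinned:   $(fetch_hash "$GIT_URL" "$PIN")"
echo "https mirror, pinned: $(fetch_hash "$HTTPS_URL" "$PIN" 2>/dev/null || echo MISSING)"
```

The second check is the one that bounds the MitM concern raised above: whoever controls the git:// transport must serve the exact tree that hashes to the recorded value, to every builder, every time, or the build fails loudly. That is why the first check matters before a URL swap: if the pinned commit is absent at the new URL, the mismatch tells you nothing about tampering, only that the two remotes differ.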

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Mon, 25 Feb 2019 23:26:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Mon, 25 Feb 2019 23:26:02 GMT)

Message #22 received at 27795-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
Cc: 27795-done <at> debbugs.gnu.org
Subject: Re: bug#27795: Issues with upstream source for guile-emacs
Date: Mon, 25 Feb 2019 18:25:49 -0500
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> While working on the bug 'Changing package source URLs from git:// to
> https://' [0], I noticed an issue with the sources for guile-emacs.
>
> We currently fetch this source code over the unauthenticated GIT
> protocol. It is also available over HTTPS. However, these two protocols
> are returning different Git repos for some reason.

The issue seems to have been resolved upstream, because HTTPS and git://
clones now return the same repo. I adjusted our guile-emacs package
accordingly in commit ef5fa91ccc5d6ff7a5ce21df19541b57b98db4c7
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 26 Mar 2019 11:24:09 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.