Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use --insecure to download ca-certificates source where necessary #12172

Merged
merged 1 commit into from
Oct 4, 2021
Merged

Use --insecure to download ca-certificates source where necessary #12172

merged 1 commit into from
Oct 4, 2021

Conversation

Bo98
Copy link
Member

@Bo98 Bo98 commented Oct 4, 2021

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

We've not been able to provide a HTTP mirror for this, so the second best solution is to pass --insecure while downloading, so it can indeed be downloaded when system CA certs are broken.

@Bo98 Bo98 added the critical Critical change which should be shipped as soon as possible. label Oct 4, 2021
@BrewTestBot
Copy link
Member

Review period skipped due to critical label.

@Bo98 Bo98 force-pushed the cacert-insecure branch 4 times, most recently from 21ec17d to babc97e Compare October 4, 2021 13:52
@MikeMcQuaid
Copy link
Member

@Bo98 Maybe provide some big warning here?

@Bo98
Copy link
Member Author

Bo98 commented Oct 4, 2021

@Bo98 Maybe provide some big warning here?

Given the user can do nothing about it, I'm not sure what that will really add. We don't warn when using plain HTTP mirrors, and we still verify the download via sha256 checksumming.

@MikeMcQuaid
Copy link
Member

Given the user can do nothing about it, I'm not sure what that will really add. We don't warn when using plain HTTP mirrors, and we still verify the download via sha256 checksumming.

I think it's good practise to let them know that we are passing --insecure and why we are doing so.

@Bo98
Copy link
Member Author

Bo98 commented Oct 4, 2021
edited
Loading

Oh right a notification type rather than "you're doing something bad".

@MikeMcQuaid
Copy link
Member

@Bo98 Yeh, something like opoo "Using --insecure with curl because we need it to download anything else securely"

@carlocab
Copy link
Member

carlocab commented Oct 4, 2021

Maybe error out too if I'm on old macOS and have HOMEBREW_NO_INSECURE_REDIRECT set? (Or does this already do that?)

@Bo98
Copy link
Member Author

Bo98 commented Oct 4, 2021
edited
Loading

HOMEBREW_NO_INSECURE_REDIRECT only affects HTTPS -> HTTP redirects so it doesn't affect anything right now, but I could make setting --insecure conditional on that if it makes sense.

@carlocab
Copy link
Member

carlocab commented Oct 4, 2021

I could make setting --insecure conditional on that if it makes sense.

Makes sense, yea 👍

@Bo98 Bo98 force-pushed the cacert-insecure branch from babc97e to 76c6b52 Compare October 4, 2021 15:33
@Bo98 Bo98 force-pushed the cacert-insecure branch from 76c6b52 to 5dc46a9 Compare October 4, 2021 15:37
MikeMcQuaid
MikeMcQuaid approved these changes Oct 4, 2021
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks. Feel feel free to create a release when this stuff drops 👍🏻

@Bo98 Bo98 merged commit 243794b into Homebrew:master Oct 4, 2021
@Bo98 Bo98 deleted the cacert-insecure branch October 4, 2021 16:14
carlocab
carlocab reviewed Oct 4, 2021
View reviewed changes
Library/Homebrew/download_strategy.rb
"because we need it installed to download securely."
@insecure_warning_shown = true
end
args += ["--insecure"] if meta[:insecure]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
args += ["--insecure"] if meta[:insecure]
args += ["--insecure"]

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, will fix that.

This was referenced Oct 4, 2021
Closed
Merged
carlocab added a commit to carlocab/homebrew-core that referenced this pull request Oct 4, 2021
@carlocab
ca-certificates: remove mirror
379355c 
This is no longer necessary as of Homebrew/brew#12172.
BrewTestBot pushed a commit to Homebrew/homebrew-core that referenced this pull request Oct 4, 2021
@carlocab @BrewTestBot
ca-certificates: remove mirror
1fdb8a2 
This is no longer necessary as of Homebrew/brew#12172.

Closes #86415.

Signed-off-by: Bo Anderson <[email protected]>
Signed-off-by: BrewTestBot <[email protected]>
Rylan12
Rylan12 reviewed Oct 4, 2021
View reviewed changes
Library/Homebrew/download_strategy.rb
Comment on lines +549 to +550
opoo "Using --insecure with curl to download `ca-certificates` " \
"because we need it installed to download securely."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't think it's required (and it might be too late anyway) but I wonder if it's worth adding a line that says something letting the user know that checksums are still being checked. I worry that this reads too much like "hey we're going to download some stuff that might not be safe we don't know 🤷" when in reality we're a lot more confident that this is actually going to be okay.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I agree: #12182

@Bo98 Bo98 mentioned this pull request Oct 4, 2021
Merged
7 tasks
@Bo98 Bo98 mentioned this pull request Oct 5, 2021
Closed
2 tasks
@github-actions github-actions bot added the outdated PR was locked due to age label Nov 4, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 4, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Rylan12 Rylan12 Rylan12 left review comments

@carlocab carlocab carlocab approved these changes

@BrewTestBot BrewTestBot BrewTestBot approved these changes

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

Assignees
No one assigned
Labels
critical Critical change which should be shipped as soon as possible. outdated PR was locked due to age
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Bo98 @BrewTestBot @MikeMcQuaid @carlocab @Rylan12