While working on some package updates, I found that the source code downloader will accept an X.509 certificate for an incorrect site.
Here is what happens: ------ $ ./pre-inst-env guix build -S opus-tools --check @ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2 Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz... ….1.10.tar.gz 305KiB 822KiB/s 00:00 [####################] 100.0% warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers /gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz ------ Here is an example of what I think should happen in this case: ------ $ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org' ------ And this is what Firefox says: ------ downloads.xiph.org uses an invalid security certificate. The certificate is only valid for the following names: osuosl.org, *.osuosl.org Error code: SSL_ERROR_BAD_CERT_DOMAIN ------
signature.asc
Description: PGP signature