Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-16 Thread Vincent Lefevre
On 2015-06-16 15:34:10 +0200, Noël Köthe wrote:
> I will upload wget with the versioned dependency but this does not
> solve the problem in the future because the last wget upload was in
> March where everything worked and in the last weeks gnutls and libnettle
> changed without a changed soname of the lib.

The libnettle soname changed:

/usr/lib/x86_64-linux-gnu/libnettle.so.4 for libnettle4.
/usr/lib/x86_64-linux-gnu/libnettle.so.6 for libnettle6.

AFAIK, what happened is that without the gnutls upgrade, wget
1.16.3-2+b2 was linked against both libnettle4 (via gnutls) and
libnettle6 (directly). Unfortunately, without symbol versioning
(which Nettle doesn't support), this does not work and this is not
a soname problem here. There are two ways to avoid this problem:

1. Use symbol versioning in the libraries (currently not done).

2. Add a manual dependency to make sure that the same libnettle is
   used on both sides. Since wget has been rebuilt against libnettle6,
   the solution is to force a gnutls version built against libnettle6
   too, i.e. add a versioned dependency on gnutls.

In the future, if symbol versioning is used in Nettle, everything
should be fine. Otherwise, if you rebuild wget against, say,
libnettle7, then you need to make sure to depend on a gnutls version
that is built against this version.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
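
An added example, not part of the thread: a check for the condition described in the message above, where one process ends up with the same library under two soname versions (libnettle.so.4 via gnutls and libnettle.so.6 directly). The function names and the sample `ldd` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect one library loaded under two
# soname versions, the libnettle.so.4 + libnettle.so.6 situation.

# Reads ldd-style lines on stdin; prints "base: soname soname ..." for every
# library base name that appears with more than one soname version.
find_soname_conflicts() {
    awk '
        $1 ~ /\.so\.[0-9]/ {
            soname = $1
            sub(/^.*\//, "", soname)      # drop a leading directory, if any
            base = soname
            sub(/\.so\..*$/, "", base)    # libnettle.so.6 -> libnettle
            if ((base, soname) in seen) next
            seen[base, soname] = 1
            if (count[base]++) list[base] = list[base] " " soname
            else list[base] = soname
        }
        END { for (b in count) if (count[b] > 1) print b ": " list[b] }
    ' | sort
}

# Constructed ldd output for the broken state: wget rebuilt against
# libnettle6, gnutls still built against libnettle4. Addresses omitted.
sample_broken_ldd() {
    cat <<'EOF'
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6
libgnutls-deb0.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
libnettle.so.4 => /usr/lib/x86_64-linux-gnu/libnettle.so.4
EOF
}

# Constructed ldd output after gnutls is also built against libnettle6.
sample_fixed_ldd() {
    sample_broken_ldd | grep -v 'libnettle\.so\.4'
}

sample_broken_ldd | find_soname_conflicts
# On a live system: ldd "$(command -v wget)" | find_soname_conflicts
```

An empty result means every library in the listing resolves to a single soname version; a line such as `libnettle: ...` points at the package that still needs a rebuild or a versioned dependency.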



Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-16 Thread Noël Köthe
Hello Vincent,

On Sunday, 14.06.2015, at 22:14 +0200, Vincent Lefevre wrote:

> Upgrading libgnutls-deb0-28 to 3.3.15-6 solves the problem. So, this is
> due to a missing versioned dependency.

I will upload wget with the versioned dependency but this does not
solve the problem in the future because the last wget upload was in
March where everything worked and in the last weeks gnutls and libnettle
changed without a changed soname of the lib.

Regards

Noël

-- 
Noël Köthe 
Debian GNU/Linux, www.debian.org



Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-14 Thread Vincent Lefevre
Control: severity -1 serious
Control: tags -1 - moreinfo
Control: retitle -1 wget: does not work with libgnutls-deb0-28 built against libnettle4 - missing dependency

On 2015-06-09 11:02:27 +0200, Vincent Lefevre wrote:
> [*] I suppose that this has now been solved with curl 7.42.1-3,
> which has been rebuilt against libnettle6. libcurl3-gnutls 7.42.1-3
> has:
> 
> Depends: [...] libgnutls-deb0-28 (>= 3.3.15-5), [...] libnettle6, [...]
> 
> So, wget needs to have something similar.

Upgrading libgnutls-deb0-28 to 3.3.15-6 solves the problem. So, this is
due to a missing versioned dependency.

https://release.debian.org/testing/rc_policy.txt says:

Packages must include a "Depends:" line listing any other
packages they require for operation, unless those packages are
marked "Essential: yes". [...]

i.e. that's a RC bug.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-09 Thread Vincent Lefevre
On 2015-06-09 10:44:17 +0200, Sébastien Kalt wrote:
> 2015-06-09 10:14 GMT+02:00 Noël Köthe :
> > The gnutls dependency changed since Saturday and this would be the
> > reason for your reported problem:
> >
> > > Versions of packages wget depends on:
> > > ii  libc6  2.19-18
> > same
> > > ii  libgnutls-deb0-28  3.3.14-2
> > 3.3.15-5
> >
> I have version 3.3.15-2, all other packages have the same version as you do.
> 
> libgnutls-deb0-28 3.3.15-5 has bugs reporting segfault, see for example
> bug 787605 (1).
> 
> But version 3.3.15-2 is supposed to solve those segfaults, which explains
> why I didn't upgrade to this version.

I haven't upgraded to 3.3.15-5 either precisely because of these
segfaults[*]. That's why versioned dependencies are really important
when needed: having them allows one to block the buggy upgrade of
wget in such cases. This may also be important in case of problem
during a full upgrade, so that "apt-get install -f" works as
expected, if needed.

[*] I suppose that this has now been solved with curl 7.42.1-3,
which has been rebuilt against libnettle6. libcurl3-gnutls 7.42.1-3
has:

Depends: [...] libgnutls-deb0-28 (>= 3.3.15-5), [...] libnettle6, [...]

So, wget needs to have something similar.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-09 Thread Sébastien Kalt
Hi,

I'm also having this error:

$ wget https://www.vinc17.net/
--2015-06-09 10:30:49--  https://www.vinc17.net/
Resolving www.vinc17.net (www.vinc17.net)... 92.243.22.117, 2001:4b98:dc0:45:216:3eff:fe9b:eb2f
Connecting to www.vinc17.net (www.vinc17.net)|92.243.22.117|:443... connected.
ERROR: The certificate of 'www.vinc17.net' is not trusted.

2015-06-09 10:14 GMT+02:00 Noël Köthe :

> > If I reinstall wget 1.16.3-2 (without doing anything else), the
> > problem disappears.
>
It also works for me.


> The gnutls dependency changed since Saturday and this would be the
> reason for your reported problem:
>
> > Versions of packages wget depends on:
> > ii  libc6  2.19-18
> same
> > ii  libgnutls-deb0-28  3.3.14-2
> 3.3.15-5
>
I have version 3.3.15-2, all other packages have the same version as you do.

libgnutls-deb0-28 3.3.15-5 has bugs reporting segfault, see for example
bug 787605 (1).

But version 3.3.15-2 is supposed to solve those segfaults, which explains
why I didn't upgrade to this version.

Installing libgnutls-deb0-28 3.3.15-5 solves wget segfault:

$ wget https://www.vinc17.net/
--2015-06-09 10:40:39--  https://www.vinc17.net/
Resolving www.vinc17.net (www.vinc17.net)... 92.243.22.117, 2001:4b98:dc0:45:216:3eff:fe9b:eb2f
Connecting to www.vinc17.net (www.vinc17.net)|92.243.22.117|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16390 (16K) [text/html]
Saving to: 'index.html'

index.html  100%[===>]  16.01K  --.-KB/s   in 0.09s

2015-06-09 10:40:41 (179 KB/s) - 'index.html' saved [16390/16390]

Regards,

Sébastien

1 :  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787605


Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-09 Thread Vincent Lefevre
On 2015-06-09 10:14:28 +0200, Noël Köthe wrote:
> > ii  libgnutls-deb0-28  3.3.14-2
> 3.3.15-5

AFAIK, this is the problem. The reason is that libgnutls-deb0-28
3.3.14-2 is built against libnettle4 (ditto for 3.3.15-2), and
3.3.15-5 is built against libnettle6. So, if wget is built against
libnettle6, you need to put a versioned dependency on libgnutls-deb0-28
(>= 3.3.15-5) so that only the ones built against libnettle6 will be
used.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-09 Thread Noël Köthe
tags 787942 + moreinfo unreproducible
thanks

Hello Vincent,

On Saturday, 06.06.2015, at 18:34 +0200, Vincent Lefevre wrote:

> I get the following error:
> 
> $ wget -O - https://www.vinc17.net/
...
> ERROR: The certificate of ‘www.vinc17.net’ is not trusted.
...
> If I reinstall wget 1.16.3-2 (without doing anything else), the
> problem disappears.

With the same version it works yesterday/today:

$ wget https://www.vinc17.net/
--2015-06-09 10:07:40--  https://www.vinc17.net/
Resolving www.vinc17.net (www.vinc17.net)... 92.243.22.117, 2001:4b98:dc0:45:216:3eff:fe9b:eb2f
Connecting to www.vinc17.net (www.vinc17.net)|92.243.22.117|:443... connected.
HTTP request sent, awaiting response... 200 OK

The gnutls dependency changed since Saturday and this would be the
reason for your reported problem:

> Versions of packages wget depends on:
> ii  libc6  2.19-18
same
> ii  libgnutls-deb0-28  3.3.14-2
3.3.15-5
> ii  libidn11   1.30-1
same
> ii  libnettle6 3.1.1-3
same
> ii  libpcre3   2:8.35-5
same
> ii  libpsl0  0.5.1-1
same
> ii  libuuid1   2.26.2-6
same
> ii  zlib1g 1:1.2.8.dfsg-2+b1
same

If you confirm wget is working again I will close this bug.

Regards

-- 
Noël Köthe 
Debian GNU/Linux, www.debian.org




Bug#787942: wget: https no longer works due to certificate error with rebuild against libnettle6

2015-06-06 Thread Vincent Lefevre
Package: wget
Version: 1.16.3-2+b2
Severity: grave
Justification: renders package unusable

I get the following error:

$ wget -O - https://www.vinc17.net/
--2015-06-06 18:27:05--  https://www.vinc17.net/
Resolving www.vinc17.net (www.vinc17.net)... 92.243.22.117, 2001:4b98:dc0:45:216:3eff:fe9b:eb2f
Connecting to www.vinc17.net (www.vinc17.net)|92.243.22.117|:443... connected.
ERROR: The certificate of ‘www.vinc17.net’ is not trusted.
zsh: exit 5 wget -O - https://www.vinc17.net/

If I reinstall wget 1.16.3-2 (without doing anything else), the
problem disappears.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages wget depends on:
ii  libc6  2.19-18
ii  libgnutls-deb0-28  3.3.14-2
ii  libidn11   1.30-1
ii  libnettle6 3.1.1-3
ii  libpcre3   2:8.35-5
ii  libpsl0  0.5.1-1
ii  libuuid1   2.26.2-6
ii  zlib1g 1:1.2.8.dfsg-2+b1

Versions of packages wget recommends:
ii  ca-certificates  20150426

wget suggests no packages.

-- no debconf information

