Closed Bug 798025 Opened 12 years ago Closed 5 years ago

stop using --no-check-certificate with wget

Categories

(Infrastructure & Operations :: RelOps: General, task, P2)

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: bhearsum, Unassigned)

Details

(Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/2583] )

We should be configuring it to actually verify certificates rather than ignoring them.
Component: Release Engineering → Release Engineering: Platform Support
Product: mozilla.org → Release Engineering
Component: Platform Support → Build Config
Product: Release Engineering → Core
Version: other → Trunk
Context: On for example https://developer.mozilla.org/en-US/docs/Simple_Firefox_build/Linux_and_MacOS_build_preparation we recommend to use --no-check-certificate in case wget gives a certificate validation error. This can happen if the root certificates that shipped with the OS or with wget (?) do not include the root or intermediate for hg.mozilla.org.

I agree that this is a bad practice. Instead of telling people to ignore the error, they should really get their Linux distribution or installation of wget up to date.

Note that the suggestion to use --no-check-certificate is bogus anyway because if wget fails then a hg clone will most likely also fail with the same error.
Oh maybe Ben actually filed a bug for a releng component. I moved it to Core/Build Config but maybe that means I have hijacked his bug? :-)
--no-check-certificate references in the tree:

testing/release/common/download_builds.sh
testing/release/common/download_mars.sh
testing/release/updates/verify.sh
testing/tools/grabber/getpages.sh
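
An added example, not part of the bug thread or of Mozilla's tooling: a small shell audit that lists `--no-check-certificate` references like those enumerated in the comment above, so they can be tracked down and removed. It goes slightly beyond the flag itself by also matching the equivalent wgetrc setting `check_certificate = off`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a tree for wget usage that
# skips TLS certificate verification.

# scan_insecure_wget DIR: print "file:line:text" for each non-comment line that
# disables wget's certificate check (command-line flag or wgetrc setting).
scan_insecure_wget() {
    find "$1" -type f -exec awk '
        {
            code = tolower($0)
            sub(/^[ \t]*#.*$/, "", code)   # drop whole-line comments
            sub(/[ \t]#.*$/, "", code)     # drop trailing comments (heuristic)
        }
        code ~ /--no-check-certificate/ ||
        code ~ /check[-_]?certificate[ \t]*=[ \t]*off/ {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
        }
    ' {} +
}

# count_insecure_wget DIR: number of findings on stdout.
count_insecure_wget() {
    scan_insecure_wget "$1" | wc -l | tr -d ' '
}

# check_tree DIR: CI gate; lists findings on stderr, returns 1 if any exist.
check_tree() {
    findings=$(scan_insecure_wget "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Constructed sample tree; file names and contents are made up for the demo.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/release" "$d/clean"
    printf '%s\n' '#!/bin/sh' '# old advice: wget --no-check-certificate' \
        'wget --no-check-certificate -O build.tar.bz2 "$URL"' \
        > "$d/release/download.sh"
    printf '%s\n' 'check_certificate = off' > "$d/release/wgetrc"
    printf '%s\n' '#!/bin/sh' 'wget -O build.tar.bz2 "$URL"  # verified' \
        > "$d/clean/fetch.sh"
    echo "$d"
}

tree=$(make_sample_tree)
check_tree "$tree" || echo "findings: $(count_insecure_wget "$tree")"
rm -rf "$tree"
```

The comment stripping is a heuristic, so a flag mentioned only in a comment is ignored while a `#` inside a quoted string can hide a real hit; review the output rather than treating a clean run as proof.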
(In reply to Gregory Szorc [:gps] from comment #3)
> --no-check-certificate references in the tree:
> 
> testing/release/common/download_builds.sh
> testing/release/common/download_mars.sh
> testing/release/updates/verify.sh

These three aren't used anymore - they got moved to hg.mozilla.org/build/tools. They still use this option though, and there's some other references to it in RelEng repos:
https://mxr.mozilla.org/build-central/search?string=--no-check-certificate
(In reply to Stefan Arentz [:st3fan] from comment #1)
> Context: On for example
> https://developer.mozilla.org/en-US/docs/Simple_Firefox_build/
> Linux_and_MacOS_build_preparation we recommend to use --no-check-certificate
> in case wget gives a certificate validation error. This can happen if the
> root certificates that shipped with the OS or with wget (?) do not include
> the root or intermediate for hg.mozilla.org.

Can you file a separate bug on this?

I agree that this is terrible, but I'm also sympathetic to having it there because it's probably the difference between "got a working build environment" and "spent 4 hours getting wget working with SSL".
Component: Build Config → Platform Support
Product: Core → Release Engineering
Version: Trunk → unspecified
Was about to file this bug again ... whoops.

Bug 1066403 upgraded wget on Linux, and we don't get cert warnings on hg/ftp/aus3 any more. Mac is OK too, but Windows still has 1.10.2 and (presumably) a stale cert bundle. Bug 971157 would get us a newer wget, at which point we may be able to start verifying certs when doing things like update verify.
Depends on: 971157
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/2583]
Windows has OpenSSL 0.9 as well, for the record, which may or may not contribute to this problem.
Priority: -- → P2
Component: Platform Support → Buildduty
Product: Release Engineering → Infrastructure & Operations

Mark, can you please take a look?

Assignee: nobody → relops
Component: CIDuty → RelOps: General
Flags: needinfo?(mcornmesser)

This was an issue specific to buildbot Windows workers because of an old version of Mozilla Build and Python. This should be closed.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mcornmesser)
Resolution: --- → INACTIVE
See Also: → 1532902