When compiling =net-im/pidgin-2.5.1 with gnutls flag, loading an MSN account produces the following error: The certificate chain presented by rsi.hotmail.com does not have a valid digital signature from the Certificate Authority from which it claims to have a signature. MSN works, and is usable, but some features are disabled; and getting a pop-up every day is annoying. Putting this flag off (and rebuilding) pushes this message away. People from IRC confirm that ssl-gnutls is nasty, and should be removed feature. Maybe the guy who think this should report to Pidgin's BTS to disable support for it; but, i come here to propose ban of the gnutls USE flag sensibility for this ebuild (and maybe all future versions).
Created attachment 165065 [details] /tmp/emerge--info
gnutls supports some additional protocols, http://www.gnu.org/software/gnutls/comparison.html but perhaps none of them are needed by pidgin, in which case sticking with the more stable nss library sounds like a good idea. Let's see what the net-im maintainers think...
Upstream bug: http://developer.pidgin.im/ticket/6680. TThere's also a certificate which can be used to work around the bug.
Created attachment 165098 [details, diff] Update Microsoft_Secure_Server_Authority.pem As I just commented on the upstream bug, one of the certificates shipped with pidgin should be updated. This patch here accomplishes the update, and can be applied using epatch. Alternatively you could fetch the certificate from the upstream bug report and drop it into the fiels dir as is, simply copying in the ebuild. This would require the ebuild to mention the path of the destination, and might be a less common approach than simply calling epatch. On the other hand, this would allow you to handle the file using openssl command line tools, e.g. in order to verify it. Steps to verify this certificate from its root, GTE CyberTrust Global Root, are described in the upstream bug report. So you don't have to trust me in order to trust this updated certificate.
same for net-im/pidgin-2.5.2 ... and same fix :)
*** Bug 251016 has been marked as a duplicate of this bug. ***
Comment on attachment 165098 [details, diff] Update Microsoft_Secure_Server_Authority.pem My patch is obsolete, as the certificates have changed yet again. See also http://developer.pidgin.im/ticket/6680#comment:22
*** Bug 251059 has been marked as a duplicate of this bug. ***
According to upstream ChangeLog[1] this issue is fixed in 2.5.3. Can we bump? 1: http://developer.pidgin.im/wiki/ChangeLog
(In reply to comment #3) > Upstream bug: http://developer.pidgin.im/ticket/6680. TThere's also a > certificate which can be used to work around the bug. > As of today: > Changed 2 months ago by khc ¶ > > * status changed from new to closed > * resolution set to fixed > >Actually I fixed it once, and for some reason I don't really remember, > disapproved the change. I just disapproved my disapproval, so things should > work in the next release. Thanks for reminding me and bringing it up again. So, bumping will fix ! Is maintainance team net-im@gentoo.org still alive ? I consider Pidgin as a major application, and, to my despair, MSN as a major protocol (widely used), thus, we need a rapid fix. If maintainers do not show up (at least make a comment, and explain why they don't bump) within 2 weeks, I will ask for reassign.
Already bumped... Dude... waiting 3 days over the xmas holiday isn't a lot...
Problem is that I have the bug in stable x86 ... so, to get my original problem fixed, we need 2.5.2 to be stable ... so, the root problem is not fixed yet ...
... problem only fixed when bug 241374 is cloed.
mistake: depends on 248137 (not on 241374 )
A bug is FIXED if it is in the tree. File a bug for stabilization in 30 days if you want this stabilized.