Using a live Mercurial (BitBucket) ebuild I'm getting this:

warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)

That should be solvable by adding certificates to ~/.hgrc, but Portage is not a simple user...

What we have discussed so far:

<zmedico> nCdy: you could try copying the files into the temporary $HOME inside a /etc/portage/bashrc hook, like pre_pkg_setup
<ryao> nCdy: This is bitbucket. I am sure that we have plenty of live ebuilds in the tree that fetch from it. If you are having this issue, then those ebuilds have this issue. It is a security vulnerability.
<ryao> In fact, we probably shouldn't permit the fetch to function unless a chain of trust is established.
<nCdy> ryao: these certificates are here: /etc/ssl/certs/ca-certificates.crt the only thing I need (looks like) is just to point /etc/mercurial/hgrc to it

Please move this ebuild to the correct section if this one is wrong.
*** This bug has been marked as a duplicate of bug 429470 ***
Ah, sorry, didn't see that this was a security bug.
We could install `/etc/mercurial/hgrc.d/cacerts.rc`:

[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

This makes Mercurial use system certificates.
Strange, mercurial.eclass (source of src_unpack) uses:

[[ -f ${EPREFIX}/etc/ssl/certs/ca-certificates.crt ]] && cert_opt=( --config "web.cacerts=${EPREFIX}/etc/ssl/certs/ca-certificates.crt" )
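The one-liner quoted above sets `web.cacerts` only when the bundle file exists, so a missing bundle leaves the fetch running without the option. The sketch below is an added example, not code from mercurial.eclass or from this bug's participants: it refuses to build the hg command line unless the bundle is present and holds at least one PEM certificate. The function names `hg_cacerts_opt` and `hg_verified_cmd`, and the prefix argument standing in for `EPREFIX`, are hypothetical.

```bash
#!/bin/sh
# Added example: fail-closed variant of the CA-bundle check.
# Function names and the prefix argument (stand-in for EPREFIX) are hypothetical.

# Print the web.cacerts setting for the bundle under the given prefix.
# Fails if the bundle is missing, unreadable, or has no PEM certificate.
hg_cacerts_opt() {
    bundle="${1:-}/etc/ssl/certs/ca-certificates.crt"
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "CA bundle not found or unreadable: $bundle" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "CA bundle has no PEM certificates: $bundle" >&2
        return 1
    fi
    printf 'web.cacerts=%s\n' "$bundle"
}

# Build the hg command line only when verification can be enforced.
# The command is printed rather than run, so the example works offline.
hg_verified_cmd() {
    prefix="$1"; shift
    opt=$(hg_cacerts_opt "$prefix") || return 1
    printf 'hg --config %s %s\n' "$opt" "$*"
}

# Demo on a constructed, empty prefix: no bundle, so the fetch is refused.
demo=$(mktemp -d)
hg_verified_cmd "$demo" clone https://example.invalid/repo || echo "fetch refused"
rm -rf "$demo"
```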
This issue is resolved at this point through changes to both mercurial eclass and default .hgrc in mercurial package itself. Not a glsa issue.