Bug 108016 - ebuild fails to download the new version of realplayer
Summary: ebuild fails to download the new version of realplayer
Status: RESOLVED DUPLICATE of bug 101457
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Linux bug wranglers
Reported: 2005-10-03 14:07 UTC by Ben
Modified: 2005-11-05 20:17 UTC
Description Ben 2005-10-03 14:07:15 UTC
When updating realplayer (came out today) wget fails to download the source when
it is called by portage due to a security problem. 

I resolved the problem by downloading the file from the same source using firefox.


Reproducible: Always
Steps to Reproduce:
1. emerge -u realplayer or emerge -u world

Actual Results:  
>>> emerge (3 of 10) media-video/realplayer-10.0.6 to /
>>> Downloading
https://helixcommunity.org/download.php/1589/RealPlayer-10.0.6.776-20050915.i586.rpm
--16:55:46-- 
https://helixcommunity.org/download.php/1589/RealPlayer-10.0.6.776-20050915.i586.rpm
           => `/usr/portage/distfiles/RealPlayer-10.0.6.776-20050915.i586.rpm'
Resolving helixcommunity.org... 207.188.25.135
Connecting to helixcommunity.org|207.188.25.135|:443... connected.
ERROR: Certificate verification error for helixcommunity.org: unable to get
local issuer certificate
To connect to helixcommunity.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
!!! Couldn't download RealPlayer-10.0.6.776-20050915.i586.rpm. Aborting.


Expected Results:  
Downloaded RealPlayer-10.0.6.776-20050915.i586.rpm  and happily installed it. 

 emerge info
Portage 2.0.53_rc3 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r1,
2.6.12-nitro5 i686)
=================================================================
System uname: 2.6.12-nitro5 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.0_pre8
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O3 -pipe -funroll-loops"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env
/usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=athlon-xp -O3 -pipe -funroll-loops"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.chem.wisc.edu/gentoo/
http://mirror.datapipe.net/gentoo http://gentoo.chem.wisc.edu/gentoo/
ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://130.207.108.134/pub/gentoo
http://mirror.datapipe.net/gentoo http://gentoo.mirrors.tds.net/gentoo
ftp://130.207.108.136/pub/gentoo ftp://130.207.108.135/pub/gentoo
http://gentoo.mirrors.easynews.com/linux/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow 3ds X a52 aac aim alsa ansi apache2 apm arts artworkextra async
atlas audiofile avantgo avi bash-completion beepmp bitmap-fonts blender-game
calendar cddb cdparanoia cdr cdrom cgi chroot clanJavaScript clanVoice codecs
cpdflib crypt css cups curl devfs26 dga dhcp directfb divx4linux dts dv dvd dvdr
dvdread dvdrw editor edl eds emboss encode erandom esd ethereal evo evo2
evolution exif fam fame festival ffmpeg firefox flac flash fmod foomaticdb
fortran fpx freetts freetype freetype-version-1 ftp gb gcj gd gif gimp gimpprint
gkrellm glut gnokii gnome gphoto2 gpm gs gsm gstreamer gtk gtk+ gtk2 guile hald
howl icq ieee1394 image imagekits imagemagick imap imlib ipv6 j2ee jabber java
javascript joystick jp2 jpeg jpeg2k junit kadu-modules kadu-voice kde
koffice-plugin lcms ldap libcaca libg++ libsamplerate libwww live lm_sensors lzo
lzw lzw-tiff mad mapeditor maps matroska mikmod mime ming mjpeg mmx mng monkey
motif mozdevelop mozilla mozsvg mp3 mpeg mplayer mppe-mppc msn music mysql nas
ncurses network nls nptl nvidia objc ogg oggvorbis openal opengl oscar oss pam
pda pdf pdfkit pdflib perl php png python qt quicktime readline real samba sasl
scanner sdl slang soundtouch speedo speex spell sse ssl svg svga tcltk tcpd
tetex tiff transcode truetype truetype-fonts type1 type1-fonts usb v4l v4l2
vorbis win32codecs wmf xine xinerama xml xml2 xmms xpm xscreensaver xv xvid xvmc
yahoo zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-10-03 14:09:47 UTC

*** This bug has been marked as a duplicate of 101457 ***
Comment 2 Erik Strack 2005-11-05 20:17:44 UTC
(In reply to comment #0, and duplicate status)

I don't believe this, and bugs 110734, 107317 are exactly duplicates of 101457.

However, if 101457 is resolved in a manner suggested by many comments,
resolution of 101457 may effectively make this "bug" go away too.

Examining the certificate used by the https server at helixcommunity.org, it is
signed by Equifax_Secure_Global_eBusiness_CA-1, which is a commercial CA I
believe.  So helixcommunity.org's cert is in fact not a self-signed certificate
if I got this right.

In fact, downloading from Equifax.com Equifax_Secure_Global_eBusiness_CA-1 and
adding it to my local indexed OpenSSL cert store enabled the RealPlayer to be
downloaded and emerged just fine, with wget operating in its default mode which
is to verify the certs.

I was thinking it would be nice to have the ebuild push the required CA cert
down to the client and have wget use this CA cert temporarily to verify the
https server cert.

In this manner, the security of using https in the first place would remain
largely uncompromised assuming the CA cert comes from a trusted source. 
(Gentoo.org server)

But, I suppose the MD5 sums provide enough validation of package authenticity
anyways, so perhaps this is all unnecessary and the proposed resolution of 101457
of having wget simply skip validation of the server cert is sufficient.

Therefore, I'm not questioning this being marked as a dup.  :)

Y'all are probably thinking I've wasted your time - I occasionally deal with
security at work and I believe trust is going to become very important to
software distribution in the not-so-distant future.  I apologize for being a
Gentoo newbie and not understanding the trust and package verification system.
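
The certificate-chain situation discussed in this thread, as an added example that is not part of the bug report or of Portage: a throwaway CA and server certificate reproduce the `unable to get local issuer certificate` error and show it clearing once the issuing CA is supplied, after which a download can keep verification on and still be checked by digest. All names, subjects and helper functions are constructed for illustration, and SHA-256 stands in for the MD5 sums mentioned in Comment 2.

```shell
#!/bin/sh
# Added illustration: every subject name, path and helper here is constructed.

# Throwaway CA plus a server certificate it signs, standing in for the
# commercial CA and the download host's certificate.
make_demo_pki() {   # usage: make_demo_pki DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=downloads.example.org" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
}

# Client whose default trust store lacks the issuing CA: verification stops
# with "unable to get local issuer certificate", the error wget reported.
verify_without_ca() {   # usage: verify_without_ca SERVER_CERT
    openssl verify "$1" 2>&1
}

# Same certificate once the issuing CA is supplied as a trust anchor.
verify_with_ca() {      # usage: verify_with_ca CA_FILE SERVER_CERT
    openssl verify -CAfile "$1" "$2" 2>&1
}

# Compare a file against an expected SHA-256 digest (hex).
check_digest() {        # usage: check_digest FILE SHA256
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Download with certificate checking left on, adding CA_FILE to wget's trust
# anchors, then check the digest; a failed check removes the file.
fetch_pinned() {        # usage: fetch_pinned URL CA_FILE SHA256 DEST
    wget --ca-certificate="$2" -O "$4" "$1" && check_digest "$4" "$3" && return 0
    rm -f "$4"
    return 1
}
```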