Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 598200 - [megacoffee] Repository URI unaccessible
Summary: [megacoffee] Repository URI unaccessible
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Overlays (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Daniel Neugebauer
URL: https://qa-reports.gentoo.org/output/...
Whiteboard:
Keywords:
Depends on:
Blocks: repository-qa-issues
  Show dependency tree
 
Reported: 2016-10-27 07:45 UTC by Michał Górny
Modified: 2016-10-30 17:09 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-27 07:45:42 UTC
Our automated repository checks [1] have detected that the 'megacoffee'
repository can not be synced.

The following URIs are listed for the repository:

  [mercurial] https://rhodecode.megacoffee.net/gentoo-overlay/main

  [mercurial] http://rhodecode.megacoffee.net/gentoo-overlay/main

Please verify that the server hosting the repository is working
correctly. If the repository has been moved to a new location or removed
altogether, please let us know to update the record appropriately.

We reserve the right to remove the repository if we do not receive any
reply within 2 weeks.

[1]:https://wiki.gentoo.org/wiki/Project:Repository_mirror_and_CI
Comment 1 Daniel Neugebauer 2016-10-27 08:04:41 UTC
I can clone our repository just fine and don't see any errors in our log.

Your log indicates an issue with SSL verification and there have been multiple other bug reports created at about the same time. We are using a certificate from CACert which was supposed to be trusted by default in Gentoo. Has this changed?
Comment 2 Daniel Neugebauer 2016-10-28 13:03:40 UTC
Okay, so it seems like cacert USE flag has indeed been unset by default. What's bad about that move (which is tracked as 580722) is that it breaks systems which used and relied on CACert before. I'll add that comment on 580722 as well...

For the moment we will be adding a note to our website as we just got emailed by one of our users complaining about not being able to access our repo for 2-3 weeks. We will (sadly) make a switch to Let's Encrypt but that will take at least a few days as I don't want to reissue certificates manually every 90 days, that's just to frequent...

So please bare with us and keep us in the overlay list, even if it should take longer than 2 weeks for us to resolve the issue. Can you please confirm? We will update this bug report as soon as we have changed the CA.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-28 13:29:48 UTC
Sure. As a side note, I think your http:// is redirecting to https://, so you may want to remove the redundant address.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-28 13:32:49 UTC
Besides, I suggest you try to obtain at least a temporary certificate ASAP because -- as you have noticed -- multiple users will lose access to the repo when upgrading. I can't say I like the way it's done, I could've just re-enabled cacert on the server but I've decided it's better to warn people about this.
Comment 5 Daniel Neugebauer 2016-10-28 13:47:43 UTC
Don't worry, I won't shoot the messenger. In fact, thanks for notifying us about that issue. :)

Concerning the redirect: That's still from when we first enabled HTTPS for our overlay and tried to smoothly "migrate" previous setups. I don't remember if that method ever worked reliably, so the HTTP URL could as well be removed now.

By the way, we were also discussing to move the repo to GitHub recently to ease collaborations with external users. AFAIK there is no mechanism to instruct layman to delete the old local overlay copy and instead clone from a new URL? So maybe we will add a GitHub URL later on and keep running our own (Mercurial-based) clone for legacy installations. What's especially bad is that not only the primary URL would change but also the VCS. Not entirely thought through yet...

Issuing a temporary LE certificate via "get HTTPS for free" would be an option (I did that before) but I'm not entirely sure if and how we can re-use the LE account authorization with an ACME client - whatever client we will choose...
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-28 14:25:44 UTC
(In reply to Daniel Neugebauer from comment #5)
> By the way, we were also discussing to move the repo to GitHub recently to
> ease collaborations with external users. AFAIK there is no mechanism to
> instruct layman to delete the old local overlay copy and instead clone from
> a new URL? So maybe we will add a GitHub URL later on and keep running our
> own (Mercurial-based) clone for legacy installations. What's especially bad
> is that not only the primary URL would change but also the VCS. Not entirely
> thought through yet...

I think that's not a major problem. As long as the name is the same, layman can detect the change and warn user somehow. If it's not doing that yet, it shouldn't be hard to change it.
Comment 7 Daniel Neugebauer 2016-10-30 15:31:27 UTC
I've sacrificed my afternoon and we now have an ACME client managing its first LE certificate on our server - the connectivity issue should now be resolved; could you please check again if it works from your test system as well?
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-30 17:09:55 UTC
The bug seems to be fixed in the repository. Closing.