:: Re: [DNG] deb.devuan.org - bad cert…
トップ ページ
このメッセージを削除
このメッセージに返信
著者: onefang
日付:  
To: dng
題目: Re: [DNG] deb.devuan.org - bad certificate?
On 2024-08-29 14:05:04, Dan Purgert via Dng wrote:
> On Aug 28, 2024, R A Montante, Ph.D. via Dng wrote:
> > Hello all,
> >
> > I'm having an issue  doing "sudo apt update" --- it runs very slowly and
> > gives the results below.  Does anyone know what's going on?  (There's a 2nd
> > copy-paste after this one, BTW).
> >
> >
> > Tried from my school just now (I've highlighted the first lines in red
> > because they're so surprising):
> >
> > > Err:5 http://deb.devuan.org/merged daedalus InRelease
> > > Err:6 http://deb.devuan.org/merged daedalus-security InRelease
> > > Err:7 http://deb.devuan.org/merged daedalus-updates InRelease
> > >  Temporary failure resolving 'deb.devuan.org'
>
> Your DNS resolver doesn't like deb.devuan.org for some reason or other.
>
> > So I tried/browsing/ to "deb.rr.devuan.org" (the CNAME) and got this error
> > message (I highlighted the certificate problem in red):
> >
> > >
> > > Warning: Potential Security Risk Ahead
> > >
> > > Firefox detected a potential security threat and did not continue to
> > > *deb.rr.devuan.org*. If you visit this site, attackers could try to
> > > steal information like your passwords, emails, or credit card details.
>
> Testing with FF here causes FF to whine because it's http:// not
> https:// (which is a non-issue for repos anyway, as packages are checked
> against GPG-signed hashes).
>
> IN OTHER WORDS -->> the big scary warning is fallout from the "HTTPS
> Everywhere" movement pushed by Google et. al. about a decade ago. Well,
> at least I think that was what people were calling it; quick check at
> wikipedia says it was just a plugin for browsers pushed by the EFF.
>
> If I force https:// ; then I get a cert error for a LE cert applied for
> various "rrq.au" domains. I'd assume it's just apache falling through
> to whatever cert it has available, rather than any malice.


deb.devuan.org is a DNS round robin (DNS-RR), mirror.rrq.au was recently
added to it. So sometimes you'll get the IPs of rrq's mirror when you
ask for deb.devuan.org, sometimes you'll get one of the other mirrors.

deb.devuan.org can't have a HTTPS cert, coz it would have to be shared
with all the package mirrors in the DNS-RR.

Last I checked rrq's mirror doesn't support HTTPS, but he may have
changed that.

> Pretty sure 'rrq' is a semi-frequent commenter here, so perhaps he'll
> see it and chime in.


rrq is one of our Devuan developers, and does indeed comment here.

--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.