Opened 11 months ago
Closed 11 months ago
#68932 closed defect (fixed)
GitLab SSL certificate changed so we can no longer mirror its files
Reported by: | NucleaPeon (Dann) | Owned by: | admin@… |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | server/hosting | Version: | 2.8.1 |
Keywords: | Cc: | ||
Port: |
Description (last modified by ryandesign (Ryan Carsten Schmidt))
I recently installed youtube-dl based on a macport installation that hasn't been updated in a while. It completed successfully. I then went to do a selfupdate and the corresponding 'sudo port upgrade outdated' command which failed when it attempted to download a version of svt-av1 that apparently doesn't exist on many servers. It eventually gave up and failed.
While data is in the log I'm attaching, basic info is this:
MacPorts 2.8.1
OS: OS X 10.6.8
Attachments (2)
Change History (14)
Changed 11 months ago by NucleaPeon (Dann)
Attachment: | svt-av1.log added |
---|
Changed 11 months ago by NucleaPeon (Dann)
Attachment: | port-svt-av1-fail.tiff added |
---|
screenshot of terminal when failure occurs
comment:1 Changed 11 months ago by NucleaPeon (Dann)
I cannot install an older version either, so downgrading is not an option and I'm currently stuck. I'm attempting to package up youtube-dl and openssh using mpkg for a project.
comment:2 Changed 11 months ago by NucleaPeon (Dann)
I tried replacing the svt-av1 file with the available 1.8.0 version but the hashes don't match.
comment:3 follow-up: 12 Changed 11 months ago by ryandesign (Ryan Carsten Schmidt)
Component: | ports → server/hosting |
---|---|
Description: | modified (diff) |
Keywords: | svt-av1 404 removed |
Owner: | set to admin@… |
Port: | sv1-av1 removed |
Status: | new → assigned |
Summary: | svt-av1 attempts to download version 1.8.0_1 but 404's every mirror it tries. Cannot find newer version but 1.8.0_1 is only available version → GitLab SSL certificate changed so we can no longer mirror its files |
Yes, I noticed this today. svt-av1 is hosted on GitLab. GitLab changed their SSL certificate a couple days ago and it is now no longer possible to connect to GitLab using the version of curl that comes with OS X 10.11 or earlier. This shouldn't have been a problem for users because we mirror the files on our server, so you should have been able to get it from our mirrors, but the machine that does the mirroring runs OS X 10.11 so it is not able to mirror this file or any other files from GitLab anymore. Upgrading the mirroring machine to a new OS version has the potential to introduce more problems so I plan to fix the problem with a smaller change: changing the MacPorts installation that the mirroring process uses so that it uses MacPorts curl instead of macOS curl, since MacPorts curl uses a newer SSL library that is able to connect to all servers.
comment:4 Changed 11 months ago by ryandesign (Ryan Carsten Schmidt)
Oh, and about youtube-dl, yes, it has not been updated in awhile because there has been no release of youtube-dl in awhile. We offer the latest version that is available. If they release a new version, of course I will update the port. You could use yt-dlp instead which has more recent releases.
comment:6 Changed 11 months ago by ryandesign (Ryan Carsten Schmidt)
It may be a couple days before I can do it; the buildbot is very busy right now building hundreds of ports after the icu update and I don't want to try to make changes while builds are in progress.
comment:7 Changed 11 months ago by raimue (Rainer Müller)
You can use the port distfiles <port>
command to get the exact path where the file is expected and the list of mirror URLs which will be tried for download. If fetch is broken due to the SSL certificate on older macOS releases, as a workaround you could still download it manually with your browser and place it into that path in /opt/local/var/macports/distfiles/
manually.
comment:8 Changed 11 months ago by ryandesign (Ryan Carsten Schmidt)
Only if the browser supports the newer certificate. The user is on Snow Leopard for which current browsers are not available so that may not work either.
I've manually mirrored the new svt-av1 1.8.0 file to solve the immediate problem. It should be available within an hour.
comment:9 Changed 11 months ago by kencu (Ken)
I helped write a version of TenFourFox that runs on MacOSX 10.4+ Intel, that can download most current things.
It has some deficiencies -- there is no async/await functionality so some sites won't work, as outlined here: https://github.com/classilla/tenfourfox/issues/653
but it is useful. I use it every day on 10.6.
I built the current version from the github repo as well for my own use, but I didn't upload that to SourceForge like I did the other releases when Cameron was actively maintaining it.
comment:10 Changed 11 months ago by NucleaPeon (Dann)
Updated my machine today and it didn't fail on svt-av1. I'm seeing an issue with py311-numpy, but I don't think that is hiding the problem as yt-dlp installed and mpkg ran fine (but I had to symlink /Developer/usr/bin/packagebuild to /usr/bin as exporting path didn't work)
@kencu On Snow Leopard, I have Firefox 48.0.2, Firefox Nightly, Spidermonkey and Arctic Fox installed and Spidermonkey seems to be the best for most sites and large numbers of tabs. I can give tenfourfox a test drive though, thanks!
comment:11 Changed 11 months ago by NucleaPeon (Dann)
I really do appreciate that you still support Snow Leopard; being able to have the latest openssh and git has made it way more functional. I aim to have most of my software projects support 10.6.8.
comment:12 Changed 11 months ago by ryandesign (Ryan Carsten Schmidt)
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Replying to ryandesign:
I plan to fix the problem with a smaller change: changing the MacPorts installation that the mirroring process uses so that it uses MacPorts curl instead of macOS curl, since MacPorts curl uses a newer SSL library that is able to connect to all servers.
Instead, I installed the USERTrust RSA Certification Authority certificate into the Keychain on the build machine and on the OS X 10.11 El Capitan and older build workers. (Install it into the System keychain, not the login keychain. If prompted, choose Always Trust. If not prompted, find the certificate in the list, double-click it to open it, click the triangle to the left of Trust, and in the When using this certificate menu, choose Always Trust.) (This is similar to what we suggest for Let's Encrypt.) This worked for me on OS X 10.9, 10.10, and 10.11. It did not work on 10.8 and earlier but now that the build machine can mirror these files again that should suffice for users on 10.8 and earlier.
main.log file of svt-av1