Page MenuHomePhabricator
Create Task
Maniphest T153842

Download of composer cweiske/php-sqllint requires to disable https security
Closed, ResolvedPublic
Actions

Description

To lint SQL files (T132641) the labs/tools/heritage added a composer dependency upon cweiske/php-sqllint. That downloads the package from git://git.cweiske.de/php-sqllint.git which is not a secure protocol. Hence compose bails out:

$ composer require cweiske/php-sqllint
...
  - Installing cweiske/php-sqllint (v0.1.3)
    Cloning ad7dac068d29c9bd9b07c4e908914448950aec30

Installation failed, deleting ./composer.json.

                                                                               
  [Composer\Downloader\TransportException]                                     
  Your configuration does not allow connections to git://git.cweiske.de/php-s  
  qllint.git. See https://getcomposer.org/doc/06-config.md#secure-http for de  
  tails.

The git.cweiske.de respond to https with a certificate from Let's Encrypt. Unfortunately the name is mail.cweiske.de.

$ openssl s_client -showcerts -servername git.cweiske.de -connect git.cweiske.de:443
Certificate chain
 0 s:/CN=mail.cweiske.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3


Server certificate
subject=/CN=mail.cweiske.de
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

We want to reach out to the host to:

  • get a valid certificate on git.cweiske.de
  • expose the git repositories over https
  • update packagist :}

Then we can remove the composer option in https://gerrit.wikimedia.org/r/#/c/315226/2/composer.json

Details

SubjectRepoBranchLines +/-
composer: enable secure httplabs/tools/heritagemaster+0 -3
Customize query in gerrit

Related Objects

Event Timeline

hashar created this task.Dec 21 2016, 10:00 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 21 2016, 10:00 AM
Lokal_Profil subscribed.EditedDec 21 2016, 10:05 AM

I'm reaching out to inform the host.

JeanFred added a comment.Dec 21 2016, 10:11 AM

Makes sense. Thanks @hashar for flagging this and @Lokal_Profil for trackling this :)

hashar added a comment.Dec 21 2016, 10:14 AM

I have mailed the author to the email listed on http://cweiske.de/feedback.htm

hashar mentioned this in T132641: Standardise SQL formatting and lint .sql files at CI.Dec 21 2016, 10:16 AM
hashar added a comment.Dec 21 2016, 11:01 AM

@Lokal_Profil I filled this task and then sent him an email. It seems you did the same, at worse he will get two emails :-}

hashar added a comment.Dec 23 2016, 3:17 PM

Got a reply from the author Christian Weiske:

However on packagist.org it is registered with the git protocol which
cause composer to complain because it is not secure (for good reason):

I've added HTTPS cloning support to my git repositories and changed the
php-sqllint repository on packagist.

And indeed:

$ composer info cweiske/php-sqllint|grep source
source   : [git] https://git.cweiske.de/php-sqllint.git 
                 ^^^^^

git.cweiske.de now has a certificate name with the proper server name:

$ openssl s_client -showcerts -servername git.cweiske.de -connect git.cweiske.de:443
Certificate chain
 0 s:/CN=git.cweiske.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=git.cweiske.de
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
gerritbot subscribed.Dec 23 2016, 3:21 PM

Change 328914 had a related patch set uploaded (by Hashar):
composer: enable secure http

https://gerrit.wikimedia.org/r/328914

gerritbot added a project: Patch-For-Review.Dec 23 2016, 3:21 PM

Change 328914 merged by jenkins-bot:
composer: enable secure http

https://gerrit.wikimedia.org/r/328914

hashar closed this task as Resolved.Dec 23 2016, 3:23 PM
hashar claimed this task.

Aced!

JeanFred added a comment.Dec 23 2016, 3:25 PM

*high-five*

hashar added a comment.Dec 23 2016, 3:29 PM

antoine-approve

Stashbot mentioned this in T153746: ErfgoedBot categorisation process should ignore hidden categories.Jan 9 2017, 9:57 PM
Stashbot subscribed.

Mentioned in SAL (#wikimedia-labs) [2017-01-09T21:57:16Z] <JeanFred> Deploy latest from Git master: 3639bb0 (T153746), daee265 (T153842), 282b912, 6fd681c, e00ba31 (T154857)

Stashbot mentioned this in T154857: Fix Nepal in monuments database.Jan 9 2017, 9:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL