
Bug#882297: marked as done (tracker.debian.org: Get rid of InsecureRequestWarning)



Your message dated Tue, 21 Nov 2017 16:16:49 +0100
with message-id <20171121151649.2yxfmp6d6s7efguq@home.ouaza.com>
and subject line Re: tracker.debian.org: Get rid of InsecureRequestWarning
has caused the Debian Bug report #882297,
regarding tracker.debian.org: Get rid of InsecureRequestWarning
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882297
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: tracker.debian.org
Severity: important

Since we switched to Python 3 on tracker.debian.org, the cron tasks
are generating annoying warnings. The following commands (at least) are
affected:
./manage.py tracker_run_all_tasks
./manage.py tracker_update_pseudo_packages

The warning shown is this one:
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:845: InsecureRequestWarning: Unverified HTTPS
request is being made. Adding certificate verification is strongly advised. See:
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)

We need to investigate what code is causing this. I suspect one of the places
where it happens is within pysimplesoap so it might not be trivial to fix. We might
want to work around this by disabling this specific warning in the place where we use
pysimplesoap.

But in general this should be fixed as we want TLS certificates to be verified.

Or maybe the code is fine in the general case and we are only hit by the debian.org
way of managing TLS certificates:
https://wiki.debian.org/ServicesSSL

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
On Tue, 21 Nov 2017 09:21:49 +0100 Raphael Hertzog <hertzog@debian.org> wrote:
> /usr/lib/python3/dist-packages/urllib3/connectionpool.py:845: InsecureRequestWarning: Unverified HTTPS

It looks like they were all due to requests.get()'s "verify" attribute being
set to False.

I changed it to true in 3cac00262e4287234c2e08e3b2b22f96dcd009a4 and then
added debian-specific code to use the global CA bundle in
eac12f2e8ca318cfa9be203e42f23121d74aaa34.

I did not have any other occurrence of this warning so far.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

--- End Message ---
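
A static check for the cause named in the reply above (requests calls passing verify=False), as an added example that is not part of the original thread or of the tracker code base. The sample source, the function name and the command-line wrapper are constructed for illustration.

```python
import ast
import sys

# Constructed sample source standing in for a module that fetches remote data.
SAMPLE = '''
import requests

def fetch(url):
    return requests.get(url, verify=False)

def fetch_ok(url):
    return requests.get(url, verify="/etc/ssl/certs/ca-certificates.crt")

def fetch_session(session, url, **opts):
    opts["timeout"] = 30
    return session.post(url, data=b"", verify=False, **opts)
'''


def find_unverified_calls(source, filename="<sample>"):
    """Return sorted (filename, line, callee) for every call with a literal verify=False."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            # kw.arg is None for **kwargs; a value passed that way cannot be
            # resolved statically, so only the literal keyword is reported.
            if (kw.arg == "verify"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                hits.append((filename, node.lineno, ast.unparse(node.func)))
    return sorted(hits)


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    if len(sys.argv) > 1:
        results = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                results += find_unverified_calls(fh.read(), path)
    else:
        results = find_unverified_calls(SAMPLE)
    for name, line, callee in results:
        print(f"{name}:{line}: {callee}(..., verify=False) disables certificate verification")
    sys.exit(1 if results else 0)
```

The non-zero exit status on a hit lets the check gate a CI job; calls that receive verify through a variable or **kwargs are not detected and still need review.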