Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Martin Jansa]

On Thu, Aug 05, 2010 at 06:44:53AM +0000, git version control wrote:
> Module: openembedded.git
> Branch: org.openembedded.dev
> Commit: 64b73f5d3bc4516de7deaf2c3647a96a1d5285e1
> URL:    http://gitweb.openembedded.net/?p=openembedded.git&a=commit;h=64b73f5d3bc4516de7deaf2c3647a96a1d5285e1
> 
> Author: Roman I Khimov <khimov@altell.ru>
> Date:   Thu Aug  5 10:16:54 2010 +0400
> 
> bitbake.conf: trust server certificate when doing svn over https
> 
> Fixes fetching from https:// svn repos with self-signed certs.

Maybe we should add also
--accept theirs-full (just in case)
--force (to force overwrite of existing files)

ie 
matchbox-panel-2-icon-themes_0.0.1.bb
matchbox-panel-2_svn.bb
are checkouting/updating tiwo different SRCREVs and every few builds you
end up removing svn checkout from downloads dir, just because it
refuses to upgrade to newer revision (applets dir already exists there).

Any objections (someone intentionaly keeping dirty checkouts in his
DL_DIR)?

Regards,
-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Roman I Khimov]

В сообщении от Четверг 05 августа 2010 11:12:01 автор Martin Jansa написал:
> Maybe we should add also
> --accept theirs-full (just in case)
> --force (to force overwrite of existing files)
> 
> ie
> matchbox-panel-2-icon-themes_0.0.1.bb
> matchbox-panel-2_svn.bb
> are checkouting/updating tiwo different SRCREVs and every few builds you
> end up removing svn checkout from downloads dir, just because it
> refuses to upgrade to newer revision (applets dir already exists there).
> 
> Any objections (someone intentionaly keeping dirty checkouts in his
> DL_DIR)?

No objections here.

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Martin Jansa]

On Thu, Aug 05, 2010 at 11:38:00AM +0400, Roman I Khimov wrote:
> В сообщении от Четверг 05 августа 2010 11:12:01 автор Martin Jansa написал:
> > Maybe we should add also
> > --accept theirs-full (just in case)
> > --force (to force overwrite of existing files)
> > 
> > ie
> > matchbox-panel-2-icon-themes_0.0.1.bb
> > matchbox-panel-2_svn.bb
> > are checkouting/updating tiwo different SRCREVs and every few builds you
> > end up removing svn checkout from downloads dir, just because it
> > refuses to upgrade to newer revision (applets dir already exists there).
> > 
> > Any objections (someone intentionaly keeping dirty checkouts in his
> > DL_DIR)?
> 
> No objections here.

On older buildhost I noticed that
svn, version 1.5.1 (r32289)
doesn't support --trust-server-cert

Added in 1.6 http://subversion.apache.org/docs/release-notes/1.6.html

I don't know if it's worth it to force builders to upgrade subversion or
add their FETCHCOMMAND_svn UPDATECOMMAND_svn to local.conf.

I'll send patch removing --trust-server-cert and adding force+accept.

Regards,

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Roman I Khimov]

В сообщении от Четверг 05 августа 2010 12:24:40 автор Martin Jansa написал:
> On Thu, Aug 05, 2010 at 11:38:00AM +0400, Roman I Khimov wrote:
> > В сообщении от Четверг 05 августа 2010 11:12:01 автор Martin Jansa 
написал:
> > > Maybe we should add also
> > > --accept theirs-full (just in case)
> > > --force (to force overwrite of existing files)
> > >
> > > ie
> > > matchbox-panel-2-icon-themes_0.0.1.bb
> > > matchbox-panel-2_svn.bb
> > > are checkouting/updating tiwo different SRCREVs and every few builds
> > > you end up removing svn checkout from downloads dir, just because it
> > > refuses to upgrade to newer revision (applets dir already exists
> > > there).
> > >
> > > Any objections (someone intentionaly keeping dirty checkouts in his
> > > DL_DIR)?
> >
> > No objections here.
> 
> On older buildhost I noticed that
> svn, version 1.5.1 (r32289)
> doesn't support --trust-server-cert

Argh. Certainly, not my day. Usually I use Debian lenny as a build machine and 
that really has 1.5.1 with no "--trust-server-cert" option. And that pf_ring 
recipe that does svn over https worked there just because I've had that repo 
checked out before packaging it in OE.

Then as usually I've cherry-picked the patch to another machine with different 
machine/distro build configuration (surprisingly how often seem-to-be-good 
recipes fail after that) running under OpenSUSE 11.2. Immediately seen svn 
checkout error and figured out that it's "trivial" to fix (with OpenSUSE's svn 
1.6.6).

Turns out, not that much. Sorry. Feel free to revert it as I would only be 
able to do that some 8-9 hours later.

> I don't know if it's worth it to force builders to upgrade subversion or
> add their FETCHCOMMAND_svn UPDATECOMMAND_svn to local.conf.

IMO we should not break support for major stable (or LTS) distros, so my patch 
is broken.

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Frans Meulenbroeks]

2010/8/5 Roman I Khimov <khimov@altell.ru>:
> В сообщении от Четверг 05 августа 2010 12:24:40 автор Martin Jansa написал:

>
>> I don't know if it's worth it to force builders to upgrade subversion or
>> add their FETCHCOMMAND_svn UPDATECOMMAND_svn to local.conf.
>
> IMO we should not break support for major stable (or LTS) distros, so my patch
> is broken.
>
I agree that we should not break support for major distros. but
without your patch some of the recipes cannot be build easily.
The solution of Martin seems a good inbetween.

Frans

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Roman I Khimov]

В сообщении от Четверг 05 августа 2010 12:55:05 автор Frans Meulenbroeks написал:
> 2010/8/5 Roman I Khimov <khimov@altell.ru>:
> > В сообщении от Четверг 05 августа 2010 12:24:40 автор Martin Jansa написал:
> >> I don't know if it's worth it to force builders to upgrade subversion or
> >> add their FETCHCOMMAND_svn UPDATECOMMAND_svn to local.conf.
> >
> > IMO we should not break support for major stable (or LTS) distros, so my
> > patch is broken.
> 
> I agree that we should not break support for major distros. but
> without your patch some of the recipes cannot be build easily.
> The solution of Martin seems a good inbetween.

Unfortunately, "--force" wouldn't solve untrusted certificate problem:

build@build2:~$ svn --non-interactive --force co https://svn.ntop.org/svn/ntop/trunk/PF_RING
svn: OPTIONS of 'https://svn.ntop.org/svn/ntop/trunk/PF_RING': Server certificate verification failed: issuer is not trusted (https://svn.ntop.org)
build@build2:~$ svn --version |grep \ version
svn, version 1.5.1 (r32289)

So it either stays as it is or we need svn-native to really fix the problem.

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Martin Jansa]

On Thu, Aug 05, 2010 at 10:55:05AM +0200, Frans Meulenbroeks wrote:
> 2010/8/5 Roman I Khimov <khimov@altell.ru>:
> > В сообщении от Четверг 05 августа 2010 12:24:40 автор Martin Jansa написал:
> 
> >
> >> I don't know if it's worth it to force builders to upgrade subversion or
> >> add their FETCHCOMMAND_svn UPDATECOMMAND_svn to local.conf.
> >
> > IMO we should not break support for major stable (or LTS) distros, so my patch
> > is broken.
> >
> I agree that we should not break support for major distros. but
> without your patch some of the recipes cannot be build easily.
> The solution of Martin seems a good inbetween.
> 
> Frans

I've pushed my patch removing --trust-server-cert and adding --accept,
but --accept is only for >=1.5

If we want to support svn older than that ie:
svn, version 1.1.1 (r11581) in RHEL4
maybe we should add subversion-native and drop ASSUME_PROVIDED?

Regards,

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

Re: [oe-commits] Roman I Khimov : bitbake.conf: trust server certificate when doing svn over https

[Tom Rini]

Frans Meulenbroeks wrote:
> 2010/8/5 Roman I Khimov <khimov@altell.ru>:
>> В сообщении от Четверг 05 августа 2010 12:24:40 автор Martin Jansa написал:
> 
>>> I don't know if it's worth it to force builders to upgrade subversion or
>>> add their FETCHCOMMAND_svn UPDATECOMMAND_svn to local.conf.
>> IMO we should not break support for major stable (or LTS) distros, so my patch
>> is broken.
>>
> I agree that we should not break support for major distros. but
> without your patch some of the recipes cannot be build easily.
> The solution of Martin seems a good inbetween.

Adding subversion-native isn't hard, I've got one around locally for 
RHEL4 :) It's svn 1.6.5.  Also got the logic to add svn-native for any 
svn:// uris.

-- 
Tom Rini
Mentor Graphics Corporation