-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tue, Aug 26, 2014 at 12:36:47PM +0200, Vít Ondruch wrote: > $ gem fetch power_assert > ERROR: Could not find a valid gem 'power_assert' (>= 0), here is why: > Unable to download data from https://rubygems.org/ - > SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: > certificate verify failed > (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz) > > > Upstream RubyGems ships the certificates, but on your request, I removed > the bundled certificates [1]. Now, 3 months later are RubyGems broken in > F21+ due to this update. Luckily, I have never backported this commit to > F20, so this particular update is not harmful for stable Fedora release, > but what am I supposed to do with F21+? > > I don't feel like contacting Amazon. You claim that nothing should break > and Mozilla contacted everybody, so why not Amazon? Are they so negligible? > > Should I follow your advises or follow upstream? Sorry, but this puzzles > me ... Hmmm, according to SSLLabs[0] rubygems.org is using a 2048-bit certificate and chains all the way up to the CA with 2048-bit certificate. The s3.amazonaws.com URL also uses a 2048-bit cert and chains up to the CA with 2048-bit certs as well. If the "fix" to the CA trust file only removed CAs with weak (<2048-bit) certificates it would appear that the breakage you see wouldn't be affected by this. Out of curisity, did certificate verification get turned on in the F21 version? - -- Eric - -------------------------------------------------- Eric "Sparks" Christensen Fedora Project sparks@xxxxxxxxxxxxxxxxx - sparks@xxxxxxxxxx 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - -------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJT/KEGAAoJEB/kgVGp2CYv0UoL/2xSiic1najZuVsrCNMkmbkm cH/7v/r9NAFFm0+yqjyl7Z1yweOb/VFIKTqBp2WuxEP2JFrclc/8MwG7vGymjDra 7wPxj+vF3vebHDWKW5MU6QFIE7LdumYTRqty5sSX/BfoFZIf1ZNI2zLPd5HglS+e A+KjfSHjRChUIdobD/hDqxdJc36h3w1rUMzqx/lywpNxWsL56JpxqjT139O8C9xA qIIdnjZJUtE2xK78rnRFjWgRZkUj2M2rjJfTpYwwcofsVkyNeh1nlTcmXnLyOyw3 zNoy8CpmfMFAOiVq6JZTl3gL77k76AjdnJ3Q+tT1uxZTx0lSxZz44iSB9s50ZLDb rR7lG08Je3kuk6S5afIeoo8PtFlQpxBVam1pBMiLjMXjCQP4VB2YldG2PBBuWIoz dyvDXjlSGJwDHjJRjw1tmN5VijqDjDIrAhDsm0ddzl2b9ZlfdqF5QHF50vA56lbG iCVd4QtM/eUGrx5nkn0sprhll2XIZZ+2jXNnRZEkTQ== =5t+O -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
