Monday, November 23, 2009
openSUSE 11.2 doesn't ship KDE3 anymore, because it is barely maintained upstream. But you may still install and use KDE3 as your desktop environment, as the packages are available in the openSUSE Build Service. That is why we decided to set up an additional repository that contains the Packman packages that require KDE3. If you want e.g. kde3-amarok, add the following repository: http://ftp.skynet.be/pub/packman/suse/kde3/11.2/packman-kde3.repo
Friday, November 20, 2009
» osc and self-signed certificates the secure way
Obviously, a much more secure option to use the osc Build Service command-line client with your own server instances that have a self-signed certificate is to actually add that server certificate to the list of blessed ones. To do so, do as follows, all of that as root in a shell:

    # New files are created with mode 0644
    umask 0033
    cd /etc/ssl/certs
    # Fetch the certificate the server presents and keep only the PEM block
    echo | openssl s_client -showcerts \
      -connect YOUR.SERVER:SSL_PORT \
      2>&1 | sed -n '/^-----BEGIN/,/^-----END/p' \
      > SOME_FILENAME.pem
    # Rebuild the hash symlinks so OpenSSL finds the new certificate
    c_rehash .

Once you've done the above, osc will no longer complain about an invalid (server) peer certificate, as the certificate of your Build Service instance server is now accepted as a valid one. Note that in order to be really secure, you need to ask an administrator of the server what the fingerprint (also called a hash) of the server certificate actually is, in order to compare and make sure you're not blessing an already compromised server or are already subject to a man-in-the-middle attack. To do so, a user who has root access to the server should run the following command, obviously as root, and then give you the output of that command, ideally through a secure communication channel, or through several channels (e.g. SMS mobile text message and/or a signed email and/or IRC from a registered nickname):

    # On the server: SHA-1 of the certificate block in the lighttpd PEM file
    cat /etc/ssl/private/lighttpd.pem \
      | sed -n '/^-----BEGIN CERT/,/^-----END CERT/p' \
      | sha1sum | cut -f1 -d" "

You can then run the following command and compare the output with what that trusted user has given you:

    # On your machine: SHA-1 of the certificate you fetched
    fp=$(sha1sum /etc/ssl/certs/SOME_FILENAME.pem \
      | cut -f1 -d" ")
    server="...paste what the trusted user has given you here..."
    test "$fp" = "$server" && echo OK || echo COMPROMISED

If you have already patched your osc client as I described in my previous post, you can undo that patch with the following code (again, as root in a shell):

    umask 0077
    # Change to the directory that holds osc's conf.py
    cd "$(dirname "$(rpm -ql osc | grep '/conf\.py$')")"
    # Restore the backup that patch created with -b -z.orig
    mv conf.py.orig conf.py
    chmod 0644 conf.py
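The fetch-and-compare steps above, reordered so that the certificate is checked before anything is written to /etc/ssl/certs. This is an added example, not code from the original post. It goes beyond the post by hashing the decoded certificate bytes with SHA-256 instead of the PEM text with SHA-1, so it assumes the administrator sends a SHA-256 certificate fingerprint; the function names are hypothetical, and `base64` and `sha256sum` from coreutils are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the first CERTIFICATE block found on stdin, markers included, dropping
# s_client chatter and any further certificates sent because of -showcerts.
first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         on && /^-----END CERTIFICATE-----/ { exit }'
}

# SHA-256 over the decoded (DER) bytes of that certificate. Unlike a hash of
# the PEM text it does not change with line wrapping or CRLF line ends, and it
# gives the hex digits that "openssl x509 -noout -fingerprint -sha256" reports.
cert_fingerprint() {
    body=$(first_cert | grep -v '^-----' | tr -d ' \t\r\n')
    [ -n "$body" ] || return 1          # no certificate found: fail closed
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept "AB:CD:..." as well as "abcd..." from the administrator.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# install_if_trusted STAGED_FILE EXPECTED_FP TRUST_DIR NAME
# Writes TRUST_DIR/NAME.pem and returns 0 only on a match; returns 1 on a
# mismatch and 2 when either input is unusable.
install_if_trusted() {
    staged=$1 want=$(normalize_fp "$2") dir=$3 name=$4
    [ "${#want}" -eq 64 ] || { echo "expected fingerprint is not SHA-256" >&2; return 2; }
    got=$(cert_fingerprint < "$staged") || { echo "no certificate in $staged" >&2; return 2; }
    if [ "$got" != "$want" ]; then
        echo "MISMATCH: server presented $got" >&2
        return 1
    fi
    ( umask 0033; first_cert < "$staged" > "$dir/$name.pem" )
}

# Usage with the post's placeholders, staging outside the trust directory:
#   s=$(mktemp)
#   echo | openssl s_client -showcerts -connect YOUR.SERVER:SSL_PORT > "$s" 2>&1
#   install_if_trusted "$s" "$server" /etc/ssl/certs SOME_FILENAME \
#       && (cd /etc/ssl/certs && c_rehash .)
```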
If you are using your own Build Service instance as we do at Packman and if you are using a self-signed certificate for HTTPS, then this patch might come in handy for you as well. Note that it disables the peer certificate validation in osc, so don't use that with Build Service instances you don't trust, and only if you are willing to take the risk of not detecting man-in-the-middle attacks. In order to apply the patch, simply copy and paste the following block of shell code in a terminal where you are running as root:

    # Change to the directory that holds osc's conf.py
    cd "$(dirname "$(rpm -ql osc | grep '/conf\.py$')")"
    umask 0077
    curl -s -o /tmp/o.patch \
      http://linux01.gwdg.de/~pbleser/files/osc/osc-disable-peer-cert-check.diff
    # Apply the patch only if the download has the expected SHA-1;
    # -b -z.orig keeps the original file as conf.py.orig
    test "$(sha1sum /tmp/o.patch | cut -f1 -d" ")" = \
      9812ef2a18c02799b9e33d1402509c3217c39194 \
      && patch -p1 -b -z.orig -i /tmp/o.patch

UPDATE: note that in my following blog-post I describe a secure option.