[Sugar-devel] lack of XO security updates, was Unable to "git clone" on Fedora 18

D. Joe sugarlabs at etrumeus.com
Thu Aug 1 10:51:57 EDT 2019


I knew this is the sort of thing that would befall Fedora 18-based systems as soon as Fedora 18 reached the end of its supported lifetime.

In that light I decided we needed to stop using XOs in the classroom. 

I couldn't in good conscience promote an environment in which, for instance, students enter single-sign on network credentials. 

There may be work-arounds, but the additional burden of navigating safely the various security pitfalls seems to me unsustainable. 

I know I don't have the resources to track all the pitfalls of unmaintained software in Fedora 18.

I appreciate having this as a concrete example (however unfortunate) of this process at work.

Thanks for calling this out.



On Sat, Jul 20, 2019 at 06:08:29PM +1000, James Cameron wrote:
> My guess;
> 
> HTTPS uses OpenSSL.
> 
> Certain OpenSSL protocol versions are now insecure, because they have been broken, or are trivially decoded in flight.
> 
> GitHub correctly limits OpenSSL connections to secure protocol versions.
> 
> Fedora 18 does not support the modern secure protocol versions.
> 
> You may work around this in one of these ways;
> 
> - cloning over the GIT protocol,
>   git clone git://github.com/sugarlabs/sugar-datastore
> 
> - using an HTTPS to HTTP proxy,
> 
> - bare cloning on another system then preparing the clone for access by a web server, then clone over HTTP from that web server,
> 
> - cloning on another system then using scp to copy the directory and contents to the Fedora 18 system,
> 
> - exporting your clones over NFS and mounting them on the Fedora 18 system,
> 
> - building a more recent OpenSSL for Fedora 18.
> 
> Have fun!
> 
> On Sat, Jul 20, 2019 at 11:47:16AM +0530, Swarup N wrote:
> > Hello,
> > 
> > I was trying to setup Sugar v0.114 via native method on Fedora 18.
> > I installed git and ran sudo yum update.
> > When I try to clone sugar from [1]https://github.com/sugarlabs/sugar-datastore,
> > I get the following error.
> > 
> > error: peer reports incompatible or unsupported protocol version. while
> > accessing [2]https://github.com/sugarlabs/sugar-datastore.git/info/refs?service
> > =git-upload-pack
> > 
> > One of the fixes I read online was to run yum update -y nss curl libcurl, but
> > that didn't work.
> > 
> > Could anyone guide me on how to fix this?
> > 
> > Thanks
> > 
> > References:
> > 
> > [1] https://github.com/sugarlabs/sugar-datastore
> > [2] https://github.com/sugarlabs/sugar-datastore.git/info/refs?service=git-upload-pack
> 
> > _______________________________________________
> > Sugar-devel mailing list
> > Sugar-devel at lists.sugarlabs.org
> > http://lists.sugarlabs.org/listinfo/sugar-devel
> 
> 
> -- 
> James Cameron
> http://quozl.netrek.org/
> _______________________________________________
> Sugar-devel mailing list
> Sugar-devel at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel

-- 
-- 
Joe   On ceding power to tech companies: http://xkcd.com/1118/
man screen | grep -A2 weird
  A weird imagination is most useful to gain full advantage of
  all the features.


More information about the Sugar-devel mailing list