[Sugar-devel] lack of XO security updates, was Unable to "git clone" on Fedora 18

James Cameron quozl at laptop.org
Thu Aug 1 23:26:11 EDT 2019


No worries.  I've known for years.  And don't have the resources to
fix it.

On Thu, Aug 01, 2019 at 02:51:57PM +0000, D. Joe wrote:
> 
> I knew this is the sort of thing that would befall Fedora 18-based systems as soon as Fedora 18 reached the end of its supported lifetime.
> 
> In that light I decided we needed to stop using XOs in the classroom. 
> 
> I couldn't in good conscience promote an environment in which, for instance, students enter single sign-on network credentials.
> 
> There may be work-arounds, but the additional burden of navigating safely the various security pitfalls seems to me unsustainable. 
> 
> I know I don't have the resources to track all the pitfalls of unmaintained software in Fedora 18.
> 
> I appreciate having this as a concrete example (however unfortunate) of this process at work.
> 
> Thanks for calling this out.
> 
> 
> 
> On Sat, Jul 20, 2019 at 06:08:29PM +1000, James Cameron wrote:
> > My guess;
> > 
> > HTTPS uses OpenSSL.
> > 
> > Certain OpenSSL protocol versions are now insecure, because they have been broken, or are trivially decoded in flight.
> > 
> > GitHub correctly limits OpenSSL connections to secure protocol versions.
> > 
> > Fedora 18 does not support the modern secure protocol versions.
> > 
> > You may work around this in one of these ways;
> > 
> > - cloning over the GIT protocol,
> >   git clone git://github.com/sugarlabs/sugar-datastore
> > 
> > - using an HTTPS to HTTP proxy,
> > 
> > - bare cloning on another system then preparing the clone for access by a web server, then clone over HTTP from that web server,
> > 
> > - cloning on another system then using scp to copy the directory and contents to the Fedora 18 system,
> > 
> > - exporting your clones over NFS and mounting them on the Fedora 18 system,
> > 
> > - building a more recent OpenSSL for Fedora 18.
> > 
> > Have fun!
> > 
> > On Sat, Jul 20, 2019 at 11:47:16AM +0530, Swarup N wrote:
> > > Hello,
> > > 
> > > I was trying to set up Sugar v0.114 via native method on Fedora 18.
> > > I installed git and ran sudo yum update.
> > > When I try to clone sugar from [1]https://github.com/sugarlabs/sugar-datastore,
> > > I get the following error.
> > > 
> > > error: peer reports incompatible or unsupported protocol version. while
> > > accessing [2]https://github.com/sugarlabs/sugar-datastore.git/info/refs?service=git-upload-pack
> > > 
> > > One of the fixes I read online was to run yum update -y nss curl libcurl, but
> > > that didn't work.
> > > 
> > > Could anyone guide me on how to fix this?
> > > 
> > > Thanks
> > > 
> > > References:
> > > 
> > > [1] https://github.com/sugarlabs/sugar-datastore
> > > [2] https://github.com/sugarlabs/sugar-datastore.git/info/refs?service=git-upload-pack
> > 
> > > _______________________________________________
> > > Sugar-devel mailing list
> > > Sugar-devel at lists.sugarlabs.org
> > > http://lists.sugarlabs.org/listinfo/sugar-devel
> > 
> > 
> > -- 
> > James Cameron
> > http://quozl.netrek.org/
> 
> -- 
> Joe   On ceding power to tech companies: http://xkcd.com/1118/
> man screen | grep -A2 weird
>   A weird imagination is most useful to gain full advantage of
>   all the features.

-- 
James Cameron
http://quozl.netrek.org/
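
Added example, not part of the original thread: the git:// and plain-HTTP workarounds quoted above avoid the failing TLS handshake, which also means the transfer is no longer authenticated. The script below prepares the bare mirror for a web server and then checks on the Fedora 18 side that the clone ends at a commit ID carried over a trusted channel; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example. Function names, paths and the way the commit ID reaches the
# old system are assumptions, not part of the thread.

# Run on a machine with a current TLS stack: make a bare mirror that a plain
# web server can serve, and print the commit ID to hand to the old system
# over a channel you trust (paper, ssh, a signed mail).
prepare_mirror() {
    src=$1 dest=$2
    git clone --quiet --bare "$src" "$dest" || return 1
    # Write info/refs and objects/info/packs, which dumb-HTTP clients need.
    git --git-dir="$dest" update-server-info || return 1
    git --git-dir="$dest" rev-parse HEAD
}

# Run on the Fedora 18 system after cloning over git://, HTTP, scp or NFS.
# Succeeds only if the object store is intact and HEAD is the expected commit.
# Uses cd instead of "git -C" so it also works with old git releases.
verify_clone() {
    repo=$1 expected=$2
    (
        cd "$repo" || exit 1
        git fsck --full >/dev/null 2>&1 || { echo "fsck failed" >&2; exit 1; }
        actual=$(git rev-parse HEAD) || exit 1
        if [ "$actual" != "$expected" ]; then
            echo "HEAD is $actual, expected $expected" >&2
            exit 1
        fi
    )
}
```

Because a commit ID covers the whole tree and history behind it, a matching HEAD plus a clean `git fsck` shows the content was not altered in transit.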

