ericpaulbishop / gargoyle

Gargoyle Router Management Utility
http://www.gargoyle-router.com
468 stars 221 forks

Enable HTTPS for Gargoyle packages repo #821

Closed rootkea closed 5 years ago

rootkea commented 5 years ago

Hello!

It seems that the Gargoyle package repo http://www.gargoyle-router.com/packages/gargoyle-1.10/ar71xx/default is not served over HTTPS since when I change the url scheme to https it says "no plugins found".

Please support the secure SSL repo url.

Thanks!

lantis1008 commented 5 years ago

The correct link to the repository is: http://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default Note, you have missed the .0. This repository works fine over HTTPS.

I do not have a device running 1.10.0 at the moment so I'm not able to test this specific scenario. That being said, I have tested it and it works fine on 1.11.0. As there won't be any further bug fixes or maintenance done to the 1.10.x branch, and the current advice is to upgrade to 1.11.x (where it does work), I don't see any action required here.

What I will do however, is look at changing the feeds to use HTTPS instead of HTTP by default.

rootkea commented 5 years ago

> The correct link to the repository is: http://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default Note, you have missed the .0.

I didn't change a thing. http://www.gargoyle-router.com/packages/gargoyle-1.10/ar71xx/default (without .0) is the default one.

Gargoyle version 1.10.X (Built 20180430-1934 git@ab16f958) here.

> This repository works fine over HTTPS.

Umm.. no, it doesn't. I tried both https://www.gargoyle-router.com/packages/gargoyle-1.10/ar71xx/default and https://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default (with and without .0); "Plugin List" says "Packages not found. Refresh plugins list." even after clicking "Refresh Plugins".

However, when I tried both of the above URLs (with and without .0) without the HTTPS scheme, they seem to work.

> As there won't be any further bug fixes or maintenance done to the 1.10.x branch, and the current advice is to upgrade to 1.11.x (where it does work), I don't see any action required here.

When the "Download" page labels 1.11 as "experimental" and 1.10 as "Stable", thus making 1.10 the highest "Stable" version offered on the Gargoyle Download page, I don't think this is the apt thing to do.

> What I will do however, is look at changing the feeds to use HTTPS instead of HTTP by default.

+1

rootkea commented 5 years ago

I have set HTTPS for all the repos including OpenWrt's and they seem to work well. Here's my opkg.conf:

```
# cat /etc/opkg.conf 
src/gz chaos_calmer_base https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base
src/gz chaos_calmer_management https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management
src/gz chaos_calmer_packages https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages
src/gz chaos_calmer_routing https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing
src/gz chaos_calmer_telephony https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony
src/gz chaos_calmer_luci https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci

src/gz gargoyle https://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default

dest root /
dest ram /tmp
dest plugin_root /plugin_root
lists_dir ext /var/opkg-lists
option overlay_root /overlay
# 
```

This is what opkg update says:

```
# opkg update
Downloading package list for chaos_calmer_base source...
Package list for chaos_calmer_base downloaded successfully.

Downloading package list for gargoyle source...
WARNING: Could not retrieve package list for gargoyle.

Downloading package list for chaos_calmer_packages source...
Package list for chaos_calmer_packages downloaded successfully.

Downloading package list for chaos_calmer_telephony source...
Package list for chaos_calmer_telephony downloaded successfully.

Downloading package list for chaos_calmer_routing source...
Package list for chaos_calmer_routing downloaded successfully.

Downloading package list for chaos_calmer_management source...
Package list for chaos_calmer_management downloaded successfully.

Downloading package list for chaos_calmer_luci source...
Package list for chaos_calmer_luci downloaded successfully.

#
```

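Added example, not from this issue thread or the Gargoyle project: a small POSIX sh script that audits an opkg.conf like the one posted above for feeds still fetched over plain HTTP, writes an HTTPS-only copy, and flags whether `option check_signature` is present. The config it operates on is constructed for the example (same layout as the thread's file); `probe_feed` is an assumption that uses curl to ask the same question as the `ewget .../Packages` check requested later in the thread, needs network access, and is off unless `OPKG_AUDIT_PROBE=1` is set.

```shell
#!/bin/sh
# Added example, not part of the Gargoyle project or of this issue thread:
# audit an opkg.conf for package feeds fetched over plain HTTP and write an
# HTTPS-only copy. Needs only POSIX sh, awk and grep (BusyBox is enough).
# The sample config below is constructed for this example.

# Print "<name> <url>" for every src/gz feed whose URL is plain http://.
# Such feeds let anyone on the network path swap the package index unless
# opkg is also verifying index signatures.
list_http_feeds() {
    awk '$1 == "src/gz" && $3 ~ /^http:\/\// { print $2, $3 }' "$1"
}

# Number of plain-HTTP feeds in the config (0 means every feed uses HTTPS).
count_http_feeds() {
    list_http_feeds "$1" | wc -l | tr -d ' '
}

# Copy the config to $2, rewriting the URL of every src/gz line from http://
# to https://. Non-feed lines (dest, lists_dir, option ...) and feeds that
# already use https:// are copied unchanged.
upgrade_feeds() {
    awk '$1 == "src/gz" { sub(/^http:\/\//, "https://", $3) } { print }' "$1" > "$2"
}

# Succeeds when the config enables signature checking of the package index
# ("option check_signature"), the control that still protects you when the
# mirror itself is compromised; HTTPS alone does not cover that case.
has_signature_check() {
    grep -q '^option[[:space:]][[:space:]]*check_signature' "$1"
}

# Optional live probe (assumption: curl is installed and network is up, so it
# is not run by default): HTTP status of the feed's Packages index.
probe_feed() {
    curl -sS -o /dev/null -w '%{http_code}\n' "$1/Packages"
}

# --- constructed sample input -------------------------------------------
SAMPLE="${TMPDIR:-/tmp}/opkg-audit-sample.$$"
UPGRADED="${TMPDIR:-/tmp}/opkg-audit-upgraded.$$"
cat > "$SAMPLE" <<'EOF'
src/gz chaos_calmer_base http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base
src/gz chaos_calmer_luci https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci
src/gz gargoyle http://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
EOF

echo "plain-HTTP feeds in $SAMPLE:"
list_http_feeds "$SAMPLE"
upgrade_feeds "$SAMPLE" "$UPGRADED"
echo "after rewrite: $(count_http_feeds "$UPGRADED") plain-HTTP feeds remain"
has_signature_check "$SAMPLE" || echo "warning: no 'option check_signature' line; transport security only"
if [ "${OPKG_AUDIT_PROBE:-0}" = 1 ]; then
    list_http_feeds "$SAMPLE" | while read -r name url; do
        printf '%s over HTTPS: ' "$name"
        probe_feed "$(echo "$url" | sed 's#^http://#https://#')"
    done
fi
```

Run it as-is to see the report on the constructed sample, or point the functions at /etc/opkg.conf on a router to audit the real file. Moving a feed to HTTPS closes the on-path tampering window but does nothing against a compromised mirror; that is what the signature check on the package index is for, and the opkg.conf posted above carries no `option check_signature` line (whether that build's opkg honours the option is something to confirm on the device).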
lantis1008 commented 5 years ago

What is the output of `ewget https://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default/Packages`?

That is the default repo on a non-standard build. Like I said to you, it works fine on a 1.11.x system. I did stipulate that there may be an error in how HTTPS is negotiated, which may be causing the issue.

1.10.x is EOL with many significant security vulnerabilities. The code set is too far out of date to have patches backported.

“Experimental” and “stable” are just labels if we are being honest. The most development occurs on the experimental branch by definition. This means that while it may start unstable, it rapidly matures and becomes better than the previous stable. At some point it “graduates” to a stable branch.

rootkea commented 5 years ago

> What is the output of `ewget https://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default/Packages`?

```
# ewget https://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default/Packages
Could Not Fetch URL
# ewget https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
# 
```

Looks like a configuration issue on our part on https://www.gargoyle-router.com

> 1.10.x is EOL with many significant security vulnerabilities. The code set is too far out of date to have patches backported.

Oh. In that case I better clone and build the 11.x branch. Thanks for the info! :)

> “Experimental” and “stable” are just labels if we are being honest. The most development occurs on the experimental branch by definition. This means that while it may start unstable, it rapidly matures and becomes better than the previous stable. At some point it “graduates” to a stable branch.

Ah, so has "Experimental" matured enough? I mean, is using "Experimental" going to cause hiccups? I use Debian as a primary OS and it has a clear distinction between "Stable", "Unstable" and "Testing", so I stick with the latest "Stable".

Maybe EOLing the latest "Stable" is not a good idea? The latest "Stable" can be marked "eol" when "Experimental" has graduated to "Stable", thus serving the users who want to use the latest "Stable" with no hiccups and at the same time giving the devs the freedom to develop the next "Stable" by working on "Experimental".

rootkea commented 5 years ago

Continuing above edited comment: Meanwhile, backporting the security fixes and other important fixes to "Stable" till the "Experimental" graduates to "Stable" and marks the previous "Stable" eol.

lantis1008 commented 5 years ago

The same command works fine on 1.11.x, so the problem is therefore resolved as of some time between those two branches. It is possibly solved by an update to OpenSSL, or the inclusion of additional negotiation protocols. I don't know, but it is solved. Note: There are still some HTTPS websites that ewget on 1.11.x does not negotiate correctly with.

Yes, 1.11.x is mature. There are plenty of people on the forum who run it daily and have been doing so for 6 months or more.

I understand your concern, and in an ideal world yes this is how the stable and experimental development would occur. That being said, due to a number of factors (split and remerge of Openwrt being the main one) the Gargoyle codeset fell behind Openwrt by a significant length of time. We skipped the entire 17.xx branch of lede and went straight to 18.xx, which means that we jumped 2 entire years of upstream development in one go. I don't intend for this to happen again in quite a dramatic sense. All of these good intentions on the table, I am not the project lead nor do I have control of the release cycle etc. I can only offer suggestion and prompt when I think we should release.

Backporting of security fixes is largely controlled by upstream, and maintaining out of date kernels individually in the Gargoyle codebase is not on my todo list.

rootkea commented 5 years ago

Thanks for this comment. Looks like I should shift to 1.11.x then.

One last question: in your view, what would you suggest a general Gargoyle user use for future releases, "Experimental" or "Stable"?

I'm now a bit confused, especially because of what you said: "1.10.x is EOL with many significant security vulnerabilities." and what https://www.gargoyle-router.com/wiki/doku.php?id=changelog says: "larger experimental changes such as this should not be introduced into what everyone considers the latest stable version." "No more large, experimental changes will be introduced into the 1.0.X releases. 1.0.X will be considered stable. A new branch, 1.1.X has been created and should be considered experimental. All large changes will be introduced into this branch."

Here, 1.0.x corresponds to 1.y.x (y even) and 1.1.x to 1.y.x (y odd)

lantis1008 commented 5 years ago

There are several scenarios:

Obviously for the project to be successful, we need a mix of all 3 of these types of users. In particular, if we do not have any expert users or those who are willing to try out the latest experimental versions, we will never be able to perfect them and turn them into stable.

** In the special case of 1.10.x, I would recommend moving to 1.11.x in order to gain at least the WPA2 KRACK fixes. However, there are many other vulnerabilities.

rootkea commented 5 years ago

Thank you very much! I think I fall into category 2 so I'm now moving to 1.11.x :-)

Not sure what to do about this issue of HTTPS gargoyle repo on 1.10.x. Since there's nothing actionable which can be done to address the issue I am closing this one.