8.10.3 release missing on GitHub

Question

8.10.3 release missing on GitHub

mbanck opened this issue 5 years ago · comments

I kinda understand that you prefer to keep your development in a private gitlab, but it would be nice to have at least the releases on GitHub quickly. It seems 8.10.3 got released in June?

Even more so as I get certificate errors on my Linux notebook when trying to download from abinit.org, so it is not possible to automate checking for new versions and/or downloading them from scripts:

$ wget https://www.abinit.org/sites/default/files/packages/abinit-8.10.3.tar.gz
--2019-11-03 21:24:31--  https://www.abinit.org/sites/default/files/packages/abinit-8.10.3.tar.gz
Resolving www.abinit.org (www.abinit.org)... 130.104.22.56
Connecting to www.abinit.org (www.abinit.org)|130.104.22.56|:443... connected.
ERROR: The certificate of 'www.abinit.org' is not trusted.
ERROR: The certificate of 'www.abinit.org' hasn't got a known issuer.

piti-diablotin · Answer 1 · Sat Nov 30 2019 17:11:48 GMT+0800 (China Standard Time)

Hi

It seems that with

wget https://www.abinit.org/sites/default/files/packages/abinit-8.10.3.tar.gz --no-check-certificate

it works.

Cheers

Jordan

Michael Banck · Answer 2 · Sat Nov 30 2019 17:20:32 GMT+0800 (China Standard Time)

Yes, but that's (i) extremely bad security practise and (ii) cannot be integrated with the automatic debian/watch system which allows to automatically or semi-automatically check for new upstream versions and/or download a new upstream version.

piti-diablotin · Answer 3 · Sat Nov 30 2019 17:27:49 GMT+0800 (China Standard Time)

What OS do you use ?
FF has no trouble with this certificate and validates it. Maybe the OS is to old to know the validation organization unit ?
What package debian package do you talk about ?

Michael Banck · Answer 4 · Sat Nov 30 2019 19:18:54 GMT+0800 (China Standard Time)

I use Debian stable. I know that Firefox accepts the cert, but https://www.ssllabs.com/ssltest/analyze.html?d=www.abinit.org shows "This server's certificate chain is incomplete. Grade capped to B." so there seems to be something wrong.

In any case it seems that you can reproduce the issue with wget/curl without --no-check-certificate? Downloading tarballs from the command-line / in a script is a pretty common thing, so basically disabling https is not great.

I am talking about the Debian abinit package, https://packages.debian.org/buster/abinit and the Debian framework to automatically check for new upstream versions, see e.g. https://qa.debian.org/cgi-bin/watch?pkg=abinit - I had to move to github becuase abinit.org doesn't work and that one only has 8.10.2

Jean-Michel Beuken · Answer 5 · Sat Nov 30 2019 22:12:39 GMT+0800 (China Standard Time)

The SSL certificate ( Sectigo PositiveSSL Wildcard ) for the domain *.abinit.org was signed by "Sectigo Certification Authority" ( in previous years, it was Comodo )

You need to add "Sectigo Chain Hierarchy and Intermediate Roots" ( see here )

For example, for wget, I put in the ~/.wgetrc

check_certificate = on
ca_certificate = /root/ssl/SectigoRSADomainValidationSecureServerCA.crt

Concerning the 8.10.3 release, it's an oversight :-(
I'm going to push the latest version...
However, it is a very minor update

Michael F. Herbst · Answer 6 · Fri Mar 20 2020 22:48:57 GMT+0800 (China Standard Time)

Any news on releasing 8.10.3 here?

piti-diablotin · Answer 7 · Sat Mar 21 2020 00:12:05 GMT+0800 (China Standard Time)

We are working on the next release of Abinit. I guess the next one will be pushed on github instead of 8.10.3

Jean-Michel Beuken · Answer 8 · Wed Apr 22 2020 01:15:02 GMT+0800 (China Standard Time)

The certificat problem is resolved \o/

8.10.3 release will not be published...

9.0.3 pre-release is published !