FGdata downloading error  Topic is solved

Re: FGdata downloading error

Post by rominet » Wed Mar 14, 2018 11:35 am

It would be a guarantee if SHA-1 were considered cryptographically strong. I'm not in the field (cryptography), but I believe this is not really the case anymore, esp. since February 2017 (see the SHAttered collision attack on Wikipedia).
Code:
% llh
total 832K
-rw-r--r-- 1 me users 413K Feb 27  2017 shattered-1.pdf
-rw-r--r-- 1 me users 413K Feb 27  2017 shattered-2.pdf
% ll
total 832
-rw-r--r-- 1 me users 422435 Feb 27  2017 shattered-1.pdf
-rw-r--r-- 1 me users 422435 Feb 27  2017 shattered-2.pdf
% sha1sum shattered-1.pdf shattered-2.pdf
38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-1.pdf
38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-2.pdf
% cmp shattered-1.pdf shattered-2.pdf
shattered-1.pdf shattered-2.pdf differ: byte 193, line 8
% sha256sum shattered-1.pdf shattered-2.pdf
2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0  shattered-1.pdf
d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff  shattered-2.pdf
% sha512sum shattered-1.pdf shattered-2.pdf
3c19b2cbcf72f7f5b252ea31677b8f2323d6119e49bcc0fb55931d00132385f1e749bb24cbd68c04ac826ae8421802825d3587fe185abf709669bb9693f6b416  shattered-1.pdf
f39a04842e4b28e04558496beb7cb84654ded9c00b2f873c3ef64f9dfdbc760cd0273b816858ba5b203c0dd71af8b65d6a0c1032e00e48ace0b4705eedcc1bab  shattered-2.pdf
%

The files are apparently valid PDF, the content is well under control (nice presentation, the only striking change when looking at them with okular is a background color modification), they are reasonably small and even have the exact same size. According to the above Wikipedia page:
The attack required “the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations”.

Granted, I don't have that at home, but I am not the bad guy, and time has passed since Feb 2017...

Besides, checking commit ids against the SF web site after every 'git pull' is... surely doable, but not great fun!

BTW, ISTR that the recurring problem encountered on the FG Jenkins installation when cloning FGData (see Torsten's messages on the ML) is the same, so unless I'm mistaken here, daweed is not alone with this.
rominet
 
Posts: 605
Joined: Sat Nov 01, 2014 2:33 pm
Callsign: F-KATS
Version: Git next
OS: Debian GNU/Linux

Re: FGdata downloading error

Post by AndersG » Wed Mar 14, 2018 1:35 pm

rominet wrote in Wed Mar 14, 2018 11:35 am: It would be a guarantee if SHA-1 were considered cryptographically strong. I'm not in the field (cryptography), but I believe this is not really the case anymore, esp. since February 2017 (see the SHAttered collision attack on Wikipedia).


Thanks, I had some faint recollection that that might have been the case. It might be worth noting that the attack seems to be based on creating two documents with the same hash code. The case where one forged document needs to be created that matches the hash code of an already existing document could possibly be much harder, but yes, relying on SHA-1 for integrity in a hostile environment would seem less than ideal.
Callsign: SE-AG
Aircraft (uhm...): Submarine Scout, Zeppelin NT, ZF Navy free balloon, Nordstern, Hindenburg, Short Empire flying-boat, ZNP-K, North Sea class, MTB T21 class, U.S.S. Monitor, MFI-9B, Type UB I submarine, Gokstad ship, Renault FT.
AndersG
 
Posts: 2524
Joined: Wed Nov 29, 2006 10:20 am
Location: Göteborg, Sweden
Callsign: SE-AG
OS: Debian GNU Linux

Re: FGdata downloading error

Post by rominet » Wed Mar 14, 2018 10:37 pm

You are right, this distinction is very important. Although Google said with rather strong words on Feb 23, 2017, that SHA-1 should be considered dead:
more than 20 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. [...] As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.

For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure.

We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.

when looking at the page they redirect to for more details, we find things like:
It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.

For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.

and, more interestingly in the context of this thread:
Is GIT affected?

GIT strongly relies on SHA-1 for the identification and integrity checking of all file objects and commits. It is essentially possible to create two GIT repositories with the same head commit hash and different contents, say a benign source code and a backdoored one. An attacker could potentially selectively serve either repository to targeted users. This will require attackers to compute their own collision.

In both cases, it is the same entity (person, etc.) that creates both documents/repositories/etc. In the FG context, this means such an attack on an FG Git repository would need to be performed by someone with full write access to the repo, e.g., someone with admin access to the SourceForge servers. But apparently, the SHAttered attack doesn't allow a middle man in a plain git:// connection to provide a modified repository matching the hash of the official one he can't control.

So, yes, it's probably time to move away from SHA-1 for systems whose security relies on it, but in this particular context of Git repositories where you check your downloaded HEAD Git commit id against the official site, it seems to me that there is no practical threat yet—at least, not from the SHAttered attack.
rominet
 
Posts: 605
Joined: Sat Nov 01, 2014 2:33 pm
Callsign: F-KATS
Version: Git next
OS: Debian GNU/Linux
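
Why comparing the HEAD commit id with the official one covers the whole download, as discussed in the post above (an added example, not code from any poster or from Git): a Git object id is the SHA-1 of a typed header plus the content, trees embed blob ids, and commits embed their tree and parent ids, so the check is exactly as strong as SHA-1. File names, contents and the identity line are constructed sample values, and only flat trees of regular files are handled.

```python
import hashlib
import re

# Constructed identity/timestamp line; not taken from any real repository.
WHO = "Example Dev <dev@example.invalid> 1521021600 +0000"
FULL_ID = re.compile(r"[0-9a-f]{40}")


def git_object_id(kind: str, body: bytes) -> str:
    """Object name as Git computes it: SHA-1 over '<kind> <size>\\0' + body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


def tree_id(files: dict) -> str:
    """Id of a flat tree of regular files (mode 100644), name -> content."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\0" + blob
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list, message: str) -> str:
    """Id of a commit object, which names its tree and parents by their ids."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {WHO}", f"committer {WHO}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def head_of(snapshots: list) -> str:
    """HEAD id of a linear history, one commit per snapshot (oldest first)."""
    head = None
    for n, files in enumerate(snapshots, 1):
        parents = [head] if head else []
        head = commit_id(tree_id(files), parents, f"snapshot {n}\n")
    return head


def head_matches(local_head: str, published: str) -> bool:
    """Compare HEAD with the id published out of band; refuse abbreviations."""
    a, b = local_head.strip().lower(), published.strip().lower()
    if not (FULL_ID.fullmatch(a) and FULL_ID.fullmatch(b)):
        raise ValueError("need full 40-hex commit ids")
    return a == b


if __name__ == "__main__":
    # Constructed file contents standing in for two successive snapshots.
    v1 = {"README": b"FGData\n", "version": b"2018.1.0\n"}
    v2 = {"README": b"FGData\n", "version": b"2018.1.1\n"}
    published = head_of([v1, v2])
    # Same final tree, but one byte changed in the *older* snapshot.
    served = head_of([{**v1, "README": b"FGdata\n"}, v2])
    print("untouched history matches:", head_matches(published, published))
    print("altered history matches:  ", head_matches(served, published))
```

In a real clone the local value is the output of `git rev-parse HEAD`; the published value has to come from a channel the network path cannot alter.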

Re: FGdata downloading error

Post by F_D2760 » Sun Mar 18, 2018 5:44 pm

Hi,

@Rominet: in very few words: Merci !

I did read the different posts but wasn't really able to know what to do. Your given summary was what I needed and I now have a fgdata folder and its content.

And the new FG version installed!

Regards.
Last edited by F_D2760 on Thu Mar 22, 2018 9:28 pm, edited 1 time in total.
KUbuntu 22.04
AMD Ryzen 5 5600G
AMD Radeon RX 6650 XT
22" + 22"
16 Go
F_D2760
 
Posts: 84
Joined: Thu May 09, 2013 1:27 pm
Location: Oise - France
Callsign: F_D2760
Version: Last one
OS: KUbuntu 22.04

Re: FGdata downloading error

Post by rominet » Mon Mar 19, 2018 8:35 am

Thanks, glad to see it worked for you!

Re: FGdata downloading error

Post by CoolGames » Mon Mar 19, 2018 7:35 pm

I tried many options before reading this post after I had successfully used the git version on the download page

Code:
git clone git://git.code.sf.net/p/flightgear/fgdata


instead of https.
I was using the download_and_compile.sh approach so I knew where the downloads were happening.
The script could find and compile the code happily !
CoolGames
 
Posts: 15
Joined: Fri Jan 12, 2018 1:31 am
Version: 2017.3.1
OS: Ubuntu Studio 17.10

Re: FGdata downloading error

Post by mifi » Tue Mar 20, 2018 12:19 pm

I have read somewhere (I wish I could remember where; I think it might have been in some Debian forum, but I am not sure), that there are Cisco traffic balancers at SF with software releases dating from 2012, that seem to not properly support TLS1.2. Many if not all of us that updated GnuTLS to the latest are having the same problems.
I do not quite know the details about all of this myself. I did not even read the article with the traffic analysis with full attention at the time, but I seem to remember someone patching config files to force GnuTLS to use TLS1.0 as a workaround. That sounded a bit harsh to me.

Perhaps someone else with detailed TLS knowledge can elaborate a bit more on this?
If this post is total crap, please let me know and I will delete it.
mifi
mifi
 
Posts: 327
Joined: Mon Jul 23, 2007 4:24 pm
Location: NL
Version: git next
OS: Ubuntu 18.04.x Gnome

Re: FGdata downloading error

Post by wkitty42 » Tue Mar 20, 2018 9:16 pm

as i understand it, the d&c script now prefers libopenssl to libgnussl... i've not tried using https for my git pulls since i switched during SF's recent move to another data center...
"You get more air close to the ground," said Angalo. "I read that in a book. You get lots of air low down, and not much when you go up."
"Why not?" said Gurder.
"Dunno. It's frightened of heights, I guess."
wkitty42
 
Posts: 9146
Joined: Fri Feb 20, 2015 4:46 pm
Location: central NC, USA
Callsign: wk42
Version: git next
OS: Kubuntu 20.04

Re: FGdata downloading error

Post by daweed » Wed Mar 21, 2018 1:44 pm

wkitty42 wrote in Tue Mar 20, 2018 9:16 pm: as i understand it, the d&c script now prefers libopenssl to libgnussl... i've not tried using https for my git pulls since i switched during SF's recent move to another data center...


Hello, as far as I can understand with my knowledge, the D&C script searches for and downloads the Curl lib and prefers the libopenssl one, BUT the real problem seems to come from git itself, as, even with the newly updated D&C script, when errors are raised on Git download, it is always talking about a GNU TLS error.

Googling the -110 error, I have found some threads talking about recompiling GIT with the openssl lib instead to bypass this problem [ meaning for me that by default GIT seems to be compiled with GNUTLS ], but this is far away from my knowledge ...

If someone has a step-by-step procedure, I can test it if needed

Best regards

Daweed
Windows 10 / Linux Mint 20
AMD Ryzen 7 3700X |32 Go RAM GeForce RTX 3070 Ti 8 Go
FG Interface
Lyon Saint Exupery Scenery

ATC on LFLL on Friday 19:00 UTC => 22:00 UTC
daweed
 
Posts: 398
Joined: Thu Dec 11, 2014 11:45 am
Location: LFKP LFLL
Callsign: daweed
OS: Linux Mint 20

Re: FGdata downloading error

Post by wkitty42 » Wed Mar 21, 2018 8:14 pm

yeah, i don't think we have to go that far... AFAIK, SF is the only place having this problem... i suspect it has something to do with their recent move to a new data center...

FWIW: i did see an update related to either ssl or tls come in the other day... i don't know what git is using but i don't think it is using curl... if it is, i guess that's ok :lol:
i'm wanting to say there was also a more specific update but my process only keeps the last 10 logs of our updates :(

ahhh... here's the stuff i was thinking about from my 20180315 update at 12:12 -0400...
Code:
The following packages will be upgraded:
  curl dpkg dpkg-dev firefox firefox-locale-en isc-dhcp-client
  isc-dhcp-common libcurl3 libcurl3-gnutls libcurl4-gnutls-dev libdpkg-perl

Re: FGdata downloading error

Post by rominet » Wed Mar 21, 2018 9:30 pm

@mifi: thanks for your post, seems like an interesting hypothesis (I'm not a TLS expert, though).

@daweed: could you please post the output of:
Code:
dpkg -l libcurl4-openssl-dev libcurl4-gnutls-dev

on the system where you see the dreaded “GnuTLS recv error (-110)”?

This is because the latest download_and_compile.sh (actually since FGMeta commit 5eb7dd3ef74d) only tries to install preferably libcurl4-openssl-dev, falling back to libcurl4-gnutls-dev if the former isn't available, if neither of the two packages are installed; but if you already have libcurl4-gnutls-dev, it is not removed and libcurl4-openssl-dev is not installed either.

Re: FGdata downloading error

Post by daweed » Wed Mar 21, 2018 11:34 pm

Here is what is installed:

Code:
| État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé/W=attend-traitement-déclenchements
|/ Err?=(aucune)/besoin Réinstallation (État,Err: majuscule=mauvais)
||/ Nom                                    Version                  Architecture             Description
+++-======================================-========================-========================-==================================================================================
un  libcurl4-gnutls-dev                    <aucune>                 <aucune>                 (aucune description n'est disponible)
ii  libcurl4-openssl-dev:amd64             7.47.0-1ubuntu2.7        amd64                    development files and documentation for libcurl (OpenSSL flavour)

Re: FGdata downloading error

Post by daweed » Wed Mar 21, 2018 11:41 pm

OK, I am still trying to understand.
I have downloaded the D&C script again to be sure to have the latest version.

I have started a new fresh download and compile in another directory using

../download_and_compile.sh SIMGEAR PLIB FGFS

PLIB: no problem
then it now failed on SIMGEAR

Starting one more time... fail on simgear

Started again with only simgear
../download_and_compile.sh SIMGEAR => Fail

Restarted 2 more times before it worked. I didn't do any action on the OS, no update, no replacement. It is as if sometimes I am talking to "someone who understands" and most of the time to someone who does "not understand"... very strange

Re: FGdata downloading error

Post by rominet » Thu Mar 22, 2018 12:49 am

Thanks for the precisions. The erratic behavior might be explained by load-balancing as mentioned in mifi's post (the explanation would require that for the same 'git clone' operation, several servers are used, which is probably possible, e.g. if each Git blob is fetched in a separate TLS connection).

Anyway, since I believe I've never seen this error on my system (EDIT: now I have), and have cloned fgdata “recently” from SourceForge using HTTPS (at the beginning of this thread), and since the error message mentions curl, here is what I have:
Code:
% dpkg -s curl | grep Depends
Depends: libc6 (>= 2.17), libcurl3 (= 7.52.1-5+deb9u5), zlib1g (>= 1:1.1.4)
% dpkg -s libcurl3 | grep Depends
Depends: libc6 (>= 2.17), libcomerr2 (>= 1.01), libgssapi-krb5-2 (>= 1.14+dfsg), libidn2-0 (>= 0.6), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7), libnghttp2-14 (>= 1.12.0), libpsl5 (>= 0.13.0), librtmp1 (>= 2.4+20131018.git79459a2-3~), libssh2-1 (>= 1.7.0), libssl1.0.2 (>= 1.0.2d), zlib1g (>= 1:1.1.4)
% dpkg -s libssl1.0.2
Package: libssl1.0.2
Status: install ok installed
Priority: important
Section: libs
Installed-Size: 3547
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Architecture: amd64
Multi-Arch: same
Source: openssl1.0
Version: 1.0.2l-2+deb9u2
Depends: libc6 (>= 2.14), debconf (>= 0.5) | debconf-2.0
Description: Secure Sockets Layer toolkit - shared libraries
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It provides the libssl and libcrypto shared libraries.
Homepage: https://www.openssl.org
%

Unless there is some other dependency/link I haven't seen, this means that my curl uses OpenSSL, not GnuTLS. This could be an explanation for the fact that I don't see the error.

That is also to say, I'm not even sure that recompiling Git against OpenSSL would solve the problem for you, since Git uses curl in particular with SSL support, as shown by your error message (the same as Dany's one on flightgear-devel) and this excerpt from Git's configure.ac in Debian stretch:
Code:
AC_CHECK_PROG([CURL_CONFIG], [curl-config],
[curl-config],
[no])

if test $CURL_CONFIG != no; then
    GIT_CONF_SUBST([CURL_CONFIG])
    if test -z "${NO_OPENSSL}"; then
      AC_MSG_CHECKING([if Curl supports SSL])
      if test $(curl-config --features|grep SSL) = SSL; then
         NEEDS_SSL_WITH_CURL=YesPlease
         AC_MSG_RESULT([yes])
      else
         NEEDS_SSL_WITH_CURL=
         AC_MSG_RESULT([no])
      fi
      GIT_CONF_SUBST([NEEDS_SSL_WITH_CURL])
    fi
fi
Last edited by rominet on Thu Mar 22, 2018 9:31 pm, edited 1 time in total.

Re: FGdata downloading error

Post by daweed » Thu Mar 22, 2018 6:46 am

Here is how it is on my system:

Code:
farmeradmin@FARMERSALOON ~ $ sudo dpkg -s curl | grep Depends
[sudo] Mot de passe de farmeradmin :
Depends: libc6 (>= 2.17), libcurl3-gnutls (= 7.47.0-1ubuntu2.7), zlib1g (>= 1:1.1.4)
farmeradmin@FARMERSALOON ~ $ sudo dpkg -s curl | grep Depends
Depends: libc6 (>= 2.17), libcurl3-gnutls (= 7.47.0-1ubuntu2.7), zlib1g (>= 1:1.1.4)
farmeradmin@FARMERSALOON ~ $ dpkg -s libcurl3 | grep Depends
Depends: libc6 (>= 2.17), libgssapi-krb5-2 (>= 1.10+dfsg~), libidn11 (>= 1.13), libldap-2.4-2 (>= 2.4.7), librtmp1 (>= 2.4+20131018.git79459a2-3~), libssl1.0.0 (>= 1.0.2~beta3), zlib1g (>= 1:1.1.4)
farmeradmin@FARMERSALOON ~ $ sudo dpkg -s libssl1.0.2
dpkg-query: le paquet « libssl1.0.2 » n'est pas installé et aucune information n'est disponible
Utilisez dpkg --info (= dpkg-deb --info) pour examiner les fichiers
archives, et dpkg --contents (= dpkg-deb --contents) pour afficher leur
contenu.
farmeradmin@FARMERSALOON ~ $


Before going to bed I started an FGDATA clone (I had to start it more than once for it to begin, and it can still fail during the process, that happens sometimes):

Still cloning this morning:
****************************************
**************** DATA ******************
****************************************
Clonage dans '.'...
remote: Counting objects: 61455, done.
remote: Compressing objects: 100% (27321/27321), done.
Réception d'objets: 28% (17640/61455), 177.92 MiB | 743.00 KiB/s 3.71 MiB | 703.00 KiB/s

Will see this evening

Regards
daweed
 
Posts: 398
Joined: Thu Dec 11, 2014 11:45 am
Location: LFKP LFLL
Callsign: daweed
OS: Linux Mint 20
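
The dependency walk done by hand in the posts above, automated (an added example, not a script from the thread or from download_and_compile.sh): it parses Debian Depends fields and follows curl to its libcurl package and from there to a TLS library. The two tables reuse Depends lines quoted in the thread (one shortened, as marked); the function names are hypothetical, and the result describes the curl command-line tool only, since the thread does not show the Depends line of the git package.

```python
import re

# Depends fields as quoted in the thread (rominet's libcurl3 line is shortened).
ROMINET = {
    "curl": "libc6 (>= 2.17), libcurl3 (= 7.52.1-5+deb9u5), zlib1g (>= 1:1.1.4)",
    "libcurl3": "libc6 (>= 2.17), libcomerr2 (>= 1.01), libldap-2.4-2 (>= 2.4.7), "
                "librtmp1 (>= 2.4+20131018.git79459a2-3~), libssh2-1 (>= 1.7.0), "
                "libssl1.0.2 (>= 1.0.2d), zlib1g (>= 1:1.1.4)",
    "libssl1.0.2": "libc6 (>= 2.14), debconf (>= 0.5) | debconf-2.0",
}
DAWEED = {
    "curl": "libc6 (>= 2.17), libcurl3-gnutls (= 7.47.0-1ubuntu2.7), zlib1g (>= 1:1.1.4)",
    # Installed, but curl does not depend on it, so it must not affect the result.
    "libcurl3": "libc6 (>= 2.17), libgssapi-krb5-2 (>= 1.10+dfsg~), libidn11 (>= 1.13), "
                "libldap-2.4-2 (>= 2.4.7), librtmp1 (>= 2.4+20131018.git79459a2-3~), "
                "libssl1.0.0 (>= 1.0.2~beta3), zlib1g (>= 1:1.1.4)",
}

# Debian package-name patterns mapped to the TLS library they indicate.
TLS_BY_NAME = [
    (re.compile(r"^libssl\d"), "OpenSSL"),
    (re.compile(r"^libgnutls\d"), "GnuTLS"),
    (re.compile(r"^libcurl\d+-gnutls$"), "GnuTLS"),  # libcurl's GnuTLS flavour
]


def parse_depends(field: str) -> list:
    """Package names from a Depends field; 'a | b' alternatives are both kept."""
    names = []
    for clause in field.split(","):
        for alt in clause.split("|"):
            alt = alt.strip()
            if alt:
                # Drop the "(>= x)" constraint and any ":amd64" qualifier.
                names.append(alt.split()[0].split(":")[0])
    return names


def classify(pkg: str) -> set:
    """TLS libraries indicated by a package name alone."""
    return {label for rx, label in TLS_BY_NAME if rx.search(pkg)}


def curl_tls_backend(depends_db: dict, start: str = "curl") -> set:
    """Follow start -> libcurl* -> TLS library, two levels deep and no further."""
    found = set()
    for dep in parse_depends(depends_db.get(start, "")):
        if dep.startswith("libcurl"):
            found |= classify(dep)
            for sub in parse_depends(depends_db.get(dep, "")):
                found |= classify(sub)
    return found


if __name__ == "__main__":
    print("rominet:", curl_tls_backend(ROMINET))
    print("daweed: ", curl_tls_backend(DAWEED))
```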
