From e27ef839d9f755f4ce1445762fb0fbc2fc4fc91b Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Tue, 10 May 2022 13:34:10 -0500
Subject: [PATCH] Deprecate GDtlsClientConnection validation flags
See !2214 for motivation. It doesn't work properly anymore, and the TLS versions of these functions were already deprecated. Sadly, I missed the DTLS versions. Fixes #2646
---
 gio/gdtlsclientconnection.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/gio/gdtlsclientconnection.c b/gio/gdtlsclientconnection.c
index bdbf890fe..a0ed3d243 100644
--- a/gio/gdtlsclientconnection.c
+++ b/gio/gdtlsclientconnection.c
@@ -63,7 +63,21 @@ g_dtls_client_connection_default_init (GDtlsClientConnectionInterface *iface)
 * ways indicated here will be rejected unless the application
 * overrides the default via #GDtlsConnection::accept-certificate.
 *
+ * GLib guarantees that if certificate verification fails, at least one
+ * flag will be set, but it does not guarantee that all possible flags
+ * will be set. Accordingly, you may not safely decide to ignore any
+ * particular type of error. For example, it would be incorrect to mask
+ * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
+ * because this could potentially be the only error flag set even if
+ * other problems exist with the certificate. Therefore, there is no
+ * safe way to use this property. This is not a horrible problem,
+ * though, because you should not be attempting to ignore validation
+ * errors anyway. If you really must ignore TLS certificate errors,
+ * connect to #GDtlsConnection::accept-certificate.
+ *
 * Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
 */
 g_object_interface_install_property (iface,
 g_param_spec_flags ("validation-flags",
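Review bot: The `validation-flags` property is deprecated here only in its gtk-doc block, so nothing signals the deprecation at runtime unless the param spec also carries `G_PARAM_DEPRECATED`. The flags argument of `g_param_spec_flags ("validation-flags", …)` lies past the end of this hunk, so this cannot be confirmed from the patch. If it is not already set, I would OR `G_PARAM_DEPRECATED` into that argument, so that code which still narrows certificate validation through the property is reported when `G_ENABLE_DIAGNOSTIC` is enabled.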
@@ -162,9 +176,15 @@ g_dtls_client_connection_new (GDatagramBased *base_socket,
 *
 * Gets @conn's validation flags
 *
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
 * Returns: the validation flags
 *
 * Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
 */
 GTlsCertificateFlags
 g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
@@ -186,7 +206,13 @@ g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
 * checks performed when validating a server certificate. By default,
 * %G_TLS_CERTIFICATE_VALIDATE_ALL is used.
 *
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
 * Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
 */
 void
 g_dtls_client_connection_set_validation_flags (GDtlsClientConnection *conn,
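Review bot: The `Deprecated: 2.74` tags on `g_dtls_client_connection_get_validation_flags()` and, in the next hunk, `g_dtls_client_connection_set_validation_flags()` are documentation-only. The diffstat lists just `gio/gdtlsclientconnection.c`, so the prototypes in the public header are not touched by this patch, and callers that still pass a reduced mask to the setter get no compiler warning. Unless a companion change covers it, both declarations should be marked `GLIB_DEPRECATED_IN_2_74` in the header. Both function bodies lie outside the hunks shown, so whether in-tree callers would then need deprecation-ignore guards cannot be judged from here.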