unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#30619: Cuirass requires TLS certificates
@ 2018-02-26 20:51 Andreas Enge
  2018-02-27 16:00 ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Andreas Enge @ 2018-02-26 20:51 UTC (permalink / raw)
  To: 30619

Hello,

the cuirass service requires TLS certificates to do continuous integration
of guix (or more generally, git repositories served over https). This works
when nss-certs is installed as a global package in the system.

Should the service depend on the nss-certs package? Or maybe take as an
optional configuration parameter a certificate package?

Andreas

^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2018-02-26 20:51 bug#30619: Cuirass requires TLS certificates Andreas Enge
@ 2018-02-27 16:00 ` Ludovic Courtès
  2021-09-16  7:33   ` zimoun
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2018-02-27 16:00 UTC (permalink / raw)
  To: Andreas Enge; +Cc: 30619

Andreas Enge <andreas@enge.fr> skribis:

> the cuirass service requires TLS certificates to do continuous integration
> of guix (or more generally, git repositories served over https). This works
> when nss-certs is installed as a global package in the system.
>
> Should the service depend on the nss-certs package? Or maybe take as an
> optional configuration parameter a certificate package?

I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
That would make it self-contained.

That’s currently not possible though because this certificate bundle is
built as a profile hook.  We would first need to export the procedure
that creates bundles, possibly by moving it to a new (guix
x509-certificates) module.

Thoughts?

Ludo’.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2018-02-27 16:00 ` Ludovic Courtès
@ 2021-09-16  7:33   ` zimoun
  2021-10-12 21:57     ` zimoun
  0 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2021-09-16  7:33 UTC (permalink / raw)
  To: Ludovic Courtès, Mathieu Othacehe; +Cc: 30619

Hi,

On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
> Andreas Enge <andreas@enge.fr> skribis:
>
>> the cuirass service requires TLS certificates to do continuous integration
>> of guix (or more generally, git repositories served over https). This works
>> when nss-certs is installed as a global package in the system.
>>
>> Should the service depend on the nss-certs package? Or maybe take as an
>> optional configuration parameter a certificate package?
>
> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
> That would make it self-contained.
>
> That’s currently not possible though because this certificate bundle is
> built as a profile hook.  We would first need to export the procedure
> that creates bundles, possibly by moving it to a new (guix
> x509-certificates) module.

What is the status of this old bug [1]?  Well, if it is not fixed yet,
it seems a forgotten bug. :-)

1: <http://issues.guix.gnu.org/issue/30619>

Cheers,
simon




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2021-09-16  7:33   ` zimoun
@ 2021-10-12 21:57     ` zimoun
  2021-10-15 15:20       ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2021-10-12 21:57 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Mathieu Othacehe, 30619

Hi,

On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>> Andreas Enge <andreas@enge.fr> skribis:
>>
>>> the cuirass service requires TLS certificates to do continuous integration
>>> of guix (or more generally, git repositories served over https). This works
>>> when nss-certs is installed as a global package in the system.
>>>
>>> Should the service depend on the nss-certs package? Or maybe take as an
>>> optional configuration parameter a certificate package?
>>
>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>> That would make it self-contained.
>>
>> That’s currently not possible though because this certificate bundle is
>> built as a profile hook.  We would first need to export the procedure
>> that creates bundles, possibly by moving it to a new (guix
>> x509-certificates) module.
>
> What is the status of this old bug [1]?  Well, if it is not fixed yet,
> it seems a forgotten bug. :-)
>
> 1: <http://issues.guix.gnu.org/issue/30619>

From my understanding, this old bug could be closed.  But I am not sure
to get it right about this TLS story.  So closing?


Cheers,
simon




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2021-10-12 21:57     ` zimoun
@ 2021-10-15 15:20       ` Ludovic Courtès
  2021-11-26  1:38         ` zimoun
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2021-10-15 15:20 UTC (permalink / raw)
  To: zimoun; +Cc: Mathieu Othacehe, 30619

Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>>> Andreas Enge <andreas@enge.fr> skribis:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook.  We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]?  Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed.  But I am not sure
> to get it right about this TLS story.  So closing?

The Cuirass Shepherd service still does:

              #:environment-variables
              (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

which means that users still need to install certificates globally.

Now, whether it’s an issue, I don’t know.

Maybe we can close?

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2021-10-15 15:20       ` Ludovic Courtès
@ 2021-11-26  1:38         ` zimoun
  2021-11-26  6:28           ` Maxime Devos
  0 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2021-11-26  1:38 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Hi,

On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> zimoun <zimon.toutoune@gmail.com> skribis:
>> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:

> The Cuirass Shepherd service still does:
>
>               #:environment-variables
>               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>
> which means that users still need to install certificates globally.
>
> Now, whether it’s an issue, I don’t know.
>
> Maybe we can close?

I propose to close since I do not see what could the next action.

1: <http://issues.guix.gnu.org/issue/30619>


Cheers,
simon




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2021-11-26  1:38         ` zimoun
@ 2021-11-26  6:28           ` Maxime Devos
  2021-11-26  6:31             ` Maxime Devos
                               ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Maxime Devos @ 2021-11-26  6:28 UTC (permalink / raw)
  To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> Hi,
> 
> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > zimoun <zimon.toutoune@gmail.com> skribis:
> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > wrote:
> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > > > wrote:
> 
> > The Cuirass Shepherd service still does:
> > 
> >               #:environment-variables
> >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-
> > certificates.crt" …)
> > 
> > which means that users still need to install certificates globally.
> > 
> > Now, whether it’s an issue, I don’t know.
> > 
> > Maybe we can close?
> 
> I propose to close since I do not see what could the next action.
> 
> 1: <http://issues.guix.gnu.org/issue/30619>

The next action would be splitting of the bundle generation from the
profile code, and adding a ‘certificates’ field defaulting to nss-
certs, as Ludo seemed to suggest.

This could be useful if the server the channel repositories are on use
self-signed certificates (are git repositories of channels over https
the reason cuirass requires TLS certificates).


Greetings,
Maxime





^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2021-11-26  6:28           ` Maxime Devos
@ 2021-11-26  6:31             ` Maxime Devos
  2021-11-26  6:32             ` Maxime Devos
  2022-01-04 23:09             ` zimoun
  2 siblings, 0 replies; 12+ messages in thread
From: Maxime Devos @ 2021-11-26  6:31 UTC (permalink / raw)
  To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> [...]
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

This was meant to be:

‘This could be useful if the server the channel repositories are on
use self-signed certificates (are git repositories of channels over
https the reason cuirass requires TLS certificates?).’






^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2021-11-26  6:28           ` Maxime Devos
  2021-11-26  6:31             ` Maxime Devos
@ 2021-11-26  6:32             ` Maxime Devos
  2022-01-04 23:09             ` zimoun
  2 siblings, 0 replies; 12+ messages in thread
From: Maxime Devos @ 2021-11-26  6:32 UTC (permalink / raw)
  To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

Oops, this argument doesn't have much value, because those certificates
might as well be added to the system profile.





^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2021-11-26  6:28           ` Maxime Devos
  2021-11-26  6:31             ` Maxime Devos
  2021-11-26  6:32             ` Maxime Devos
@ 2022-01-04 23:09             ` zimoun
  2022-01-05  9:53               ` Maxime Devos
  2 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2022-01-04 23:09 UTC (permalink / raw)
  To: Maxime Devos; +Cc: Mathieu Othacehe, 30619, Andreas Enge

Hi Maxime.

On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
>> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
>> > zimoun <zimon.toutoune@gmail.com> skribis:
>> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
>> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
>>
>> > The Cuirass Shepherd service still does:
>> >
>> >               #:environment-variables
>> >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-
>> > certificates.crt" …)
>> >
>> > which means that users still need to install certificates globally.
>> >
>> > Now, whether it’s an issue, I don’t know.
>> >
>> > Maybe we can close?
>>
>> I propose to close since I do not see what could the next action.
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> The next action would be splitting of the bundle generation from the
> profile code, and adding a ‘certificates’ field defaulting to nss-
> certs, as Ludo seemed to suggest.

Do you have an idea how to implement this suggestion?  Otherwise, I
think closing is reasonable. :-)

Cheers,
simon




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2022-01-04 23:09             ` zimoun
@ 2022-01-05  9:53               ` Maxime Devos
  2022-01-21 10:44                 ` Maxime Devos
  0 siblings, 1 reply; 12+ messages in thread
From: Maxime Devos @ 2022-01-05  9:53 UTC (permalink / raw)
  To: zimoun; +Cc: Mathieu Othacehe, 30619, Andreas Enge

[-- Attachment #1: Type: text/plain, Size: 1844 bytes --]

zimoun schreef op wo 05-01-2022 om 00:09 [+0100]:
> Hi Maxime.
> 
> On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> > zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> > > On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > > > zimoun <zimon.toutoune@gmail.com> skribis:
> > > > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > > 
> > > > The Cuirass Shepherd service still does:
> > > > 
> > > >               #:environment-variables
> > > >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-
> > > > certificates.crt" …)
> > > > 
> > > > which means that users still need to install certificates globally.
> > > > 
> > > > Now, whether it’s an issue, I don’t know.
> > > > 
> > > > Maybe we can close?
> > > 
> > > I propose to close since I do not see what could the next action.
> > > 
> > > 1: <http://issues.guix.gnu.org/issue/30619>
> > 
> > The next action would be splitting of the bundle generation from the
> > profile code, and adding a ‘certificates’ field defaulting to nss-
> > certs, as Ludo seemed to suggest.
> 
> Do you have an idea how to implement this suggestion?  Otherwise, I
> think closing is reasonable. :-)

That suggestion (+ Ludovic's suggestion of a
(guix x509-certificates) module) was my suggested implementation, it
just needs to be translated from a description in English to an actual
patch .

Anyway, I don't think closing is reasonable, because the bug
(certificates need to be installed globally) still exist, and it
is actionable (there's even a suggested implementation,
so a sufficiently motivated party (not me currently) could address the
issue.

Greetings,
Maxime.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#30619: Cuirass requires TLS certificates
  2022-01-05  9:53               ` Maxime Devos
@ 2022-01-21 10:44                 ` Maxime Devos
  0 siblings, 0 replies; 12+ messages in thread
From: Maxime Devos @ 2022-01-21 10:44 UTC (permalink / raw)
  To: zimoun, control; +Cc: Mathieu Othacehe, Andreas Enge, 30619-done

[-- Attachment #1: Type: text/plain, Size: 364 bytes --]

bugs 30619 + donewontfix
thanks

> [various discussion]

While I believe a 'certificates' field or the like would be nice,
there does not appear to be a need or interest, hence closing.

If someone would like to implement some solution or has a need,
they can reopen the bug (see
<https://debbugs.gnu.org/server-control.html>).

Greetings,
Maxime.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2022-01-21 11:18 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-26 20:51 bug#30619: Cuirass requires TLS certificates Andreas Enge
2018-02-27 16:00 ` Ludovic Courtès
2021-09-16  7:33   ` zimoun
2021-10-12 21:57     ` zimoun
2021-10-15 15:20       ` Ludovic Courtès
2021-11-26  1:38         ` zimoun
2021-11-26  6:28           ` Maxime Devos
2021-11-26  6:31             ` Maxime Devos
2021-11-26  6:32             ` Maxime Devos
2022-01-04 23:09             ` zimoun
2022-01-05  9:53               ` Maxime Devos
2022-01-21 10:44                 ` Maxime Devos

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).