* bug#30619: Cuirass requires TLS certificates
@ 2018-02-26 20:51 Andreas Enge
2018-02-27 16:00 ` Ludovic Courtès
0 siblings, 1 reply; 12+ messages in thread
From: Andreas Enge @ 2018-02-26 20:51 UTC (permalink / raw)
To: 30619
Hello,
the cuirass service requires TLS certificates to do continuous integration
of guix (or more generally, git repositories served over https). This works
when nss-certs is installed as a global package in the system.
Should the service depend on the nss-certs package? Or maybe take as an
optional configuration parameter a certificate package?
Andreas
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2018-02-26 20:51 bug#30619: Cuirass requires TLS certificates Andreas Enge
@ 2018-02-27 16:00 ` Ludovic Courtès
2021-09-16 7:33 ` zimoun
0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2018-02-27 16:00 UTC (permalink / raw)
To: Andreas Enge; +Cc: 30619
Andreas Enge <andreas@enge.fr> skribis:
> the cuirass service requires TLS certificates to do continuous integration
> of guix (or more generally, git repositories served over https). This works
> when nss-certs is installed as a global package in the system.
>
> Should the service depend on the nss-certs package? Or maybe take as an
> optional configuration parameter a certificate package?
I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
That would make it self-contained.
That’s currently not possible though because this certificate bundle is
built as a profile hook. We would first need to export the procedure
that creates bundles, possibly by moving it to a new (guix
x509-certificates) module.
Thoughts?
Ludo’.
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2018-02-27 16:00 ` Ludovic Courtès
@ 2021-09-16 7:33 ` zimoun
2021-10-12 21:57 ` zimoun
0 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2021-09-16 7:33 UTC (permalink / raw)
To: Ludovic Courtès, Mathieu Othacehe; +Cc: 30619
Hi,
On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
> Andreas Enge <andreas@enge.fr> skribis:
>
>> the cuirass service requires TLS certificates to do continuous integration
>> of guix (or more generally, git repositories served over https). This works
>> when nss-certs is installed as a global package in the system.
>>
>> Should the service depend on the nss-certs package? Or maybe take as an
>> optional configuration parameter a certificate package?
>
> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
> That would make it self-contained.
>
> That’s currently not possible though because this certificate bundle is
> built as a profile hook. We would first need to export the procedure
> that creates bundles, possibly by moving it to a new (guix
> x509-certificates) module.
What is the status of this old bug [1]? Well, if it is not fixed yet,
it seems a forgotten bug. :-)
1: <http://issues.guix.gnu.org/issue/30619>
Cheers,
simon
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2021-09-16 7:33 ` zimoun
@ 2021-10-12 21:57 ` zimoun
2021-10-15 15:20 ` Ludovic Courtès
0 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2021-10-12 21:57 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Mathieu Othacehe, 30619
Hi,
On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>> Andreas Enge <andreas@enge.fr> skribis:
>>
>>> the cuirass service requires TLS certificates to do continuous integration
>>> of guix (or more generally, git repositories served over https). This works
>>> when nss-certs is installed as a global package in the system.
>>>
>>> Should the service depend on the nss-certs package? Or maybe take as an
>>> optional configuration parameter a certificate package?
>>
>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>> That would make it self-contained.
>>
>> That’s currently not possible though because this certificate bundle is
>> built as a profile hook. We would first need to export the procedure
>> that creates bundles, possibly by moving it to a new (guix
>> x509-certificates) module.
>
> What is the status of this old bug [1]? Well, if it is not fixed yet,
> it seems a forgotten bug. :-)
>
> 1: <http://issues.guix.gnu.org/issue/30619>
From my understanding, this old bug could be closed. But I am not sure
to get it right about this TLS story. So closing?
Cheers,
simon
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2021-10-12 21:57 ` zimoun
@ 2021-10-15 15:20 ` Ludovic Courtès
2021-11-26 1:38 ` zimoun
0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2021-10-15 15:20 UTC (permalink / raw)
To: zimoun; +Cc: Mathieu Othacehe, 30619
Hi,
zimoun <zimon.toutoune@gmail.com> skribis:
> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>>> Andreas Enge <andreas@enge.fr> skribis:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook. We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]? Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed. But I am not sure
> to get it right about this TLS story. So closing?
The Cuirass Shepherd service still does:
#:environment-variables
(list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
which means that users still need to install certificates globally.
Now, whether it’s an issue, I don’t know.
Maybe we can close?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2021-10-15 15:20 ` Ludovic Courtès
@ 2021-11-26 1:38 ` zimoun
2021-11-26 6:28 ` Maxime Devos
0 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2021-11-26 1:38 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
Hi,
On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> zimoun <zimon.toutoune@gmail.com> skribis:
>> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
> The Cuirass Shepherd service still does:
>
> #:environment-variables
> (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>
> which means that users still need to install certificates globally.
>
> Now, whether it’s an issue, I don’t know.
>
> Maybe we can close?
I propose to close since I do not see what could the next action.
1: <http://issues.guix.gnu.org/issue/30619>
Cheers,
simon
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2021-11-26 1:38 ` zimoun
@ 2021-11-26 6:28 ` Maxime Devos
2021-11-26 6:31 ` Maxime Devos
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Maxime Devos @ 2021-11-26 6:28 UTC (permalink / raw)
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> Hi,
>
> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > zimoun <zimon.toutoune@gmail.com> skribis:
> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > wrote:
> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > > > wrote:
>
> > The Cuirass Shepherd service still does:
> >
> > #:environment-variables
> > (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-
> > certificates.crt" …)
> >
> > which means that users still need to install certificates globally.
> >
> > Now, whether it’s an issue, I don’t know.
> >
> > Maybe we can close?
>
> I propose to close since I do not see what could the next action.
>
> 1: <http://issues.guix.gnu.org/issue/30619>
The next action would be splitting of the bundle generation from the
profile code, and adding a ‘certificates’ field defaulting to nss-
certs, as Ludo seemed to suggest.
This could be useful if the server the channel repositories are on use
self-signed certificates (are git repositories of channels over https
the reason cuirass requires TLS certificates).
Greetings,
Maxime
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2021-11-26 6:28 ` Maxime Devos
@ 2021-11-26 6:31 ` Maxime Devos
2021-11-26 6:32 ` Maxime Devos
2022-01-04 23:09 ` zimoun
2 siblings, 0 replies; 12+ messages in thread
From: Maxime Devos @ 2021-11-26 6:31 UTC (permalink / raw)
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> [...]
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).
This was meant to be:
‘This could be useful if the server the channel repositories are on
use self-signed certificates (are git repositories of channels over
https the reason cuirass requires TLS certificates?).’
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2021-11-26 6:28 ` Maxime Devos
2021-11-26 6:31 ` Maxime Devos
@ 2021-11-26 6:32 ` Maxime Devos
2022-01-04 23:09 ` zimoun
2 siblings, 0 replies; 12+ messages in thread
From: Maxime Devos @ 2021-11-26 6:32 UTC (permalink / raw)
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).
Oops, this argument doesn't have much value, because those certificates
might as well be added to the system profile.
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2021-11-26 6:28 ` Maxime Devos
2021-11-26 6:31 ` Maxime Devos
2021-11-26 6:32 ` Maxime Devos
@ 2022-01-04 23:09 ` zimoun
2022-01-05 9:53 ` Maxime Devos
2 siblings, 1 reply; 12+ messages in thread
From: zimoun @ 2022-01-04 23:09 UTC (permalink / raw)
To: Maxime Devos; +Cc: Mathieu Othacehe, 30619, Andreas Enge
Hi Maxime.
On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
>> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
>> > zimoun <zimon.toutoune@gmail.com> skribis:
>> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
>> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
>>
>> > The Cuirass Shepherd service still does:
>> >
>> > #:environment-variables
>> > (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-
>> > certificates.crt" …)
>> >
>> > which means that users still need to install certificates globally.
>> >
>> > Now, whether it’s an issue, I don’t know.
>> >
>> > Maybe we can close?
>>
>> I propose to close since I do not see what could the next action.
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> The next action would be splitting of the bundle generation from the
> profile code, and adding a ‘certificates’ field defaulting to nss-
> certs, as Ludo seemed to suggest.
Do you have an idea how to implement this suggestion? Otherwise, I
think closing is reasonable. :-)
Cheers,
simon
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2022-01-04 23:09 ` zimoun
@ 2022-01-05 9:53 ` Maxime Devos
2022-01-21 10:44 ` Maxime Devos
0 siblings, 1 reply; 12+ messages in thread
From: Maxime Devos @ 2022-01-05 9:53 UTC (permalink / raw)
To: zimoun; +Cc: Mathieu Othacehe, 30619, Andreas Enge
[-- Attachment #1: Type: text/plain, Size: 1844 bytes --]
zimoun schreef op wo 05-01-2022 om 00:09 [+0100]:
> Hi Maxime.
>
> On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> > zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> > > On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > > > zimoun <zimon.toutoune@gmail.com> skribis:
> > > > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > >
> > > > The Cuirass Shepherd service still does:
> > > >
> > > > #:environment-variables
> > > > (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-
> > > > certificates.crt" …)
> > > >
> > > > which means that users still need to install certificates globally.
> > > >
> > > > Now, whether it’s an issue, I don’t know.
> > > >
> > > > Maybe we can close?
> > >
> > > I propose to close since I do not see what could the next action.
> > >
> > > 1: <http://issues.guix.gnu.org/issue/30619>
> >
> > The next action would be splitting of the bundle generation from the
> > profile code, and adding a ‘certificates’ field defaulting to nss-
> > certs, as Ludo seemed to suggest.
>
> Do you have an idea how to implement this suggestion? Otherwise, I
> think closing is reasonable. :-)
That suggestion (+ Ludovic's suggestion of a
(guix x509-certificates) module) was my suggested implementation, it
just needs to be translated from a description in English to an actual
patch .
Anyway, I don't think closing is reasonable, because the bug
(certificates need to be installed globally) still exist, and it
is actionable (there's even a suggested implementation,
so a sufficiently motivated party (not me currently) could address the
issue.
Greetings,
Maxime.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* bug#30619: Cuirass requires TLS certificates
2022-01-05 9:53 ` Maxime Devos
@ 2022-01-21 10:44 ` Maxime Devos
0 siblings, 0 replies; 12+ messages in thread
From: Maxime Devos @ 2022-01-21 10:44 UTC (permalink / raw)
To: zimoun, control; +Cc: Mathieu Othacehe, Andreas Enge, 30619-done
[-- Attachment #1: Type: text/plain, Size: 364 bytes --]
bugs 30619 + donewontfix
thanks
> [various discussion]
While I believe a 'certificates' field or the like would be nice,
there does not appear to be a need or interest, hence closing.
If someone would like to implement some solution or has a need,
they can reopen the bug (see
<https://debbugs.gnu.org/server-control.html>).
Greetings,
Maxime.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2022-01-21 11:18 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-26 20:51 bug#30619: Cuirass requires TLS certificates Andreas Enge
2018-02-27 16:00 ` Ludovic Courtès
2021-09-16 7:33 ` zimoun
2021-10-12 21:57 ` zimoun
2021-10-15 15:20 ` Ludovic Courtès
2021-11-26 1:38 ` zimoun
2021-11-26 6:28 ` Maxime Devos
2021-11-26 6:31 ` Maxime Devos
2021-11-26 6:32 ` Maxime Devos
2022-01-04 23:09 ` zimoun
2022-01-05 9:53 ` Maxime Devos
2022-01-21 10:44 ` Maxime Devos
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).