* bug#30619: Cuirass requires TLS certificates
From: Andreas Enge @ 2018-02-26 20:51 UTC
To: 30619

Hello,

the cuirass service requires TLS certificates to do continuous integration
of guix (or more generally, git repositories served over https). This works
when nss-certs is installed as a global package in the system.

Should the service depend on the nss-certs package? Or maybe take as an
optional configuration parameter a certificate package?

Andreas

* bug#30619: Cuirass requires TLS certificates
From: Ludovic Courtès @ 2018-02-27 16:00 UTC
To: Andreas Enge; +Cc: 30619

Andreas Enge <andreas@enge.fr> skribis:

> the cuirass service requires TLS certificates to do continuous integration
> of guix (or more generally, git repositories served over https). This works
> when nss-certs is installed as a global package in the system.
>
> Should the service depend on the nss-certs package? Or maybe take as an
> optional configuration parameter a certificate package?

I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
That would make it self-contained.

That’s currently not possible though because this certificate bundle is
built as a profile hook. We would first need to export the procedure
that creates bundles, possibly by moving it to a new (guix
x509-certificates) module.

Thoughts?

Ludo’.

* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2021-09-16 7:33 UTC
To: Ludovic Courtès, Mathieu Othacehe; +Cc: 30619

Hi,

On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
> Andreas Enge <andreas@enge.fr> skribis:
>
>> the cuirass service requires TLS certificates to do continuous integration
>> of guix (or more generally, git repositories served over https). This works
>> when nss-certs is installed as a global package in the system.
>>
>> Should the service depend on the nss-certs package? Or maybe take as an
>> optional configuration parameter a certificate package?
>
> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
> That would make it self-contained.
>
> That’s currently not possible though because this certificate bundle is
> built as a profile hook. We would first need to export the procedure
> that creates bundles, possibly by moving it to a new (guix
> x509-certificates) module.

What is the status of this old bug [1]? Well, if it is not fixed yet,
it seems a forgotten bug. :-)

1: <http://issues.guix.gnu.org/issue/30619>

Cheers,
simon

* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2021-10-12 21:57 UTC
To: Ludovic Courtès; +Cc: Mathieu Othacehe, 30619

Hi,

On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>> Andreas Enge <andreas@enge.fr> skribis:
>>
>>> the cuirass service requires TLS certificates to do continuous integration
>>> of guix (or more generally, git repositories served over https). This works
>>> when nss-certs is installed as a global package in the system.
>>>
>>> Should the service depend on the nss-certs package? Or maybe take as an
>>> optional configuration parameter a certificate package?
>>
>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>> That would make it self-contained.
>>
>> That’s currently not possible though because this certificate bundle is
>> built as a profile hook. We would first need to export the procedure
>> that creates bundles, possibly by moving it to a new (guix
>> x509-certificates) module.
>
> What is the status of this old bug [1]? Well, if it is not fixed yet,
> it seems a forgotten bug. :-)
>
> 1: <http://issues.guix.gnu.org/issue/30619>

From my understanding, this old bug could be closed. But I am not sure
to get it right about this TLS story. So closing?

Cheers,
simon

* bug#30619: Cuirass requires TLS certificates
From: Ludovic Courtès @ 2021-10-15 15:20 UTC
To: zimoun; +Cc: Mathieu Othacehe, 30619

Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>>> Andreas Enge <andreas@enge.fr> skribis:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook. We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]? Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed. But I am not sure
> to get it right about this TLS story. So closing?

The Cuirass Shepherd service still does:

    #:environment-variables
    (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

which means that users still need to install certificates globally.

Now, whether it’s an issue, I don’t know.

Maybe we can close?

Thanks,
Ludo’.

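Added example, not part of the thread and not Guix or Cuirass code: a preflight check for the failure mode described in the message above, where the service's GIT_SSL_CAINFO names a bundle that only exists once certificates are installed globally. The function names are hypothetical; the default path is the one quoted in the message.

```shell
#!/bin/sh
# Added example: classify the CA bundle that GIT_SSL_CAINFO points at.
# Function names are hypothetical; the default path is the one quoted above.

DEFAULT_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Print how many PEM certificate blocks file $1 contains (0 if none).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print missing | dangling | not-a-file | unreadable | empty | ok:<count>
# for bundle $1 (default: $GIT_SSL_CAINFO, then DEFAULT_BUNDLE).
# Returns 0 only for ok.
bundle_status() {
    bundle=${1:-${GIT_SSL_CAINFO:-$DEFAULT_BUNDLE}}
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then
        echo "dangling"; return 1      # symlink whose target is gone
    elif [ ! -e "$bundle" ]; then
        echo "missing"; return 1       # nothing installed at this path
    elif [ ! -f "$bundle" ]; then
        echo "not-a-file"; return 1    # e.g. a directory
    elif [ ! -r "$bundle" ]; then
        echo "unreadable"; return 1    # the calling user cannot read it
    fi
    count=$(count_pem_certs "$bundle")
    if [ "${count:-0}" -eq 0 ]; then
        echo "empty"; return 1         # file exists but holds no certificate
    fi
    echo "ok:$count"
}

# Report on the bundle the current environment would use; never aborts.
bundle_status || true
```

Run it as the user the service runs as, since readability is checked for the calling user.
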
* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2021-11-26 1:38 UTC
To: Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Hi,

On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> zimoun <zimon.toutoune@gmail.com> skribis:
>> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:

> The Cuirass Shepherd service still does:
>
>     #:environment-variables
>     (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>
> which means that users still need to install certificates globally.
>
> Now, whether it’s an issue, I don’t know.
>
> Maybe we can close?

I propose to close since I do not see what could be the next action.

1: <http://issues.guix.gnu.org/issue/30619>

Cheers,
simon

* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2021-11-26 6:28 UTC
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> Hi,
>
> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > zimoun <zimon.toutoune@gmail.com> skribis:
> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > wrote:
> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > > > wrote:
>
> > The Cuirass Shepherd service still does:
> >
> >     #:environment-variables
> >     (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
> >
> > which means that users still need to install certificates globally.
> >
> > Now, whether it’s an issue, I don’t know.
> >
> > Maybe we can close?
>
> I propose to close since I do not see what could be the next action.
>
> 1: <http://issues.guix.gnu.org/issue/30619>

The next action would be splitting of the bundle generation from the
profile code, and adding a ‘certificates’ field defaulting to
nss-certs, as Ludo seemed to suggest.

This could be useful if the server the channel repositories are on use
self-signed certificates (are git repositories of channels over https
the reason cuirass requires TLS certificates).

Greetings,
Maxime

* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2021-11-26 6:31 UTC
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> [...]
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

This was meant to be:

‘This could be useful if the server the channel repositories are on use
self-signed certificates (are git repositories of channels over https
the reason cuirass requires TLS certificates?).’

* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2021-11-26 6:32 UTC
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

Oops, this argument doesn't have much value, because those certificates
might as well be added to the system profile.

* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2022-01-04 23:09 UTC
To: Maxime Devos; +Cc: Mathieu Othacehe, 30619, Andreas Enge

Hi Maxime.

On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
>> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
>> > zimoun <zimon.toutoune@gmail.com> skribis:
>> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
>> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
>>
>> > The Cuirass Shepherd service still does:
>> >
>> >     #:environment-variables
>> >     (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>> >
>> > which means that users still need to install certificates globally.
>> >
>> > Now, whether it’s an issue, I don’t know.
>> >
>> > Maybe we can close?
>>
>> I propose to close since I do not see what could be the next action.
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> The next action would be splitting of the bundle generation from the
> profile code, and adding a ‘certificates’ field defaulting to
> nss-certs, as Ludo seemed to suggest.

Do you have an idea how to implement this suggestion? Otherwise, I
think closing is reasonable. :-)

Cheers,
simon

* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2022-01-05 9:53 UTC
To: zimoun; +Cc: Mathieu Othacehe, 30619, Andreas Enge

zimoun schreef op wo 05-01-2022 om 00:09 [+0100]:
> Hi Maxime.
>
> On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> > zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> > > On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > > > zimoun <zimon.toutoune@gmail.com> skribis:
> > > > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > >
> > > > The Cuirass Shepherd service still does:
> > > >
> > > >     #:environment-variables
> > > >     (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
> > > >
> > > > which means that users still need to install certificates globally.
> > > >
> > > > Now, whether it’s an issue, I don’t know.
> > > >
> > > > Maybe we can close?
> > >
> > > I propose to close since I do not see what could be the next action.
> > >
> > > 1: <http://issues.guix.gnu.org/issue/30619>
> >
> > The next action would be splitting of the bundle generation from the
> > profile code, and adding a ‘certificates’ field defaulting to
> > nss-certs, as Ludo seemed to suggest.
>
> Do you have an idea how to implement this suggestion? Otherwise, I
> think closing is reasonable. :-)

That suggestion (+ Ludovic's suggestion of a (guix x509-certificates)
module) was my suggested implementation, it just needs to be translated
from a description in English to an actual patch.

Anyway, I don't think closing is reasonable, because the bug
(certificates need to be installed globally) still exists, and it is
actionable (there's even a suggested implementation, so a sufficiently
motivated party (not me currently) could address the issue).

Greetings,
Maxime.

* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2022-01-21 10:44 UTC
To: zimoun, control; +Cc: Mathieu Othacehe, Andreas Enge, 30619-done

bugs 30619 + donewontfix thanks

> [various discussion]

While I believe a 'certificates' field or the like would be nice, there
does not appear to be a need or interest, hence closing. If someone
would like to implement some solution or has a need, they can reopen
the bug (see <https://debbugs.gnu.org/server-control.html>).

Greetings,
Maxime.