* bug#49508: Implement --allow-insecure-transport for `guix pull`
@ 2021-07-10 17:28 Leo Famulari
2022-02-08 10:18 ` Ludovic Courtès
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2021-07-10 17:28 UTC (permalink / raw)
To: 49508
As discussed in #46829, `guix pull` needs an option like
--allow-insecure-transport so that users can continue to pull from the
same channel even when their local certificate store has expired or is
otherwise invalid.
[0] <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46829#114>
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#49508: Implement --allow-insecure-transport for `guix pull`
2021-07-10 17:28 bug#49508: Implement --allow-insecure-transport for `guix pull` Leo Famulari
@ 2022-02-08 10:18 ` Ludovic Courtès
2022-02-08 17:11 ` Leo Famulari
2022-11-01 17:30 ` Mathieu Othacehe
0 siblings, 2 replies; 4+ messages in thread
From: Ludovic Courtès @ 2022-02-08 10:18 UTC (permalink / raw)
To: Leo Famulari; +Cc: 49508
Hi,
Leo Famulari <leo@famulari.name> skribis:
> As discussed in #46829, `guix pull` needs an option like
> --allow-insecure-transport so that users can continue to pull from the
> same channel even when their local certificate store has expired or is
> otherwise invalid.
Agreed.
Unfortunately it seems that libgit2 doesn’t let us turn off certificate
verification:
https://libgit2.org/libgit2/#HEAD/group/libgit2
‘verify_server_cert’ in src/streams/openssl.c is called
unconditionally. So it seems that the first thing to do would be to
submit a patch upstream that would allow users to disable certificate
checks via ‘git_libgit2_opts’.
Now, by default, ‘guix pull’ honors /etc/ssl/certs. Assuming those are
up-to-date, it should be fine, right?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#49508: Implement --allow-insecure-transport for `guix pull`
2022-02-08 10:18 ` Ludovic Courtès
@ 2022-02-08 17:11 ` Leo Famulari
2022-11-01 17:30 ` Mathieu Othacehe
1 sibling, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2022-02-08 17:11 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 49508
On Tue, Feb 08, 2022 at 11:18:08AM +0100, Ludovic Courtès wrote:
> Unfortunately it seems that libgit2 doesn’t let us turn off certificate
> verification:
>
> https://libgit2.org/libgit2/#HEAD/group/libgit2
>
> ‘verify_server_cert’ in src/streams/openssl.c is called
> unconditionally.
Ah, that's not surprising.
> So it seems that the first thing to do would be to
> submit a patch upstream that would allow users to disable certificate
> checks via ‘git_libgit2_opts’.
Right, but it might not be accepted.
> Now, by default, ‘guix pull’ honors /etc/ssl/certs. Assuming those are
> up-to-date, it should be fine, right?
Yeah, I think so.
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#49508: Implement --allow-insecure-transport for `guix pull`
2022-02-08 10:18 ` Ludovic Courtès
2022-02-08 17:11 ` Leo Famulari
@ 2022-11-01 17:30 ` Mathieu Othacehe
1 sibling, 0 replies; 4+ messages in thread
From: Mathieu Othacehe @ 2022-11-01 17:30 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 49508, Leo Famulari
Hello,
> ‘verify_server_cert’ in src/streams/openssl.c is called
> unconditionally. So it seems that the first thing to do would be to
> submit a patch upstream that would allow users to disable certificate
> checks via ‘git_libgit2_opts’.
While this seems like something that we definitely want, I think we
shouldn't block the release with a contribution that can take time to be
upstreamed in libgit2.
Unblocking #53214.
Mathieu
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-11-01 17:32 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-10 17:28 bug#49508: Implement --allow-insecure-transport for `guix pull` Leo Famulari
2022-02-08 10:18 ` Ludovic Courtès
2022-02-08 17:11 ` Leo Famulari
2022-11-01 17:30 ` Mathieu Othacehe
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).