unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / Atom feed
* bug#46829: Fresh install of 1.2.0 can't guix pull
@ 2021-02-28 10:27 Christopher Baines
  2021-02-28 11:06 ` Andreas Enge
                   ` (7 more replies)
  0 siblings, 8 replies; 38+ messages in thread
From: Christopher Baines @ 2021-02-28 10:27 UTC (permalink / raw)
  To: 46829

[-- Attachment #1: Type: text/plain, Size: 1357 bytes --]

I believe there's TLS issues with pulling for the current 1.2.0 release.

root@horna ~# guix pull
substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
0.0 MB will be downloaded
downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
 le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%

Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix pull: error: Git error: the SSL certificate is invalid

root@horna ~# wget https://git.savannah.gnu.org/git/guix.git
--2021-02-28 11:22:49--  https://git.savannah.gnu.org/git/guix.git
Resolving git.savannah.gnu.org (git.savannah.gnu.org)... 209.51.188.201, 2001:470:142:5::201
Connecting to git.savannah.gnu.org (git.savannah.gnu.org)|209.51.188.201|:443... connected.
ERROR: The certificate of ‘git.savannah.gnu.org’ is not trusted.
ERROR: The certificate of ‘git.savannah.gnu.org’ doesn't have a known issuer.


This is probably possible to work around by doing:

  guix pull --url=http://git.savannah.gnu.org/git/guix.git

As the commit signatures are checked, the risk of not using HTTPS should
be reduced.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 987 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
@ 2021-02-28 11:06 ` Andreas Enge
  2021-02-28 11:10 ` Andreas Enge
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 38+ messages in thread
From: Andreas Enge @ 2021-02-28 11:06 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

Am Sun, Feb 28, 2021 at 10:27:02AM +0000 schrieb Christopher Baines:
> I believe there's TLS issues with pulling for the current 1.2.0 release.
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

I noticed the same for the following, slightly older version:
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 0939462e3f81bc98b38bdb7610e6a80ca1cbaa1b

And it also occurs with the current master checkout using
   ./pre-inst-env guix pull

I tried again after updating my nss-certs package, but it did not make
any difference.

This is on dover, an aarch64 machine. I successfully did "guix pull"
on other machines, however.

Andreas





^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
  2021-02-28 11:06 ` Andreas Enge
@ 2021-02-28 11:10 ` Andreas Enge
  2021-03-01 10:15   ` Ludovic Courtès
  2021-03-01  9:49 ` zimoun
                   ` (5 subsequent siblings)
  7 siblings, 1 reply; 38+ messages in thread
From: Andreas Enge @ 2021-02-28 11:10 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

Am Sun, Feb 28, 2021 at 10:27:02AM +0000 schrieb Christopher Baines:
> This is probably possible to work around by doing:
>   guix pull --url=http://git.savannah.gnu.org/git/guix.git

This works, thanks for sharing! But it prints a nonsensical warning message:
Updating channel 'guix' from Git repository at 'http://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to bebfe06 (7,806 new commits)...
guix pull: warning: pulled channel 'guix' from a mirror of https://git.savannah.gnu.org/git/guix.git, which might be stale
Building from this channel:
  guix      http://git.savannah.gnu.org/git/guix.git	bebfe06

It is weird to call the https location a potentially stale mirror of the
http location.

Andreas





^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
  2021-02-28 11:06 ` Andreas Enge
  2021-02-28 11:10 ` Andreas Enge
@ 2021-03-01  9:49 ` zimoun
  2021-03-05 10:49   ` Christopher Baines
  2021-03-01 10:19 ` Ludovic Courtès
                   ` (4 subsequent siblings)
  7 siblings, 1 reply; 38+ messages in thread
From: zimoun @ 2021-03-01  9:49 UTC (permalink / raw)
  To: Christopher Baines, 46829

Hi Chris,

On Sun, 28 Feb 2021 at 10:27, Christopher Baines <mail@cbaines.net> wrote:
> I believe there's TLS issues with pulling for the current 1.2.0
> release.

Is this bug different from <http://issues.guix.gnu.org/issue/44559#8>?

And fixes are also discussed here:
<http://issues.guix.gnu.org/issue/46650>.


Cheers,
simon




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 11:10 ` Andreas Enge
@ 2021-03-01 10:15   ` Ludovic Courtès
  0 siblings, 0 replies; 38+ messages in thread
From: Ludovic Courtès @ 2021-03-01 10:15 UTC (permalink / raw)
  To: Andreas Enge; +Cc: 46829

Hi,

Andreas Enge <andreas@enge.fr> skribis:

> This works, thanks for sharing! But it prints a nonsensical warning message:
> Updating channel 'guix' from Git repository at 'http://git.savannah.gnu.org/git/guix.git'...
> Authenticating channel 'guix', commits 9edb3f6 to bebfe06 (7,806 new commits)...
> guix pull: warning: pulled channel 'guix' from a mirror of https://git.savannah.gnu.org/git/guix.git, which might be stale
> Building from this channel:
>   guix      http://git.savannah.gnu.org/git/guix.git	bebfe06
>
> It is weird to call the https location a potentially stale mirror of the
> http location.

There’s no way to know that the two URLs point to the same thing, hence
the message.

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
                   ` (2 preceding siblings ...)
  2021-03-01  9:49 ` zimoun
@ 2021-03-01 10:19 ` Ludovic Courtès
  2021-03-01 12:03   ` Andreas Enge
  2021-03-17 14:36   ` Ludovic Courtès
  2021-04-10 19:02 ` bug#46829: Fresh install of 1.2.0 can't guix pull Leo Famulari
                   ` (3 subsequent siblings)
  7 siblings, 2 replies; 38+ messages in thread
From: Ludovic Courtès @ 2021-03-01 10:19 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

Hi,

Christopher Baines <mail@cbaines.net> skribis:

> I believe there's TLS issues with pulling for the current 1.2.0 release.
>
> root@horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%
>
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

That’s on an installation without ‘nss-certs’ in the system profile,
right?

I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
certification verification altogether for the ‘guix’ channel?

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-03-01 10:19 ` Ludovic Courtès
@ 2021-03-01 12:03   ` Andreas Enge
  2021-03-17 14:36   ` Ludovic Courtès
  1 sibling, 0 replies; 38+ messages in thread
From: Andreas Enge @ 2021-03-01 12:03 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

Am Mon, Mar 01, 2021 at 11:19:08AM +0100 schrieb Ludovic Courtès:
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Yes, I installed nss-certs into the profiles from which I wanted to do
the "guix pull".

Andreas





^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-03-01  9:49 ` zimoun
@ 2021-03-05 10:49   ` Christopher Baines
  0 siblings, 0 replies; 38+ messages in thread
From: Christopher Baines @ 2021-03-05 10:49 UTC (permalink / raw)
  To: zimoun; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 494 bytes --]


zimoun <zimon.toutoune@gmail.com> writes:

> Hi Chris,
>
> On Sun, 28 Feb 2021 at 10:27, Christopher Baines <mail@cbaines.net> wrote:
>> I believe there's TLS issues with pulling for the current 1.2.0
>> release.
>
> Is this bug different from <http://issues.guix.gnu.org/issue/44559#8>?
>
> And fixes are also discussed here:
> <http://issues.guix.gnu.org/issue/46650>.

Yes, this bug is about a problem with guix pull, whereas #44559 relates
to a specific issue building the gnutls package.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 987 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-03-01 10:19 ` Ludovic Courtès
  2021-03-01 12:03   ` Andreas Enge
@ 2021-03-17 14:36   ` Ludovic Courtès
  2021-04-11 20:41     ` Leo Famulari
  1 sibling, 1 reply; 38+ messages in thread
From: Ludovic Courtès @ 2021-03-17 14:36 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

Hi,

Ludovic Courtès <ludo@gnu.org> skribis:

> Christopher Baines <mail@cbaines.net> skribis:
>
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>>
>> root@horna ~# guix pull
>> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
>> 0.0 MB will be downloaded
>> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%
>>
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> guix pull: error: Git error: the SSL certificate is invalid
>
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Looking at (guix scripts pull), I think that is the case:

  (define (honor-x509-certificates store)
    "Use the right X.509 certificates for Git checkouts over HTTPS."
    (unless (honor-system-x509-certificates!)
      (honor-lets-encrypt-certificates! store)))

By default, 1.2.0 installs ‘nss-certs’, so I would assume such
installations are unaffected, right?

> I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
> certification verification altogether for the ‘guix’ channel?

In hindsight, it seems preferable to keep X.509 authentication for now,
because there are still unauthenticated channels out there and because
it’s a bit tedious to work around it in (guix channels) and (guix git).

I checked the ‘le-certs’ package like so:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build -d le-certs) |grep pem
/gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv
/gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
/gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
$ guix build --check -v1 $(guix gc --references $(guix build -d le-certs) |grep pem)
La jenaj derivoj estos konstruataj:
   /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
   /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
   /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv

building /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem ...
|warning: rewriting hashes in `/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem'; cross fingers
building /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem ...
\warning: rewriting hashes in `/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem'; cross fingers
building /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx4.pem ...
|warning: rewriting hashes in `/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem'; cross fingers
/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem
/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem
/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem
--8<---------------cut here---------------end--------------->8---

AFAICS, everything is up-to-date here.  So I don’t get where the ‘guix
pull’ error above comes from.

Ideas?

Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
                   ` (3 preceding siblings ...)
  2021-03-01 10:19 ` Ludovic Courtès
@ 2021-04-10 19:02 ` Leo Famulari
  2021-04-10 19:45   ` Christopher Baines
  2021-04-10 23:04 ` Leo Famulari
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-10 19:02 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 902 bytes --]

On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> I believe there's TLS issues with pulling for the current 1.2.0 release.

On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
instructions in the manual section Binary Installation.

Then, `guix pull` succeeded for me, no problem.

Can anyone reproduce still reproduce this bug?

> root@horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%

If it's still around, maybe you can share this store item? I wonder if
it got corrupted.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-10 19:02 ` bug#46829: Fresh install of 1.2.0 can't guix pull Leo Famulari
@ 2021-04-10 19:45   ` Christopher Baines
  2021-04-10 20:30     ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Christopher Baines @ 2021-04-10 19:45 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 552 bytes --]


Leo Famulari <leo@famulari.name> writes:

> On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>
> On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
> instructions in the manual section Binary Installation.
>
> Then, `guix pull` succeeded for me, no problem.
>
> Can anyone reproduce still reproduce this bug?

I'm pretty sure I experienced this with a fresh install of Guix System,
I should have given more information in the initial report.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 987 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-10 19:45   ` Christopher Baines
@ 2021-04-10 20:30     ` Leo Famulari
  2021-04-10 21:09       ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-10 20:30 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

On Sat, Apr 10, 2021 at 08:45:22PM +0100, Christopher Baines wrote:
> 
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> >> I believe there's TLS issues with pulling for the current 1.2.0 release.
> >
> > On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
> > instructions in the manual section Binary Installation.
> >
> > Then, `guix pull` succeeded for me, no problem.
> >
> > Can anyone reproduce still reproduce this bug?
> 
> I'm pretty sure I experienced this with a fresh install of Guix System,
> I should have given more information in the initial report.

Okay, I'm testing this now, in a VM.

I wonder if it's the same thing as
<https://lists.gnu.org/archive/html/help-guix/2021-04/msg00075.html>?




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-10 20:30     ` Leo Famulari
@ 2021-04-10 21:09       ` Leo Famulari
  2021-04-10 21:21         ` Christopher Baines
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-10 21:09 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 427 bytes --]

On Sat, Apr 10, 2021 at 04:30:42PM -0400, Leo Famulari wrote:
> Okay, I'm testing this now, in a VM.
> 
> I wonder if it's the same thing as
> <https://lists.gnu.org/archive/html/help-guix/2021-04/msg00075.html>?

I followed the instructions in the manual section Installing Guix in a
VM.

Then, I booted the new system, opened a terminal emulator in the XFCE
desktop environment, and ran `guix pull`. It succeeded.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-10 21:09       ` Leo Famulari
@ 2021-04-10 21:21         ` Christopher Baines
  2021-04-10 22:54           ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Christopher Baines @ 2021-04-10 21:21 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 623 bytes --]


Leo Famulari <leo@famulari.name> writes:

> On Sat, Apr 10, 2021 at 04:30:42PM -0400, Leo Famulari wrote:
>> Okay, I'm testing this now, in a VM.
>> 
>> I wonder if it's the same thing as
>> <https://lists.gnu.org/archive/html/help-guix/2021-04/msg00075.html>?
>
> I followed the instructions in the manual section Installing Guix in a
> VM.
>
> Then, I booted the new system, opened a terminal emulator in the XFCE
> desktop environment, and ran `guix pull`. It succeeded.

Maybe it just doesn't work for the root user... I encountered this when
running guix pull as the root user on a headless machine.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 987 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-10 21:21         ` Christopher Baines
@ 2021-04-10 22:54           ` Leo Famulari
  0 siblings, 0 replies; 38+ messages in thread
From: Leo Famulari @ 2021-04-10 22:54 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 275 bytes --]

On Sat, Apr 10, 2021 at 10:21:35PM +0100, Christopher Baines wrote:
> Maybe it just doesn't work for the root user... I encountered this when
> running guix pull as the root user on a headless machine.

I logged in as root from the console, and `guix pull` worked there too.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
                   ` (4 preceding siblings ...)
  2021-04-10 19:02 ` bug#46829: Fresh install of 1.2.0 can't guix pull Leo Famulari
@ 2021-04-10 23:04 ` Leo Famulari
  2021-04-10 23:13 ` Leo Famulari
  2021-04-14  1:08 ` Leo Famulari
  7 siblings, 0 replies; 38+ messages in thread
From: Leo Famulari @ 2021-04-10 23:04 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 383 bytes --]

On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...

I downloaded this file, un-lzipped it, and extracted the nar. The
results are bit-identical to the le-certs from ci.guix.gnu.org.

Maybe there was a momentary misconfiguration on Savannah? Or something
like that?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
                   ` (5 preceding siblings ...)
  2021-04-10 23:04 ` Leo Famulari
@ 2021-04-10 23:13 ` Leo Famulari
  2021-04-14  1:08 ` Leo Famulari
  7 siblings, 0 replies; 38+ messages in thread
From: Leo Famulari @ 2021-04-10 23:13 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 788 bytes --]

On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> root@horna ~# wget https://git.savannah.gnu.org/git/guix.git
> --2021-02-28 11:22:49--  https://git.savannah.gnu.org/git/guix.git
> Resolving git.savannah.gnu.org (git.savannah.gnu.org)... 209.51.188.201, 2001:470:142:5::201
> Connecting to git.savannah.gnu.org (git.savannah.gnu.org)|209.51.188.201|:443... connected.
> ERROR: The certificate of ‘git.savannah.gnu.org’ is not trusted.
> ERROR: The certificate of ‘git.savannah.gnu.org’ doesn't have a known issuer.

By the way, it's expected that wget would fail here, if you had not
installed and configured nss-certs as directed in the manual.

`guix pull` uses its own certificate store (le-certs), and it's
suppposed to happen automatically.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-03-17 14:36   ` Ludovic Courtès
@ 2021-04-11 20:41     ` Leo Famulari
  2021-04-12  1:29       ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-11 20:41 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Wed, Mar 17, 2021 at 03:36:44PM +0100, Ludovic Courtès wrote:
>   (define (honor-x509-certificates store)
>     "Use the right X.509 certificates for Git checkouts over HTTPS."
>     (unless (honor-system-x509-certificates!)
>       (honor-lets-encrypt-certificates! store)))
> 
> By default, 1.2.0 installs ‘nss-certs’, so I would assume such
> installations are unaffected, right?

So, the bug here is that `guix pull` is using the wrong certificate
store. It should use le-certs, but is instead ignoring le-certs, and
looking for a system-wide store that doesn't exist.

I tested with an installer image from current master, and the bug still
exists.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-11 20:41     ` Leo Famulari
@ 2021-04-12  1:29       ` Leo Famulari
  2021-04-12  6:42         ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-12  1:29 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Sun, Apr 11, 2021 at 04:41:11PM -0400, Leo Famulari wrote:
> On Wed, Mar 17, 2021 at 03:36:44PM +0100, Ludovic Courtès wrote:
> >   (define (honor-x509-certificates store)
> >     "Use the right X.509 certificates for Git checkouts over HTTPS."
> >     (unless (honor-system-x509-certificates!)
> >       (honor-lets-encrypt-certificates! store)))
> > 
> > By default, 1.2.0 installs ‘nss-certs’, so I would assume such
> > installations are unaffected, right?
> 
> So, the bug here is that `guix pull` is using the wrong certificate
> store. It should use le-certs, but is instead ignoring le-certs, and
> looking for a system-wide store that doesn't exist.
> 
> I tested with an installer image from current master, and the bug still
> exists.

I checked and, although there have been some changes upstream at Let's
Encrypt [0], our le-certs still works for contacting Savannah with TLS.

[0] Some new root and intermediate certificates:

https://letsencrypt.org/certificates/

Once we fix this bug, we should look into updating the le-certs package.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12  1:29       ` Leo Famulari
@ 2021-04-12  6:42         ` Leo Famulari
  2021-04-12  8:30           ` Leo Famulari
  2021-04-13  9:29           ` bug#46829: `guix pull` uses incorrect certificate store Ludovic Courtès
  0 siblings, 2 replies; 38+ messages in thread
From: Leo Famulari @ 2021-04-12  6:42 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Sun, Apr 11, 2021 at 09:29:00PM -0400, Leo Famulari wrote:
> I checked and, although there have been some changes upstream at Let's
> Encrypt [0], our le-certs still works for contacting Savannah with TLS.

I checked wrong; le-certs needs to be updated. I'm testing the update
now...

> [0] Some new root and intermediate certificates:
> 
> https://letsencrypt.org/certificates/




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12  6:42         ` Leo Famulari
@ 2021-04-12  8:30           ` Leo Famulari
  2021-04-12 12:25             ` Ludovic Courtès
  2021-04-12 12:25             ` Ludovic Courtès
  2021-04-13  9:29           ` bug#46829: `guix pull` uses incorrect certificate store Ludovic Courtès
  1 sibling, 2 replies; 38+ messages in thread
From: Leo Famulari @ 2021-04-12  8:30 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829


[-- Attachment #1.1: Type: text/plain, Size: 554 bytes --]

On Mon, Apr 12, 2021 at 02:42:07AM -0400, Leo Famulari wrote:
> I checked wrong; le-certs needs to be updated. I'm testing the update
> now...

I couldn't figure out how to test an update of the Guix package, but
here is my patch updating le-certs.

`make update-guix-package` segfaults for me, sometime after it updates
the source tree but before adding the source checkout to the store.

I did `guix build guix --with-git-url=guix=$PWD`, which succeeded, but
using --with-git-url changes the derivation, so I couldn't test this in
a VM sans nss-certs.

[-- Attachment #1.2: 0001-gnu-le-certs-Update-to-new-Let-s-Encrypt-certificate.patch --]
[-- Type: text/plain, Size: 6372 bytes --]

From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 12 Apr 2021 02:19:33 -0400
Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.

* gnu/packages/certs.scm (le-certs): Update the certificate store.
[inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
letsencryptauthorityx4.pem.
[arguments]: Adjust the builder accordingly.
---
 gnu/packages/certs.scm | 76 ++++++++++++++++++++++++++++++------------
 1 file changed, 55 insertions(+), 21 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index b72d927c0d..9dcd733ffe 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -147,7 +147,7 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
 (define-public le-certs
   (package
     (name "le-certs")
-    (version "0")
+    (version "1")
     (source #f)
     (build-system trivial-build-system)
     (arguments
@@ -155,9 +155,12 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
        #:builder
        (begin
          (use-modules (guix build utils))
-         (let ((root (assoc-ref %build-inputs "isrgrootx1.pem"))
-               (intermediate (assoc-ref %build-inputs "letsencryptauthorityx3.pem"))
-               (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pem"))
+         (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
+               (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
+               (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
+               (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
+               (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
+               (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
                (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
                (openssl (assoc-ref %build-inputs "openssl"))
                (perl (assoc-ref %build-inputs "perl")))
@@ -166,7 +169,9 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
              (lambda (cert)
                (copy-file cert (string-append out "/"
                                               (strip-store-file-name cert))))
-             (list root intermediate backup))
+             (list root-rsa root-ecdsa
+                   intermediate-rsa intermediate-ecdsa
+                   backup-rsa backup-ecdsa))
 
            ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
            ;; similar.)
@@ -186,26 +191,55 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
            (sha256
             (base32
              "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
-       ;; "Let’s Encrypt Authority X3", the active Let's Encrypt intermediate
-       ;; certificate.
-       ("letsencryptauthorityx3.pem"
+      ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2"
+      ; Let's Encrypt describes it as "Active, limited availability"
+      ("isrgrootx2.pem"
         ,(origin
            (method url-fetch)
-           (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem")
+           (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
            (sha256
             (base32
-             "100lxxvqv4fj563bm03zzk5r36hq5jx9nnrajzs38g825c5k0cg2"))))
-       ;; "Let’s Encrypt Authority X4", the backup Let's Encrypt intermediate
-       ;; certificate.  This will be used for disaster recovery and will only be
-       ;; used should Let's Encrypt lose the ability to issue with "Let’s
-       ;; Encrypt Authority X3".
-       ("letsencryptauthorityx4.pem"
-        ,(origin
-           (method url-fetch)
-           (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem")
-           (sha256
-            (base32
-             "0d5256gwf73drq6q6jala28rfzhrgbk5pjfq27vc40ly91pdyh8m"))))))
+             "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
+      ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
+      ;; RSA certificate.
+      ("letsencryptauthorityr3.pem"
+       ,(origin
+          (method url-fetch)
+          (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
+          (sha256
+           (base32
+            "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
+      ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
+      ;; ECDSA certificate.
+      ("letsencryptauthoritye1.pem"
+       ,(origin
+          (method url-fetch)
+          (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
+          (sha256
+           (base32
+            "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
+      ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
+      ;; RSA certificate.  This will be used for disaster recovery and will only be
+      ;; used should Let's Encrypt lose the ability to issue with "Let’s
+      ;; Encrypt Authority R3".
+      ("letsencryptauthorityr4.pem"
+       ,(origin
+          (method url-fetch)
+          (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
+          (sha256
+           (base32
+            "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
+      ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
+      ;; ECDSA certificate.  This will be used for disaster recovery and will
+      ;; only be used should Let's Encrypt lose the ability to issue with "Let’s
+      ;; Encrypt Authority E1".
+      ("letsencryptauthoritye2.pem"
+       ,(origin
+          (method url-fetch)
+          (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
+          (sha256
+           (base32
+            "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
     (home-page "https://letsencrypt.org/certificates/")
     (synopsis "Let's Encrypt root and intermediate certificates")
     (description "This package provides a certificate store containing only the
-- 
2.31.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12  8:30           ` Leo Famulari
@ 2021-04-12 12:25             ` Ludovic Courtès
  2021-04-12 17:15               ` Leo Famulari
  2021-04-12 12:25             ` Ludovic Courtès
  1 sibling, 1 reply; 38+ messages in thread
From: Ludovic Courtès @ 2021-04-12 12:25 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> I couldn't figure out how to test an update of the Guix package, but
> here is my patch updating le-certs.

Cool!

> `make update-guix-package` segfaults for me, sometime after it updates
> the source tree but before adding the source checkout to the store.

Could you grab a backtrace, with:

  gdb $(which guile) core

where ‘core’ is the core file (it might live elsewhere on a foreign
distro).  It could be that the foreign distro packages being used are
buggy, or that a mixture of Guix- and distro-provided libraries are
being loaded.

In the meantime, you could also update the ‘guix’ package by hand for
testing purposes.

> From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 12 Apr 2021 02:19:33 -0400
> Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.
>
> * gnu/packages/certs.scm (le-certs): Update the certificate store.
> [inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
> letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
> letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
> letsencryptauthorityx4.pem.
> [arguments]: Adjust the builder accordingly.

Nice!  So how do we know if/when this has to be updated?  Maybe we can
add a ‘release-monitoring-url’ property?

I just checked that the files currently in use were still there, and
they are, but they’re outdated.

Thanks!

Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12  8:30           ` Leo Famulari
  2021-04-12 12:25             ` Ludovic Courtès
@ 2021-04-12 12:25             ` Ludovic Courtès
  2021-04-12 17:02               ` Leo Famulari
  1 sibling, 1 reply; 38+ messages in thread
From: Ludovic Courtès @ 2021-04-12 12:25 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> I couldn't figure out how to test an update of the Guix package, but
> here is my patch updating le-certs.

Cool!

> `make update-guix-package` segfaults for me, sometime after it updates
> the source tree but before adding the source checkout to the store.

Could you grab a backtrace, with:

  gdb $(which guile) core

where ‘core’ is the core file (it might live elsewhere on a foreign
distro).  It could be that the foreign distro packages being used are
buggy, or that a mixture of Guix- and distro-provided libraries are
being loaded.

In the meantime, you could also update the ‘guix’ package by hand for
testing purposes.

> From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 12 Apr 2021 02:19:33 -0400
> Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.
>
> * gnu/packages/certs.scm (le-certs): Update the certificate store.
> [inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
> letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
> letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
> letsencryptauthorityx4.pem.
> [arguments]: Adjust the builder accordingly.

Nice!  So how do we know if/when this has to be updated?  Maybe we can
add a ‘release-monitoring-url’ property?

I just checked that the files currently in use were still there, and
they are, but they’re outdated.

Thanks!

Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12 12:25             ` Ludovic Courtès
@ 2021-04-12 17:02               ` Leo Famulari
  2021-04-12 18:26                 ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-12 17:02 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> In the meantime, you could also update the ‘guix’ package by hand for
> testing purposes.

I tried this, but I can't figure out how to actually build the updated
Guix package, since the source code isn't added to the store.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12 12:25             ` Ludovic Courtès
@ 2021-04-12 17:15               ` Leo Famulari
  2021-04-12 17:32                 ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-12 17:15 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Mon, Apr 12, 2021 at 02:25:11PM +0200, Ludovic Courtès wrote:
> Could you grab a backtrace, with:
> 
>   gdb $(which guile) core

I don't know where to find this 'core' file. I'm on Guix System (the
Berlin server).




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12 17:15               ` Leo Famulari
@ 2021-04-12 17:32                 ` Leo Famulari
  2021-04-13  8:12                   ` Ludovic Courtès
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-12 17:32 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 4437 bytes --]

On Mon, Apr 12, 2021 at 01:15:11PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 02:25:11PM +0200, Ludovic Courtès wrote:
> > Could you grab a backtrace, with:
> > 
> >   gdb $(which guile) core
> 
> I don't know where to find this 'core' file. I'm on Guix System (the
> Berlin server).

I did `ulimit -c unlimited`, and then the core file was created at
/tmp/core.

I ran your command, and this is the output:

------
gdb $(which guile) /tmp/core                                                                                                                                          
GNU gdb (GDB) 10.1                                                                                                                                                                              
Copyright (C) 2020 Free Software Foundation, Inc.                                                                                                                                               
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>                                                                                                                   
This is free software: you are free to change and redistribute it.                                                                                                                              
There is NO WARRANTY, to the extent permitted by law.                                                                                                                                           
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /gnu/store/ildwvd8sl92znmwpxlnp7pbjkfwccih4-profile/bin/guile...
(No debugging symbols found in /gnu/store/ildwvd8sl92znmwpxlnp7pbjkfwccih4-profile/bin/guile)

warning: Can't open file /home/lfam/.cache/guile/ccache/3.0-LE-8-4.4/home/lfam/guix/gnu/packages/package-management.scm.go (deleted) during file-backed mapping note processing
[New LWP 70404]
[New LWP 70409]
[New LWP 70408]
[New LWP 70412]
[New LWP 70411]
[New LWP 70413]
[New LWP 70410]
[New LWP 70417]
[New LWP 70414]
[New LWP 70416]
[New LWP 70415]
[New LWP 70418]
[New LWP 70419]
[New LWP 70421]
[New LWP 70422]
[New LWP 70420]
[New LWP 70423]
[New LWP 70424]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
Core was generated by `/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile ./build-aux/updat'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
[Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
;;;       or pass the --no-auto-compile argument to disable.
;;; compiling /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:293:20: warning: possibly unbound variable `program-debug-info-name'
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:326:9: warning: possibly unbound variable `find-source-for-addr'
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:326:31: warning: possibly unbound variable `program-debug-info-addr'
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:327:31: warning: possibly unbound variable `program-debug-info-context'
;;; compiled /home/lfam/.cache/guile/ccache/3.0-LE-8-4.2/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm.go
;;; compiling /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/share/guile/3.0/system/base/types.scm
;;; compiled /home/lfam/.cache/guile/ccache/3.0-LE-8-4.2/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/share/guile/3.0/system/base/types.scm.go
------

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12 17:02               ` Leo Famulari
@ 2021-04-12 18:26                 ` Leo Famulari
  2021-04-13 17:47                   ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-12 18:26 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Mon, Apr 12, 2021 at 01:02:09PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> > In the meantime, you could also update the ‘guix’ package by hand for
> > testing purposes.
> 
> I tried this, but I can't figure out how to actually build the updated
> Guix package, since the source code isn't added to the store.

Alright, I pushed a branch 'wip-update-le-certs' to Savannah and built
the Guix package, and then a VM image sans nss-certs.

I confirm that updating the le-certs package fixes this bug.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12 17:32                 ` Leo Famulari
@ 2021-04-13  8:12                   ` Ludovic Courtès
  2021-04-13 18:09                     ` Leo Famulari
  0 siblings, 1 reply; 38+ messages in thread
From: Ludovic Courtès @ 2021-04-13  8:12 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

Hi,

Leo Famulari <leo@famulari.name> skribis:

> I ran your command, and this is the output:

Could you type ‘bt’ (backtrace) at the GDB prompt?

Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: `guix pull` uses incorrect certificate store
  2021-04-12  6:42         ` Leo Famulari
  2021-04-12  8:30           ` Leo Famulari
@ 2021-04-13  9:29           ` Ludovic Courtès
  2021-04-13 17:44             ` Leo Famulari
  1 sibling, 1 reply; 38+ messages in thread
From: Ludovic Courtès @ 2021-04-13  9:29 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

Hi,

Leo Famulari <leo@famulari.name> skribis:

> On Sun, Apr 11, 2021 at 09:29:00PM -0400, Leo Famulari wrote:
>> I checked and, although there have been some changes upstream at Let's
>> Encrypt [0], our le-certs still works for contacting Savannah with TLS.
>
> I checked wrong; le-certs needs to be updated. I'm testing the update
> now...

So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
pull’ uses the LE certs, but these certificates expire quite frequently,
whereas if you have ‘nss-certs’ installed, there’s “always” a valid
authentication chain from the roots.

Indeed, running ‘guix pull’ in the 1.2.0 live VM image works (it has
‘nss-certs’ installed in /etc/ssl/certs).  Likewise, a Guix System 1.2.0
installation that includes ‘nss-certs’ (which is the default) is
unaffected.

For those who do not have ‘nss-certs’ installed, a workaround is to do
avoid HTTPS:

  guix pull --url=http://git.savannah.gnu.org/git/guix.git

This is fine because the ‘guix’ channel is authenticated anyway.

We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
For that, Guile-Git needs to implement
‘git_transport_certificate_check_cb’ & co.  I started doing that but
it’s a bit of work (wrapping ‘struct git_cert’ is cumbersome) so I’m
willing to punt on it for now.

Thoughts?

Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: `guix pull` uses incorrect certificate store
  2021-04-13  9:29           ` bug#46829: `guix pull` uses incorrect certificate store Ludovic Courtès
@ 2021-04-13 17:44             ` Leo Famulari
  2021-04-14 10:50               ` Ludovic Courtès
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-13 17:44 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 1562 bytes --]

On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
> pull’ uses the LE certs, but these certificates expire quite frequently,
> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
> authentication chain from the roots.

No, that's incorrect. The certificates in le-certs expired after 5
years, so it's not frequent.

These are the root and intermediate certificates for the Let's Encrypt
certificate authority — they are not the 90 day certificates used by a
webserver.

The problem is that we (I) failed to pay attention and let our le-certs
package go stale.

> For those who do not have ‘nss-certs’ installed, a workaround is to do
> avoid HTTPS:

The original motivation of le-certs was that nss-certs would not be
required, and that `guix pull` would always work. I think we should
still try to achieve this.

>   guix pull --url=http://git.savannah.gnu.org/git/guix.git
> 
> This is fine because the ‘guix’ channel is authenticated anyway.

Yes, that works and is pretty safe. Although Guix will complain because
it can't tell that this is the same repo.

> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.

I think we should avoid adding "use insecure connection" options. Even
if the code itself is signed.

I'm going to figure out how to subscribe to Let's Encrypt announcements
and I'll report back with ideas about how to avoid a repeat of the
problem.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-12 18:26                 ` Leo Famulari
@ 2021-04-13 17:47                   ` Leo Famulari
  0 siblings, 0 replies; 38+ messages in thread
From: Leo Famulari @ 2021-04-13 17:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Mon, Apr 12, 2021 at 02:26:47PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 01:02:09PM -0400, Leo Famulari wrote:
> > On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> > > In the meantime, you could also update the ‘guix’ package by hand for
> > > testing purposes.
> > 
> > I tried this, but I can't figure out how to actually build the updated
> > Guix package, since the source code isn't added to the store.
> 
> Alright, I pushed a branch 'wip-update-le-certs' to Savannah and built
> the Guix package, and then a VM image sans nss-certs.

I've pushed the update patch as
15de49e60b255b98a53c6de4780e1ae95a8beada.

Now, we just need to update Guix package for it to take effect for
users, IIUC.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-13  8:12                   ` Ludovic Courtès
@ 2021-04-13 18:09                     ` Leo Famulari
  2021-04-21 13:14                       ` Ludovic Courtès
  0 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-13 18:09 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 4212 bytes --]

On Tue, Apr 13, 2021 at 10:12:13AM +0200, Ludovic Courtès wrote:
> Could you type ‘bt’ (backtrace) at the GDB prompt?

It goes like this:

------
Using host libthread_db library "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
Core was generated by `/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile ./build-aux/updat'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
[Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007eff61d9d4c4 in git_buf_try_grow () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#2  0x00007eff61d9d7a5 in git_buf_set () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#3  0x00007eff61deffe7 in git_path_prettify () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#4  0x00007eff61e043ad in find_repo () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#5  0x00007eff61e0528b in git_repository_discover () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#6  0x00007eff7de6166d in ffi_call_unix64 () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
#7  0x00007eff7de5fac0 in ffi_call_int () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
#8  0x00007eff7df4efbe in scm_i_foreign_call () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#9  0x00007eff7dfbd904 in foreign_call () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#10 0x00007eff7dfc4118 in vm_regular_engine () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#11 0x00007eff7dfc55b5 in scm_call_n () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#12 0x00007eff7df42d27 in scm_primitive_eval () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#13 0x00007eff7df42d83 in scm_eval () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#14 0x00007eff7df9b830 in scm_shell () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#15 0x00007eff7df5a73d in invoke_main_func () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#16 0x00007eff7df3cb0a in c_body () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#17 0x00007eff7dfc4149 in vm_regular_engine () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#18 0x00007eff7dfc55b5 in scm_call_n () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#19 0x00007eff7df41bba in scm_call_2 () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#20 0x00007eff7df433ba in scm_c_with_exception_handler () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#21 0x00007eff7dfbac3d in scm_c_catch () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#22 0x00007eff7df3d0b3 in scm_i_with_continuation_barrier () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#23 0x00007eff7df3d145 in scm_c_with_continuation_barrier () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#24 0x00007eff7dfb96df in with_guile () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#25 0x00007eff7de97c78 in GC_call_with_stack_base () from /gnu/store/zg126cjicrpm2p6zc08ra5vh4ddag7ww-libgc-8.0.4/lib/libgc.so.1
#26 0x00007eff7dfb99f8 in scm_with_guile () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#27 0x00007eff7df5a8b2 in scm_boot_guile () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#28 0x0000000000401100 in main ()
------

By the way, I can no longer reproduce the crash, now that I am using
`make update-guix-package` with a commit that has been pushed to
Savannah.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
                   ` (6 preceding siblings ...)
  2021-04-10 23:13 ` Leo Famulari
@ 2021-04-14  1:08 ` Leo Famulari
  2021-04-14  9:44   ` François
  7 siblings, 1 reply; 38+ messages in thread
From: Leo Famulari @ 2021-04-14  1:08 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 46829-done

[-- Attachment #1: Type: text/plain, Size: 934 bytes --]

On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> root@horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%
> 
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

This should be fixed with commit
a758a8a3c20052c5f1228e1ec80068652bbc3849, which updates the Guix package
to include commit 15de49e60b255b98a53c6de4780e1ae95a8beada.

There's nothing we can do for the 1.2.0 release artifacts at this point.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-14  1:08 ` Leo Famulari
@ 2021-04-14  9:44   ` François
  0 siblings, 0 replies; 38+ messages in thread
From: François @ 2021-04-14  9:44 UTC (permalink / raw)
  To: 46829, leo, mail

Hello,

On Tue, Apr 13, 2021 at 09:08:20PM -0400, Leo Famulari wrote:
> There's nothing we can do for the 1.2.0 release artifacts at this point.

Is there any place were we could document the problem and the suggested
workaround by Ludo (--url=http://)? Perhaps on the "Installation"
chapter of the manual, near the line documenting "guix pull"?

Cheers,
François




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: `guix pull` uses incorrect certificate store
  2021-04-13 17:44             ` Leo Famulari
@ 2021-04-14 10:50               ` Ludovic Courtès
  2021-04-14 19:57                 ` Maxime Devos
  2021-05-31 19:17                 ` Leo Famulari
  0 siblings, 2 replies; 38+ messages in thread
From: Ludovic Courtès @ 2021-04-14 10:50 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

Hi,

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
>> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
>> pull’ uses the LE certs, but these certificates expire quite frequently,
>> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
>> authentication chain from the roots.
>
> No, that's incorrect. The certificates in le-certs expired after 5
> years, so it's not frequent.
>
> These are the root and intermediate certificates for the Let's Encrypt
> certificate authority — they are not the 90 day certificates used by a
> webserver.
>
> The problem is that we (I) failed to pay attention and let our le-certs
> package go stale.

OK.  5 years still looks kinda “frequent” to me.  I would think that old
software installations (including “appliances”) would live longer than
that, no?

You install Guix on a laptop, you leave it in a drawer, and you come a
few years later and you can neither access HTTPS web sites nor run ‘guix
pull’?

>> For those who do not have ‘nss-certs’ installed, a workaround is to do
>> avoid HTTPS:
>
> The original motivation of le-certs was that nss-certs would not be
> required, and that `guix pull` would always work. I think we should
> still try to achieve this.

OK.

>> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
>
> I think we should avoid adding "use insecure connection" options. Even
> if the code itself is signed.

“Insecure” is a strong word: it still prevents eavesdropping, which is
the only property that matters in the presence of authenticated
channels.

> I'm going to figure out how to subscribe to Let's Encrypt announcements
> and I'll report back with ideas about how to avoid a repeat of the
> problem.

Yes, that’s the better option.  Thank you!

Ludo’.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: `guix pull` uses incorrect certificate store
  2021-04-14 10:50               ` Ludovic Courtès
@ 2021-04-14 19:57                 ` Maxime Devos
  2021-05-31 19:17                 ` Leo Famulari
  1 sibling, 0 replies; 38+ messages in thread
From: Maxime Devos @ 2021-04-14 19:57 UTC (permalink / raw)
  To: Ludovic Courtès, Leo Famulari; +Cc: 46829

[-- Attachment #1: Type: text/plain, Size: 875 bytes --]

On Wed, 2021-04-14 at 12:50 +0200, Ludovic Courtès wrote:
> [...]
> > > We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
> > 
> > I think we should avoid adding "use insecure connection" options. Even
> > if the code itself is signed.
> 
> “Insecure” is a strong word: it still prevents eavesdropping, which is
> the only property that matters in the presence of authenticated
> channels.

Maybe call the option '--tolerate-eavesdropping' then?  That name:

* is technically correct
* doesn't suggest the option is "Insecure"
* but still sounds like something you don't want
* should be clear to people not knowing about TLS' PKI infrastructure,
  ‘will eventually’™ be replaced with GNS + <insert GNUnet protocol here> or
  something like that, which wouldn't use such a centralised structure.

Thoughts?
Maxime.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: Fresh install of 1.2.0 can't guix pull
  2021-04-13 18:09                     ` Leo Famulari
@ 2021-04-21 13:14                       ` Ludovic Courtès
  0 siblings, 0 replies; 38+ messages in thread
From: Ludovic Courtès @ 2021-04-21 13:14 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 46829

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Apr 13, 2021 at 10:12:13AM +0200, Ludovic Courtès wrote:
>> Could you type ‘bt’ (backtrace) at the GDB prompt?
>
> It goes like this:
>
> ------
> Using host libthread_db library "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
> Core was generated by `/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile ./build-aux/updat'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x0000000000000000 in ?? ()
> [Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
> (gdb) bt
> #0  0x0000000000000000 in ?? ()
> #1  0x00007eff61d9d4c4 in git_buf_try_grow () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #2  0x00007eff61d9d7a5 in git_buf_set () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #3  0x00007eff61deffe7 in git_path_prettify () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #4  0x00007eff61e043ad in find_repo () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #5  0x00007eff61e0528b in git_repository_discover () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #6  0x00007eff7de6166d in ffi_call_unix64 () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
> #7  0x00007eff7de5fac0 in ffi_call_int () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
> #8  0x00007eff7df4efbe in scm_i_foreign_call () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1

BTW, this must be fixed by 5b35c9adc899749a0bd96a0e6d2c3bbf88e38963.

Ludo'.




^ permalink raw reply	[flat|nested] 38+ messages in thread

* bug#46829: `guix pull` uses incorrect certificate store
  2021-04-14 10:50               ` Ludovic Courtès
  2021-04-14 19:57                 ` Maxime Devos
@ 2021-05-31 19:17                 ` Leo Famulari
  1 sibling, 0 replies; 38+ messages in thread
From: Leo Famulari @ 2021-05-31 19:17 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 46829

On Wed, Apr 14, 2021 at 12:50:39PM +0200, Ludovic Courtès wrote:
> OK.  5 years still looks kinda “frequent” to me.  I would think that old
> software installations (including “appliances”) would live longer than
> that, no?
> 
> You install Guix on a laptop, you leave it in a drawer, and you come a
> few years later and you can neither access HTTPS web sites nor run ‘guix
> pull’?

Yeah, that's bad.

Let's go ahead with adding some kind of '--allow-insecure-transport'
option to `guix pull` for this use case. Bonus points for making it
sounds as scary as possible :)




^ permalink raw reply	[flat|nested] 38+ messages in thread

end of thread, other threads:[~2021-05-31 19:18 UTC | newest]

Thread overview: 38+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
2021-02-28 11:06 ` Andreas Enge
2021-02-28 11:10 ` Andreas Enge
2021-03-01 10:15   ` Ludovic Courtès
2021-03-01  9:49 ` zimoun
2021-03-05 10:49   ` Christopher Baines
2021-03-01 10:19 ` Ludovic Courtès
2021-03-01 12:03   ` Andreas Enge
2021-03-17 14:36   ` Ludovic Courtès
2021-04-11 20:41     ` Leo Famulari
2021-04-12  1:29       ` Leo Famulari
2021-04-12  6:42         ` Leo Famulari
2021-04-12  8:30           ` Leo Famulari
2021-04-12 12:25             ` Ludovic Courtès
2021-04-12 17:15               ` Leo Famulari
2021-04-12 17:32                 ` Leo Famulari
2021-04-13  8:12                   ` Ludovic Courtès
2021-04-13 18:09                     ` Leo Famulari
2021-04-21 13:14                       ` Ludovic Courtès
2021-04-12 12:25             ` Ludovic Courtès
2021-04-12 17:02               ` Leo Famulari
2021-04-12 18:26                 ` Leo Famulari
2021-04-13 17:47                   ` Leo Famulari
2021-04-13  9:29           ` bug#46829: `guix pull` uses incorrect certificate store Ludovic Courtès
2021-04-13 17:44             ` Leo Famulari
2021-04-14 10:50               ` Ludovic Courtès
2021-04-14 19:57                 ` Maxime Devos
2021-05-31 19:17                 ` Leo Famulari
2021-04-10 19:02 ` bug#46829: Fresh install of 1.2.0 can't guix pull Leo Famulari
2021-04-10 19:45   ` Christopher Baines
2021-04-10 20:30     ` Leo Famulari
2021-04-10 21:09       ` Leo Famulari
2021-04-10 21:21         ` Christopher Baines
2021-04-10 22:54           ` Leo Famulari
2021-04-10 23:04 ` Leo Famulari
2021-04-10 23:13 ` Leo Famulari
2021-04-14  1:08 ` Leo Famulari
2021-04-14  9:44   ` François

unofficial mirror of bug-guix@gnu.org 

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://yhetil.org/guix-bugs/0 guix-bugs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 guix-bugs guix-bugs/ https://yhetil.org/guix-bugs \
		bug-guix@gnu.org
	public-inbox-index guix-bugs

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.gnu.guix.bugs
	nntp://news.gmane.io/gmane.comp.gnu.guix.bugs


AGPL code for this site: git clone http://ou63pmih66umazou.onion/public-inbox.git