From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: `guix pull` over HTTPS
Date: Thu, 9 Feb 2017 16:55:12 +0100
Message-ID: <20170209155512.GA11291@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="l76fUT7nc3MelDdI"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58203)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cbr49-0006UJ-RE
	for guix-devel@gnu.org; Thu, 09 Feb 2017 10:55:26 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cbr44-00039M-RC
	for guix-devel@gnu.org; Thu, 09 Feb 2017 10:55:25 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:57396)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cbr44-00038z-LE
	for guix-devel@gnu.org; Thu, 09 Feb 2017 10:55:20 -0500
Received: from localhost (123-190-190-109.dsl.ovh.fr [109.190.190.123])
	by mail.messagingengine.com (Postfix) with ESMTPA id CE8967E6FC
	for <guix-devel@gnu.org>; Thu,  9 Feb 2017 10:55:17 -0500 (EST)
Content-Disposition: inline
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--l76fUT7nc3MelDdI
Content-Type: multipart/mixed; boundary="Q68bSM7Ycu6FN28Q"
Content-Disposition: inline


--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Currently, the default source for `guix pull` is
<http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz>.

It's suboptimal to download the Guix source code over HTTP, since the
data can be mutated and recorded in transit. [0]

The Savannah admins have been working tirelessly to improve the Savannah
infrastructure, and they will soon announce the public availability of
Git served over HTTPS. [1]

HTTPS is not a security panacea but, in my opinion, we should use it if
it's available, at least until `guix pull` can verify commit signatures.

However, it's a little harder to get right than HTTP. For example, `guix
pull` could fail if there is a problem with the user's certificate
store, or if their clock is wrong.

Does anyone have any specific concerns or advice about changing the
value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
Should the change be that simple, or should we do more?

The attached patch works for me on a foreign distro when SSL_CERT_DIR
and SSL_CERT_FILE are set as described in the manual (section 7.2.9
X.509 Certificates) and GnuTLS-Guile is available in my environment.

[0] Discussion of the general problems with `guix pull`:
http://bugs.gnu.org/22883

[1]
http://lists.gnu.org/archive/html/savannah-hackers-public/2017-02/msg00034.html

--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-pull-Download-GNU-Guix-with-HTTPS.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 63eca1a41d993c04d662736589872fbc7123a168 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari <leo@famulari.name>
Date: Thu, 9 Feb 2017 12:13:42 +0100
Subject: [PATCH] pull: Download GNU Guix with HTTPS.

* guix/scripts/pull.scm (%snapshot-url): Use HTTPS URL.
---
 guix/scripts/pull.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index 3f940f94d..2312eed29 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -45,7 +45,7 @@
=20
 (define %snapshot-url
   ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
-  "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
+  "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
   )
=20
 (define-syntax-rule (with-environment-variable variable value body ...)
--=20
2.11.0


--Q68bSM7Ycu6FN28Q--

--l76fUT7nc3MelDdI
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlickN0ACgkQJkb6MLrK
fwi5cRAA5v0UYV0+1pNoLWxC+EHqfJQPDPLD2IMPz4GsajFOZg8BsMy5+Vslo1A8
hovYqorWxttfVvuv3V91dZOBsd7gfux11LaOj1DHv3vVWjVJ30s6MAEZn6hdkJhw
SQ2UVNfoJHRU4G2EU6xcVsOQeAeebJgp0FrCyUn1v0olaxsI4C3kgccOHSh5P8QT
gDNrxeTpEyXHSFSEsqJALDkuhxP4/YS2UPyPIYam6HD1qoheDyl5OH1OWvEHCjgf
A32yrP9V5zu0J50o4pOMWQ1RjBCfRax4YyMODCPn5LRx0xTtmiA3aGYUyapRxawr
u6BSbphby87tEJbEgBoLs2GFdrR7hgKxAuTGeJqLYRznNN9jww6cRcnNqyT4QwkW
EUAl2nV5Ug4oIsAIeilPkebzxZhLI8il6fEgtk7W3ugaruW9pcX9OeIoKEby2TFL
EcBw7S0Z2QJ31bZKr/cfhXqx/0JnS2WcG92k2XXtKV2jaz13U7xBVkbAp25zIXou
zPr4hsCH6rUyaP/F0I+RziLBXXydKdb/hDnn3nk5jJtvycmCq3GcUywGC7Kr9LtM
fUWC4hts4sCF+IAbMdEcoEz/AMt/Wecpng7CYfM9EtFXPDoLf9izqVWUWgb7FcmF
5vfT5nIIK5LDsqOqB//IDmRok7qejXQqPT8592cU7Wa5zOZOjoY=
=oy8H
-----END PGP SIGNATURE-----

--l76fUT7nc3MelDdI--