From: Bob Proulx
Subject: Re: `guix pull` over HTTPS
Date: Mon, 13 Feb 2017 14:23:50 -0700
Message-ID: <20170213135814456903673@bob.proulx.com>
In-Reply-To: <20170209155512.GA11291@jasmine>
To: guix-devel@gnu.org

Leo Famulari wrote:
> GNU Guix is discussing the possibilities created by Savannah's
> offering of Git-over-HTTPS:
...
> If anyone from Savannah has anything to add to the discussion, feel
> free to jump in :)

Thanks for the invite! I'll jump in. :-) I am not subscribed.
Please CC me on anything you want me to see. Although I will check
back periodically it won't be timely.

I see many things over multiple messages. I will try to coalesce
several things here in one place.

> The Savannah admins have been working tirelessly to improve the Savannah
> infrastructure, and they will soon announce the public availability of
> Git served over HTTPS. [1]

I think things are working pretty solidly. After having previously
needed several flip-flops back and forth I think things are going to
stick in the current configuration now. Haven't had any new
showstopper problem reports recently and I think by now there would
have been reports if something was significantly problematic. I need
to write up a more official announcement but I think it is safe to
rely upon using the current git over https configuration.

Ludovic Courtès wrote:
> Alternately we could have a package that provides only the Let’s
> Encrypt certificate chain, if that’s what Savannah uses.

Yes. Previously the FSF furnished purchased static certificates
yearly but with this migration we are now using Let's Encrypt on all
of the Savannah servers.

As you know Let's Encrypt have a maximum expiration of three months.
The typical renewal schedule is to check daily and renew after two
months giving a month of schedule exposure to ensure renewal before
expiration. In practice this means the certificates are renewed and
updated every two months.

There have been problems elsewhere with people pinning certificates on
their client and then finding that every two months they get a
certificate change notice. With Let's Encrypt that is every two
months but even with the previous commercial authority that change
occurred every year.

Marius Bakke wrote:
> I think pinning the public key could work, if the Savannah
> administrators are aware of it. But we'd need a reliable fallback
> mechanism in case the private key needs to be updated.

As you note there are both advantages and disadvantages to certificate
pinning. At the moment we are not planning on implementing pinning.
This is not a permanent statement. Just the current state of things
at this time. Continuous incremental improvement is happening.

Ludovic Courtès wrote:
> Agreed, let’s improve things incrementally.

That is a good summary of my own philosophy too.

> But as you write, the eventual goal is to authenticate the code rather
> the server, which will provide much better assurance.

As a long time user of a distro that does that I agree completely and
would like to encourage this. And of course then it would work on
other transports such as physical media and other paths. :-)

Bob
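
Added example, not part of the message above and not Savannah or Guix code: it contrasts the two pinning styles discussed in this thread across a renewal cycle. A pin on the whole certificate changes at every renewal, a pin on the public key (SubjectPublicKeyInfo) holds as long as the server keeps the same key, and a backup pin is one possible fallback for a key change. The certificates are constructed X.509-shaped stand-ins with dummy keys and signatures, and all names (`fake_cert`, `accepted`, `KEY_A`, ...) are hypothetical.

```python
import base64, hashlib

def tlv(tag, body):
    """DER-encode one tag-length-value element."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos):
    """Return (tag, value_start, element_end) for the element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_der(cert):
    """Slice SubjectPublicKeyInfo out of a DER X.509 certificate."""
    p = read_tlv(cert, 0)[1]              # enter Certificate
    p = read_tlv(cert, p)[1]              # enter tbsCertificate
    tag, _, end = read_tlv(cert, p)
    if tag == 0xA0:                       # optional [0] version
        p = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        p = read_tlv(cert, p)[2]
    return cert[p:read_tlv(cert, p)[2]]

def spki_pin(cert):                       # public-key pin: base64(SHA-256(SPKI))
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def cert_pin(cert):                       # whole-certificate pin
    return hashlib.sha256(cert).hexdigest()

def fake_cert(serial, not_before, not_after, key):
    """Constructed stand-in: certificate-shaped DER, not a valid certificate."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key))
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00dummy-signature"))

def accepted(cert, spki_pins):
    """Client check: the served key must match a primary or backup pin."""
    return spki_pin(cert) in spki_pins

KEY_A, KEY_B = b"A" * 270, b"B" * 270     # constructed key material
jan = fake_cert(b"\x01", b"170101000000Z", b"170401000000Z", KEY_A)
mar = fake_cert(b"\x02", b"170301000000Z", b"170530000000Z", KEY_A)  # renewal, same key
rekeyed = fake_cert(b"\x03", b"170501000000Z", b"170730000000Z", KEY_B)
backup_pin = spki_pin(rekeyed)            # pin of the standby key, shipped ahead of use
```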