From: Leo Famulari
Subject: Re: `guix pull` over HTTPS
Date: Wed, 1 Mar 2017 00:14:20 -0500
To: Marius Bakke
Cc: guix-devel@gnu.org

On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote:
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY parameter.
> (open-connection-for-uri): Adjust parameters to match.
> (http-fetch): Likewise.
> (url-fetch): Likewise.
> * guix/download.scm (download-to-store): Likewise.
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Verify against the store path of NSS-CERTS.

When I don't have GnuTLS in my environment, it fails like this:

Starting download of /tmp/guix-file.pSCYyI
From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz...
;;; Failed to autoload make-session in (gnutls):
;;; ERROR: missing interface for module (gnutls)
ERROR: In procedure module-lookup: Unbound variable: make-session
failed to download "/tmp/guix-file.pSCYyI" from "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
guix pull: error: failed to download up-to-date source, exiting

Also, I think we should only use a default trust store when pulling from
%snapshot-url.