From: Leo Famulari
Subject: Re: [PATCH v3] pull: Default to HTTPS.
Date: Wed, 1 Mar 2017 17:07:08 -0500
Message-ID: <20170301220708.GA22766@jasmine>
References: <20170301051420.GA11310@jasmine> <20170301212000.5476-1-mbakke@fastmail.com>
In-Reply-To: <20170301212000.5476-1-mbakke@fastmail.com>
To: Marius Bakke
Cc: guix-devel@gnu.org

On Wed, Mar 01, 2017 at 10:20:00PM +0100, Marius Bakke wrote:
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.

Nice!
It works without GnuTLS in $PATH and an unset $SSL_CERT_DIR :)

By the way, the only thing I'm waiting for before submitting an le-certs package is one more person to check that they can reproduce the certificates that would be provided by the le-certs package, as requested here:

http://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html

> (define %snapshot-url > ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download" > - "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" > + "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" > ) > + (define (use-le-certs? url) > + (string=? url %snapshot-url))

I thought about it, and we should probably relax this, to match "https://git.savannah.gnu.org/cgit/guix.git", so that everything would work in cases like this...

$ guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/v0.12.0.tar.gz

... and for future cases when `guix pull` may use Git.

> + (define (fetch-tarball store url) > + (download-to-store store url "guix-latest.tar.gz")) > + > (with-error-handling > (let* ((opts (parse-options)) > (store (open-connection)) > (url (assoc-ref opts 'tarball-url))) > - (let ((tarball (download-to-store store url "guix-latest.tar.gz"))) > + (let ((tarball (if (use-gnutls? url) > + (begin > + ;; Add GnuTLS to inputs and load path. > + (set! %load-path > + (cons (string-append (package-output store gnutls) > + "/share/guile/site/" > + (effective-version)) > + %load-path)) > + (if (use-le-certs? 
url) > + (parameterize ((%x509-certificate-directory > + (string-append (package-output store nss-certs) > + "/etc/ssl/certs"))) > + (fetch-tarball store url)) > + (fetch-tarball store url))) > + (fetch-tarball store url))))

I hope some more seasoned Schemers will offer their review :)
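
Review bot: In the first quoted hunk, `use-le-certs?` tests `(string=? url %snapshot-url)`, so only the exact default tarball URL selects the packaged certificate directory; any other HTTPS URL under the same repository, such as a `--url` pointing at a different snapshot, is verified against whatever certificate store the environment provides. Consider matching on the repository prefix instead, for example `(string-prefix? "https://git.savannah.gnu.org/cgit/guix.git/" url)`, keeping the trailing slash so the match cannot extend into a differently named path.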
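
Review bot: In the `guix-pull` hunk, `(fetch-tarball store url)` is repeated in three branches of a nested `if`, and the `set!` on `%load-path` inside the `begin` is a global side effect that nothing in the visible lines restores, which makes it hard to see which trust settings apply to which URL. Consider deciding the certificate directory first and calling `fetch-tarball` once, and add a comment stating that `%x509-certificate-directory` is parameterized only when `use-le-certs?` holds, so other HTTPS URLs rely on the ambient certificate configuration. The predicate is named `use-le-certs?` but the branch it guards binds `nss-certs`, and `use-gnutls?` is called here without its definition appearing in the quoted lines; a rename or comment for the former and a docstring for the latter would help. The comment "Add GnuTLS to inputs and load path" also describes more than the visible code, which only extends the load path.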