From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH v3] pull: Default to HTTPS.
Date: Wed, 1 Mar 2017 17:07:08 -0500
Message-ID: <20170301220708.GA22766@jasmine>
References: <20170301051420.GA11310@jasmine>
	<20170301212000.5476-1-mbakke@fastmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35302)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cjCOw-0005Fq-8y
	for guix-devel@gnu.org; Wed, 01 Mar 2017 17:07:15 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cjCOt-0002QG-1F
	for guix-devel@gnu.org; Wed, 01 Mar 2017 17:07:14 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:38623)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cjCOs-0002Pt-DW
	for guix-devel@gnu.org; Wed, 01 Mar 2017 17:07:10 -0500
Content-Disposition: inline
In-Reply-To: <20170301212000.5476-1-mbakke@fastmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org


--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Mar 01, 2017 at 10:20:00PM +0100, Marius Bakke wrote:
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.

Nice! It works without GnuTLS in $PATH and an unset $SSL_CERT_DIR :)

By the way, the only thing I'm waiting for before submitting an le-certs
package is one more person to check that they can reproduce the
certificates that would be provided by the le-certs package, as
requested here:

http://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html

>  (define %snapshot-url
>    ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
> -  "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
> +  "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
>    )

> +  (define (use-le-certs? url)
> +    (string=? url %snapshot-url))

I thought about it, and we should probably relax this, to match
"https://git.savannah.gnu.org/cgit/guix.git", so that everything would
work in cases like this...

$ guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/v0.12.0.tar.gz

... and for future cases when `guix pull` may use Git.

> +  (define (fetch-tarball store url)
> +    (download-to-store store url "guix-latest.tar.gz"))
> +
>    (with-error-handling
>      (let* ((opts  (parse-options))
>             (store (open-connection))
>             (url   (assoc-ref opts 'tarball-url)))
> -      (let ((tarball (download-to-store store url "guix-latest.tar.gz")))
> +      (let ((tarball (if (use-gnutls? url)
> +                         (begin
> +                           ;; Add GnuTLS to inputs and load path.
> +                           (set! %load-path
> +                             (cons (string-append (package-output store gnutls)
> +                                                  "/share/guile/site/"
> +                                                  (effective-version))
> +                                   %load-path))
> +                           (if (use-le-certs? url)
> +                               (parameterize ((%x509-certificate-directory
> +                                               (string-append (package-output store nss-certs)
> +                                                              "/etc/ssl/certs")))
> +                                 (fetch-tarball store url))
> +                               (fetch-tarball store url)))
> +                         (fetch-tarball store url))))

I hope some more seasoned Schemers will offer their review :)

--sdtB3X0nJg68CQEu
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli3RgsACgkQJkb6MLrK
fwgecQ/+KUYbNuwAZb8ZQXD1gR52iWdUCOPzY+DL4c7kRSaoyTdiMoC1do9bzBFw
u9ba0l3lOvnkfxIgwEfEDuK+J8VNrCjNMOCYZ6YRlaKlcZ8kwiFxJqflB1Aw1/Tb
vjDwxcFYHM6RctNobTpLGuecq1zlLreO08aqYE9RmBvIJCurihIV8KUZY8lBqw/0
CZNNS0NSSeDLwefY+qXC5vHXQkKtVgaUWrAwp3ZoD6zcKo48I9PAhwXoXhPUB88Y
4qdEDiBCxm4tYqbSSrqyxMPeSYgqc2FXw3KqH9wPsFNH4dv9ltcUbM6wcT9ZPts1
LF69xi5BJ+oNRhrYOX0pyrjt8CecL/YOGkcDLamhcDLoukvyNJazJ/wgn6593Agk
jPuaLrC0qGxOq5TqodTEa6x+OvG0/HzzXP+WMemZjh6H0L5jzWR6vIM1VkU1KH03
1iAnjgSD2r5IrJcgXkdY4/8mwpwWdVhAWJGGTPi+BnMisHwnbGCGMM9RreJeeTDn
8zg26LN8yLg3XH9Tk8kSxRhmiQL7Tkz6e8Zh8h3KZQPzFQLoLceaYu2qmDqYRF7M
WMS7Kja+prLlIp9dB8HLbBkvp9FAi4vkS3uwSsYRw3hQimG0Od27fhmeaEz0IHCO
71OLOk6ir7jzYlDmbJMbmcqgoyzB5I48XFBDWvauYoHR91tUFlM=
=Jt2n
-----END PGP SIGNATURE-----

--sdtB3X0nJg68CQEu--