From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms1.migadu.com with LMTPS id 2IJbCAorEGYUqQAAqHPOHw:P1 (envelope-from ) for ; Fri, 05 Apr 2024 18:47:06 +0200 Received: from aspmx1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id 2IJbCAorEGYUqQAAqHPOHw (envelope-from ) for ; Fri, 05 Apr 2024 18:47:06 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=interia.pl header.s=dk header.b=eJ7JxTO2; dmarc=pass (policy=none) header.from=interia.pl; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Seal: i=1; s=key1; d=yhetil.org; t=1712335626; a=rsa-sha256; cv=none; b=Mpnd8PoSCC/DMez01t+9vAfTBKqCX9vHjwD7e8fsc8d+j3POihVnVMNgo1yKN/x5Tf90n4 cxxX4n5seDk4pizym1y34i4Zbm9eIZL7SamuF7+y3chFakOP3Pepnw0dU0PjvcrLW93pZv WA6czWjHqvNClbqKtnqSQmYAxw92+SIXrQe+818VIy0Jt2ZpBdv+hA2kRdCf3fYzIV/T3A mOnQMHInhp0pmVrViVr9ITfeaqFXJlFcRWhj4vTgdhF6ZOfphQWwpswZ1mFgiHR5GW/EIN /SaUC/2JZHyuTlxa4/46YlfE3F2XPN4pp+LmmA2CC4zZU9CPhR7U6h5WluySVg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=interia.pl header.s=dk header.b=eJ7JxTO2; dmarc=pass (policy=none) header.from=interia.pl; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1712335626; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=D3KI3+kFOba61KSZnG+bnmZAtr9K2UuoWFQez9y1Acc=; b=am1wrBisljQgB7rI/wwG6AfPge1ljkCGft8tRkZOnSKHUQ3CNABSB6pwstAKZ1Ck/lDDwe 2NX00tt9YQ383aEV/+9onoqHWLGw6g+zSr6d7YgQoEmTInrXgNSNYM3Csjpx86eAmWbqNY aA7aAjJMzf+8yyHxn7KvYuktuBEIGNhezKK/ZXzEUvsEe01y2r7uWKrzlY+ke7WAWjIEpJ 5AyLv9aCzklU2YdwKaVPplg+ROz/hgpvINfLcg+nXaAgCHHF8jUS2OseT8mv+zKu+IiiK3 05OP8GxmasOUqs9qWfx/m3ep4lThlOkVrFicy+O8aOgsnk+9BGSMlqmHT36hgA== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id F2CA27B2A0 for ; Fri, 5 Apr 2024 18:47:05 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rsmi0-0001Lp-AZ; Fri, 05 Apr 2024 12:46:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rsmhr-0001KN-U7 for guix-devel@gnu.org; Fri, 05 Apr 2024 12:46:24 -0400 Received: from smtpo48.interia.pl ([217.74.67.48]) by eggs.gnu.org with esmtps (TLS1.2:RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rsmhk-0006OB-B0 for guix-devel@gnu.org; Fri, 05 Apr 2024 12:46:18 -0400 Received: from localhost (89-64-56-150.dynamic.chello.pl [89.64.56.150]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by poczta.interia.pl (INTERIA.PL) with ESMTPSA; Fri, 5 Apr 2024 18:46:08 +0200 (CEST) Date: Fri, 5 Apr 2024 18:45:53 +0200 From: Jan Wielkiewicz To: Maxim Cournoyer Cc: guix-devel Subject: Re: Should we include nss-certs out of the box? Message-ID: <20240405184553.16106f94@interia.pl> In-Reply-To: <874jciuxqq.fsf@gmail.com> References: <874jciuxqq.fsf@gmail.com> X-Mailer: Claws Mail 4.1.1 (GTK 3.24.41; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-IPL-Priority-Group: 0-0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=interia.pl; s=dk; t=1712335569; bh=D3KI3+kFOba61KSZnG+bnmZAtr9K2UuoWFQez9y1Acc=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type; b=eJ7JxTO2ltOBOwhzF1eKmxKjByDslk2v7m0c71YbYJGTvv3ZbEUmw3uDGKQqaHhg+ H1MeUojAerwArgMKgxrvrTkKs9TfFcOwavUU10reU6VZigcCyPneDNbxBtBEwVFT6Y dL/C3FH/Dv7PhG+NdM5hB0WgWCDV51a0Nsbvw8oY= Received-SPF: pass client-ip=217.74.67.48; envelope-from=tona_kosmicznego_smiecia@interia.pl; helo=smtpo48.interia.pl X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Spam-Score: -6.69 X-Migadu-Queue-Id: F2CA27B2A0 X-Migadu-Spam-Score: -6.69 X-Migadu-Scanner: mx10.migadu.com X-TUID: xIArkwSnDuHy On Wed, 03 Apr 2024 14:06:37 -0400 Maxim Cournoyer wrote: > Hi, > > It's been Guix policy to let people choose whether to install or not > TLS root certificates and which one to their machine. While I > applaud the idea to have the users make a conscious decision about > it, in practice I suppose very few of us choose to *not* install any > as that basically breaks using web browsers, especially ones like > IceCat which (by default) ensures HTTPS is used on every page. > > It apparently even makes it impossible to run 'guix pull', if I am to > believe bug#62026. > > Should we do as in bug#62026 and have this package be part of the > recommended basic installation? It'd be in the basic set of an > operating-system packages (via its default %base-packages set). It > could still be manipulated via the Guix API (filtered out/replaced > with something else). > > Is anyone opposed to having nss-certs in %base-packages? > Hello, IMO everything should work out of the box. Power users will be able to do their stuff if they need to, so the feature should be opt-out. -- Jan Wielkiewicz