unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: "Ludovic Courtès" <ludo@gnu.org>
To: Richard Sent <richard@freakingpenguin.com>
Cc: Josselin Poiret <dev@jpoiret.xyz>,
	 Simon Tournier <zimon.toutoune@gmail.com>,
	 Mathieu Othacehe <othacehe@gnu.org>,
	 Tobias Geerinckx-Rice <me@tobias.gr>,
	 Ricardo Wurmus <rekado@elephly.net>,
	Christopher Baines <guix@cbaines.net>,
	 70314@debbugs.gnu.org, guix-devel <guix-devel@gnu.org>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Date: Sun, 15 Sep 2024 23:39:39 +0200	[thread overview]
Message-ID: <875xqwd2as.fsf@gnu.org> (raw)
In-Reply-To: <871q1zsbry.fsf@freakingpenguin.com> (Richard Sent's message of "Wed, 04 Sep 2024 11:01:53 -0400")

Hi Richard,

Cc: guix-devel to get more feedback: this is about adding ‘nss-certs’ by
default in ‘guix shell -CN’ containers, along with a ‘--no-tls’ option
to opt out:

  https://issues.guix.gnu.org/70314

Richard Sent <richard@freakingpenguin.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Instead of adding the ‘nss-certs’ package, I would rather expose
>> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
>> certificates will be used, and (2) it’s less expensive than having to
>> compute the derivation of ‘nss-certs’.
>
> There is an issue with this that's cropped up in the past. The files in
> /etc/ssl/certs/* are symlinks to store items. Because containers only
> see a subset of store items that are in that container's profile, it
> often sees the symlinks to store items but not the target file.

Oh, indeed.

[...]

>> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
>> shell and it will take precedence over /etc/ssl/certs, assuming
>> SSL_CERT_{FILE,DIR} is defined.
>
> True, although at present anyone who wants to use nss-certs must set
> SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
> registers the search path).

Right.

[...]

> My thoughts are if we have to decide between
>
> 1. Users who want TLS with standard public endpoints
> 2. Users who want TLS with custom private endpoints
>
> it's better to prioritize a good experience for 1 and let 2 opt-out of
> the "hand holding" defaults. But perhaps it's possible to make everyone
> happy.

You’ve convinced me.

That it’s opt-out sounds reasonable to me.  ‘--no-tls’ sounds reasonable
too as a name (I thought about ‘--no-x509-certificates’ but that’s
actually less accurate since there are the SSL_* variables in addition
to the certificates themselves).

I have some comments about the patch and I’d like others to weigh in too
before we commit this change.

Thank you!

Ludo’.


       reply	other threads:[~2024-09-15 21:40 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@freakingpenguin.com>
     [not found] ` <87jzfree6t.fsf@gnu.org>
     [not found]   ` <871q1zsbry.fsf@freakingpenguin.com>
2024-09-15 21:39     ` Ludovic Courtès [this message]
2024-09-16  0:04       ` [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers Ryan Prior via Guix-patches via

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=875xqwd2as.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=70314@debbugs.gnu.org \
    --cc=dev@jpoiret.xyz \
    --cc=guix-devel@gnu.org \
    --cc=guix@cbaines.net \
    --cc=me@tobias.gr \
    --cc=othacehe@gnu.org \
    --cc=rekado@elephly.net \
    --cc=richard@freakingpenguin.com \
    --cc=zimon.toutoune@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).