From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: `guix pull` over HTTPS
Date: Fri, 10 Feb 2017 16:33:43 +0100
Message-ID: <87fujmcb6w.fsf@gnu.org>
In-Reply-To: <20170210003054.GA12412@jasmine> (Leo Famulari's message of "Fri, 10 Feb 2017 01:30:54 +0100")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote:
>> Does anyone have any specific concerns or advice about changing the
>> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
>> Should the change be that simple, or should we do more?
>
> While testing, I realized that an X.509 certificate store is not a
> standard feature of GuixSD, so using Savannah's HTTPS URL will not work
> in all cases.
>
> SSL_CERT_FILE and SSL_CERT_DIR appear to be set unconditionally in (gnu
> system operating-system-environment-variables), so it's not enough to
> test that they are set in order to decide which protocol to download the
> Guix source code with.
>
> Any advice on how to proceed?
Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or
anything like that, on the grounds that the whole X.509 CA story is
completely broken IMO. I wonder if we should revisit that, on the
grounds that “it’s better than nothing.”

The next question is what to do with foreign distros, and whether we
should bundle ‘nss-certs’ in the binary tarball, which is not exciting.

Alternately we could have a package that provides only the Let’s Encrypt
certificate chain, if that’s what Savannah uses.

Thoughts?

Ludo’.
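The point raised above is that SSL_CERT_FILE and SSL_CERT_DIR being set says nothing about whether a CA store is actually installed, so a client that keys its HTTP-versus-HTTPS decision on the variables alone will pick HTTPS on a system where every TLS handshake then fails verification. The following POSIX shell script is an added example, not code from the Guix project or from either poster: it shows the check a practitioner would actually want, namely testing that the file or directory the variables point at exists and holds at least one PEM certificate. The function names (ca_store_usable, pick_scheme, demo) and the fixture paths it creates under mktemp are my own constructions, and the "certificate" it writes is a placeholder with PEM markers only, not a real certificate.

```shell
#!/bin/sh
# Added example (not Guix's own code): decide whether an HTTPS download can be
# verified by checking that the advertised X.509 store really exists, instead
# of only testing whether SSL_CERT_FILE / SSL_CERT_DIR are set.

# ca_store_usable FILE DIR
# Returns 0 when FILE is a readable PEM bundle with at least one certificate,
# or DIR is a directory containing at least one .pem file or OpenSSL-style
# hashed link (<hash>.0). Returns 1 otherwise. Empty arguments are allowed.
ca_store_usable() {
    cert_file=$1
    cert_dir=$2
    if [ -n "$cert_file" ] && [ -r "$cert_file" ] \
       && grep -q -- '-----BEGIN CERTIFICATE-----' "$cert_file"; then
        return 0
    fi
    if [ -n "$cert_dir" ] && [ -d "$cert_dir" ]; then
        for f in "$cert_dir"/*.pem "$cert_dir"/*.0; do
            # An unmatched glob leaves the literal pattern, which is not readable.
            [ -r "$f" ] && return 0
        done
    fi
    return 1
}

# pick_scheme FILE DIR
# Prints "https" when a usable store is present, "http" otherwise. This mirrors
# the protocol choice discussed in the thread; it is a constructed helper.
pick_scheme() {
    if ca_store_usable "$1" "$2"; then
        echo https
    else
        echo http
    fi
}

# demo: constructed fixtures showing why "variable is set" is the wrong test.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/empty-certs"
    # Placeholder bundle: PEM markers only, not a real certificate.
    printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n' \
        > "$tmp/ca-certificates.crt"

    # Both variables "set", but pointing at a missing file and an empty dir.
    echo "dangling file + empty dir -> $(pick_scheme "$tmp/missing.crt" "$tmp/empty-certs")"
    # A bundle that actually contains a certificate.
    echo "readable bundle          -> $(pick_scheme "$tmp/ca-certificates.crt" "$tmp/empty-certs")"
    rm -r "$tmp"
}

demo
```

The first demo line prints "http" even though both variables are non-empty, which is exactly the situation the thread describes on a GuixSD system without nss-certs. Note that silently falling back to plain HTTP gives up server authentication entirely; whether that fallback is acceptable, or whether the store should simply be made available, is the policy question the thread is debating.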