From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marius Bakke Subject: Re: `guix pull` over HTTPS Date: Wed, 01 Mar 2017 22:21:15 +0100 Message-ID: <87h93czoac.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> References: <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine> <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170228162919.GA10253@jasmine> <87mvd61cxv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87k28a11wt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87h93e0z4a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87efyi0ynv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <8760jt206c.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170301051420.GA11310@jasmine> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:48484) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cjBgX-0001R7-Bx for guix-devel@gnu.org; Wed, 01 Mar 2017 16:21:23 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cjBgU-0000qn-6Y for guix-devel@gnu.org; Wed, 01 Mar 2017 16:21:21 -0500 In-Reply-To: <20170301051420.GA11310@jasmine> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Leo Famulari writes: > On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote: >> Subject: [PATCH] pull: Default to HTTPS. >>=20 >> * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY paramete= r. >> (open-connection-for-uri): Adjust parameters to match. >> (http-fetch): Likewise. >> (url-fetch): Likewise. >> * guix/download.scm (download-to-store): Likewise. >> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS. >> (guix-pull): Verify against the store path of NSS-CERTS. > > When I don't have GnuTLS in my environment, it fails like this: > > Starting download of /tmp/guix-file.pSCYyI > From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz... > ;;; Failed to autoload make-session in (gnutls): > ;;; ERROR: missing interface for module (gnutls) > ERROR: In procedure module-lookup: Unbound variable: make-session > failed to download "/tmp/guix-file.pSCYyI" from "https://git.savannah.gnu= .org/cgit/guix.git/snapshot/master.tar.gz" > guix pull: error: failed to download up-to-date source, exiting > > Also, I think we should only use a default trust store when pulling from > %snapshot-url. Please try version 3 of the patch, where I tried to address these issues. It is also far simpler than the previous approaches. --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAli3O0sACgkQoqBt8qM6 VPpO+Af/Te8ebIBSn1EcLGoZ+PG2HzUv/gZh0swYqP6u01xJrVxBYHzi6dmabzUZ udsyltG9v3Sx60wFfwF8yNL1vIcYwYM1sKJjpw7dI10NKQ5v0iYuTrTsa/bGQW3/ 06Uu9aFcGYPIKRpa+MFGiWn8AdYMySmQRWOXOgUUUjzmO/+uIq0BoF4+kOpL3swK w4RAP0IOMR8ocKUF/XTwWk4ZsGDW/Vl/Fow6+Q1vas79LLsnBTQL14iu5o2czpZx tCRjSLQKui/4xoCb6OBB9+Jyni5yUVvCIJYVp7r0OZcerIxa2jsgkgs8XvxNohN/ 9ZDdoUusOoSUjzKCzvGVGO13IUH4bA== =zHIe -----END PGP SIGNATURE----- --=-=-=--