From: Ludovic Courtès
To: Maxim Cournoyer
Cc: guix-devel
Subject: Re: Should we include nss-certs out of the box?
In-Reply-To: <874jciuxqq.fsf@gmail.com> (Maxim Cournoyer's message of "Wed, 03 Apr 2024 14:06:37 -0400")
Date: Wed, 10 Apr 2024 16:50:39 +0200
Message-ID: <87il0pjmps.fsf@gnu.org>

Hi,

Maxim Cournoyer wrote:

> It's been Guix policy to let people choose whether to install or not TLS
> root certificates and which one to their machine. While I applaud the
> idea to have the users make a conscious decision about it, in practice I
> suppose very few of us choose to *not* install any as that basically
> breaks using web browsers, especially ones like IceCat which (by
> default) ensures HTTPS is used on every page.

Right.

> It apparently even makes it impossible to run 'guix pull', if I am to
> believe bug#62026.

I don’t think that’s the case: see use of ‘le-certs’ in (guix scripts pull).

> Should we do as in bug#62026 and have this package be part of the
> recommended basic installation? It'd be in the basic set of an
> operating-system packages (via its default %base-packages set). It
> could still be manipulated via the Guix API (filtered out/replaced with
> something else).
>
> Is anyone opposed to having nss-certs in %base-packages?

No objection from me. I’m partly responsible for the initial choice to
not include nss-certs by default, but as you write, most likely everyone
installs it these days.

Note that we’ll also need to remove that choice from the installer in
(gnu installer services).

Thanks!

Ludo’.