From: Marius Bakke
Subject: Re: `guix pull` over HTTPS
Date: Mon, 06 Mar 2017 13:27:47 +0100
Message-ID: <87mvcy614s.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <87mvcywwh6.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Ludovic Courtès writes:

> Hi!
>
> Marius Bakke skribis:
>
>> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Tue, 28 Feb 2017 22:34:29 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
>> search string for certificates.
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Verify against the store path of NSS-CERTS.
>> ---
>>  guix/build/download.scm | 7 +++++--
>>  guix/scripts/pull.scm   | 8 ++++++--
>>  2 files changed, 11 insertions(+), 4 deletions(-)
>>
>> diff --git a/guix/build/download.scm b/guix/build/download.scm
>> index 203338b52..88da1776f 100644
>> --- a/guix/build/download.scm
>> +++ b/guix/build/download.scm
>> @@ -342,13 +342,16 @@ way."
>>  
>>  (define* (tls-wrap port server #:key (verify-certificate? #t))
>>    "Return PORT wrapped in a TLS connection to SERVER. SERVER must be a DNS
>> -host name without trailing dot."
>> +host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it is
>> +assumed to be the search path for TLS certificates passed to gnutls."
>>    (define (log level str)
>>      (format (current-error-port)
>>              "gnutls: [~a|~a] ~a" (getpid) level str))
>>  
>>    (let ((session (make-session connection-end/client))
>> -        (ca-certs (%x509-certificate-directory)))
>> +        (ca-certs (if (string? verify-certificate?)
>> +                      verify-certificate?
>> +                      (%x509-certificate-directory))))
>
> Nitpick: I would prefer to use a different argument for the certificate
> directory. Something like this:
>
>   (define* (tls-wrap port server #:key (verify-certificate? #t)
>                      (certificate-directory
>                       (%x509-certificate-directory)))
>     …)
>
> Also the ‘guix pull’ part should be a separate patch.
>
> Great work, thank you!

Hello! Please see https://debbugs.gnu.org/cgi/bugreport.cgi?bug=25975 ...
for the latest version of this patch.
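Review bot: In the `tls-wrap` hunk, overloading `#:verify-certificate?` to carry either a boolean or a certificate directory makes the string case hard to reason about: a string is truthy in Scheme, so `(string? verify-certificate?)` is the only thing separating "verify against this directory" from "verify against the default directory", and the new `if` accepts any string, including an empty or mistyped path, with no check that it names an existing directory. A separate keyword such as `#:certificate-directory (%x509-certificate-directory)` keeps the on/off switch and the trust-store location independent, so a caller like `guix pull` can point at the NSS-CERTS store path without touching the verification flag. The docstring and the commit message also disagree on what the string is ("search path for TLS certificates" versus "search string for certificates"); since `%x509-certificate-directory` yields a single directory, "directory" is the accurate word in both.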