From: Richard Sent
To: Maxim Cournoyer
Cc: guix-devel
Subject: Re: Should we include nss-certs out of the box?
In-Reply-To: <874jciuxqq.fsf@gmail.com> (Maxim Cournoyer's message of "Wed, 03 Apr 2024 14:06:37 -0400")
References: <874jciuxqq.fsf@gmail.com>
Date: Mon, 08 Apr 2024 14:56:54 -0400
Message-ID: <87wmp7adjd.fsf@freakingpenguin.com>
I wonder if instead (or in addition to) a step should be added to the
default profile to symlink nss-certs to
/etc/ssl/certs/ca-certificates.crt?

Consider running $ guix shell rust:cargo nss-certs -CN -- cargo search ox.
On c9cd16c630 this will fail with

--8<---------------cut here---------------start------------->8---
    Updating crates.io index
error: download of config.json failed

Caused by:
  failed to download from `https://index.crates.io/config.json`

Caused by:
  [60] SSL peer certificate or SSH remote key was not OK (server certificate verification failed. CAfile: none CRLfile: none)
--8<---------------cut here---------------end--------------->8---

This is because /etc/ssl/certs doesn't exist in the shell's container. A
user could work around this by running in the shell:

--8<---------------cut here---------------start------------->8---
export SSL_CERT_FILE=$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt
--8<---------------cut here---------------end--------------->8---

but this complicates the handy $ guix shell ... -- syntax. The only
package that seems to escape this nonfunctional trap is git, because the
package definition explicitly sets a GIT_SSL_CAINFO search path
specification.

IMO, if we agree to add nss-certs to %base-packages, we should also set up
a /etc/ssl/certs symlink to %default-profile-hooks. It's very odd to see
`building CA certificate bundle...` printed to the console yet not be able
to use https except for git in shell containers. Power users will still be
able to override the normal behavior by setting the package-specific
environment variables. This change would just change the default state
from "nonfunctional" to "working".

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
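The message above describes two places a CA bundle can live inside a `guix shell -C` container (the system path the proposal would symlink, and the profile path under $GUIX_ENVIRONMENT used by the manual workaround) and two client variables that read it (SSL_CERT_FILE and GIT_SSL_CAINFO). The script below is an added example, not code from Richard Sent or from the Guix project: it probes those locations in order, verifies that the file is a non-empty PEM bundle (an empty or truncated bundle produces the same curl error 60 as a missing one), and exports both variables so curl-based and git-based tools agree on one trust store. The function names and the search order are this example's own assumptions; GUIX_ENVIRONMENT is the variable `guix shell` really sets.

```shell
#!/bin/sh
# Added example (not Guix project code): find a usable CA bundle inside a
# guix shell container and export the variables TLS clients honour.

# first_readable_bundle PATH...: print the first argument that is a readable,
# non-empty file containing at least one PEM certificate; print nothing and
# return 1 when none qualifies. Empty or truncated bundles are skipped on
# purpose, since they fail verification exactly like a missing one.
first_readable_bundle() {
    for candidate in "$@"; do
        if [ -r "$candidate" ] && [ -s "$candidate" ] \
           && grep -q -- '-----BEGIN CERTIFICATE-----' "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# resolve_ca_bundle: the search order assumed by this example.
#   1. the system bundle the proposal would provide via /etc/ssl/certs
#   2. the bundle of the profile exposed as $GUIX_ENVIRONMENT (the manual
#      workaround quoted in the message); "/nonexistent" keeps the path
#      harmless when the variable is unset outside a guix shell.
resolve_ca_bundle() {
    first_readable_bundle \
        /etc/ssl/certs/ca-certificates.crt \
        "${GUIX_ENVIRONMENT:-/nonexistent}/etc/ssl/certs/ca-certificates.crt"
}

# export_ca_env: export SSL_CERT_FILE (OpenSSL/curl-based clients such as
# cargo) and GIT_SSL_CAINFO (git) pointing at the same bundle. Returns 1
# with a diagnostic when no bundle is available, so callers can stop
# before a long command fails with "CAfile: none".
export_ca_env() {
    bundle=$(resolve_ca_bundle) || {
        echo "no CA bundle found; add nss-certs to the shell's packages" >&2
        return 1
    }
    export SSL_CERT_FILE="$bundle"
    export GIT_SSL_CAINFO="$bundle"
    return 0
}

# Usage inside the container (source the file so the exports persist):
#   . ./ca-env.sh && export_ca_env && cargo search ox
```

Sourcing the file rather than executing it is what makes the exports reach the shell that later runs cargo or git; the exit status of `export_ca_env` tells a wrapper script whether the container has any trust store at all.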