[PATCH 0/1] Another Let's Encrypt client

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

* [PATCH 0/1] Another Let's Encrypt client
@ 2016-09-02 14:49 Leo Famulari
  2016-09-02 14:49 ` [PATCH 1/1] gnu: Add acme-client Leo Famulari
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-09-02 14:49 UTC (permalink / raw)
  To: guix-devel

I have been looking at this Let's Encrypt client for a little while. It
was just merged into the OpenBSD base system, and had its name changed
from 'letskencrypt' to the generic 'acme-client'. The name might be too 
generic; I found at least 4 different programs with this name.

https://kristaps.bsd.lv/acme-client/

Some attempt has been made to reduce the risks inherent to running the 
program as root, as described on the home page.

And, I did a minimal test: I was able to get a new certificate.

Leo Famulari (1):
  gnu: Add acme-client.

 gnu/packages/tls.scm | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

-- 
2.9.3

^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 1/1] gnu: Add acme-client.
  2016-09-02 14:49 [PATCH 0/1] Another Let's Encrypt client Leo Famulari
@ 2016-09-02 14:49 ` Leo Famulari
  2016-09-02 18:01   ` Hartmut Goebel
  2016-09-12 17:06   ` Leo Famulari
  0 siblings, 2 replies; 14+ messages in thread
From: Leo Famulari @ 2016-09-02 14:49 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/tls.scm (acme-client): New variable.
---
 gnu/packages/tls.scm | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 4b87150..eeb15ca 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -34,6 +34,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages)
   #:use-module (gnu packages guile)
+  #:use-module (gnu packages libbsd)
   #:use-module (gnu packages libffi)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages linux)
@@ -619,3 +620,37 @@ arithmetic in Perl.")
   (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
 number generator")
   (license (package-license perl))))
+
+(define-public acme-client
+  (package
+    (name "acme-client")
+    (version "0.1.11")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://kristaps.bsd.lv/" name "/"
+                                  "snapshots/" name "-portable-"
+                                  version ".tgz"))
+              (sha256
+               (base32
+                "09pipyfk448gxqr7ci56gsq5la8wlydv7wwn9wk0zgjxmlh7h6fb"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:tests? #f ; no test suite
+       #:make-flags
+       (list "CC=gcc"
+             (string-append "PREFIX=" (assoc-ref %outputs "out")))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)))) ; no './configure' script
+    (inputs
+     `(("libbsd" ,libbsd)
+       ("libressl" ,libressl)))
+    (synopsis "Let's Encrypt client")
+    (description "acme-client is a Let's Encrypt client implemented in C.  It
+uses a modular design, and attempts to secure itself by dropping privileges and
+operating in a chroot where possible.  acme-client is developed on OpenBSD and
+then ported to the GNU / Linux environment.")
+    (home-page "https://kristaps.bsd.lv/acme-client/")
+    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
+    ;; and 'jsmn.c' are distributed under the Expat license.
+    (license (list license:isc license:expat))))
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-02 14:49 ` [PATCH 1/1] gnu: Add acme-client Leo Famulari
@ 2016-09-02 18:01   ` Hartmut Goebel
  2016-09-02 18:50     ` Leo Famulari
  2016-09-12 17:06   ` Leo Famulari
  1 sibling, 1 reply; 14+ messages in thread
From: Hartmut Goebel @ 2016-09-02 18:01 UTC (permalink / raw)
  To: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 1161 bytes --]

Am 02.09.2016 um 16:49 schrieb Leo Famulari:
> +    (name "acme-client")

I strongly suggest using a different name, as this is *one* of many
implementations and it is not the "official" one.

> +    (synopsis "Let's Encrypt client")

The synopsis should already state, this is *one* of the acme-clients.
Something like "Let's Encrypt client  used as standard at OpenBSD" is
more meaningful.
> +    (description "acme-client is a Let's Encrypt client implemented in C.  It
> +uses a modular design, and attempts to secure itself by dropping privileges and

*shiver* Why would one implement this in an language like C, which is
prone to buffer overflows, if there are implementations available in
more secure languages?


-- 
Schönen Gruß
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software
Development

Goebel Consult, Landshut
http://www.goebel-consult.de

Blog:
http://www.goebel-consult.de/blog/filmgesprach-zu-201ecitizenfour201c-in-herrsching

Kolumne: http://www.cissp-gefluester.de/2010-06-adobe-und-der-maiszunsler


[-- Attachment #1.2: Type: text/html, Size: 2740 bytes --]

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 2430 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-02 18:01   ` Hartmut Goebel
@ 2016-09-02 18:50     ` Leo Famulari
  2016-09-02 18:58       ` Leo Famulari
                         ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Leo Famulari @ 2016-09-02 18:50 UTC (permalink / raw)
  To: Hartmut Goebel; +Cc: guix-devel

On Fri, Sep 02, 2016 at 08:01:55PM +0200, Hartmut Goebel wrote:
> Am 02.09.2016 um 16:49 schrieb Leo Famulari:
> > +    (name "acme-client")
> 
> I strongly suggest using a different name, as this is *one* of many
> implementations and it is not the "official" one.

Suggestions?

> *shiver* Why would one implement this in an language like C, which is
> prone to buffer overflows, if there are implementations available in
> more secure languages?

I wouldn't propose this package if it wasn't part of OpenBSD's base
system:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/acme-client/

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-02 18:50     ` Leo Famulari
@ 2016-09-02 18:58       ` Leo Famulari
  2016-09-03  7:43       ` Hartmut Goebel
  2016-09-03 10:04       ` Andreas Enge
  2 siblings, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2016-09-02 18:58 UTC (permalink / raw)
  To: Hartmut Goebel; +Cc: guix-devel

On Fri, Sep 02, 2016 at 02:50:28PM -0400, Leo Famulari wrote:
> > *shiver* Why would one implement this in an language like C, which is
> > prone to buffer overflows, if there are implementations available in
> > more secure languages?
> 
> I wouldn't propose this package if it wasn't part of OpenBSD's base
> system:
> 
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/acme-client/

To clarify my statement, I think the OpenBSD project has a reputation
for writing good C. Also they design software to fail safely, by
designing privilege separation into their tools, inventing and using
pledge(2), etc.

This portable version of the software only gets some of those benefits,
but it does get some of them.

That's I didn't propose this package until I saw that it had been
reviewed and adopted by OpenBSD.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-02 18:50     ` Leo Famulari
  2016-09-02 18:58       ` Leo Famulari
@ 2016-09-03  7:43       ` Hartmut Goebel
  2016-09-03 10:04       ` Andreas Enge
  2 siblings, 0 replies; 14+ messages in thread
From: Hartmut Goebel @ 2016-09-03  7:43 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1.1: Type: text/plain, Size: 1684 bytes --]

Am 02.09.2016 um 20:50 schrieb Leo Famulari:
> On Fri, Sep 02, 2016 at 08:01:55PM +0200, Hartmut Goebel wrote:
>> Am 02.09.2016 um 16:49 schrieb Leo Famulari:
>>> +    (name "acme-client")
>>>
> Suggestions?

acme-client-openbsd? But given that this is a stupid name, and given
that
https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/
does not list a program with this name, may we should stick with the
official name.

>
>> *shiver* Why would one implement this in an language like C, which is
>> prone to buffer overflows, if there are implementations available in
>> more secure languages?
> I wouldn't propose this package if it wasn't part of OpenBSD's base
> system:

I'm sorry, no offence meant! I only wanted do express my doubt about
using C if other implementations are available. (I just had a look at
the source, which did not make me more confident in this piece of
software; as far as can see they implement a  a http-client from stretch
and include a json-parse instead of linking one.) I also know, OpenBSD
delivers good software.

It's not our job to decide what software a sysadmin should install. It's
the sysadmin's responsibility. Our job as distribution-builders is to 
provide software to the sysadmin.

-- 
Schönen Gruß
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software
Development

Goebel Consult, Landshut
http://www.goebel-consult.de

Blog: http://www.goebel-consult.de/blog/verschlusselte-mailingslisten
Kolumne: http://www.cissp-gefluester.de/2010-07-passwoerter-lieben-lernen

[-- Attachment #1.2: Type: text/html, Size: 3389 bytes --]

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 2430 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-02 18:50     ` Leo Famulari
  2016-09-02 18:58       ` Leo Famulari
  2016-09-03  7:43       ` Hartmut Goebel
@ 2016-09-03 10:04       ` Andreas Enge
  2016-09-03 10:32         ` Marius Bakke
  2016-09-04  2:29         ` Leo Famulari
  2 siblings, 2 replies; 14+ messages in thread
From: Andreas Enge @ 2016-09-03 10:04 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel, Hartmut Goebel

On Fri, Sep 02, 2016 at 02:50:28PM -0400, Leo Famulari wrote:
> On Fri, Sep 02, 2016 at 08:01:55PM +0200, Hartmut Goebel wrote:
> > Am 02.09.2016 um 16:49 schrieb Leo Famulari:
> > > +    (name "acme-client")
> > I strongly suggest using a different name, as this is *one* of many
> > implementations and it is not the "official" one.
> Suggestions?

Is there other reasonably widely used software with this name? Our package
guidelines say to use the upstream name.

Andreas

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-03 10:04       ` Andreas Enge
@ 2016-09-03 10:32         ` Marius Bakke
  2016-09-04  2:43           ` Leo Famulari
  2016-09-04  2:29         ` Leo Famulari
  1 sibling, 1 reply; 14+ messages in thread
From: Marius Bakke @ 2016-09-03 10:32 UTC (permalink / raw)
  To: Andreas Enge, Leo Famulari; +Cc: guix-devel, Hartmut Goebel

Andreas Enge <andreas@enge.fr> writes:

> On Fri, Sep 02, 2016 at 02:50:28PM -0400, Leo Famulari wrote:
>> On Fri, Sep 02, 2016 at 08:01:55PM +0200, Hartmut Goebel wrote:
>> > Am 02.09.2016 um 16:49 schrieb Leo Famulari:
>> > > +    (name "acme-client")
>> > I strongly suggest using a different name, as this is *one* of many
>> > implementations and it is not the "official" one.
>> Suggestions?
>
> Is there other reasonably widely used software with this name? Our package
> guidelines say to use the upstream name.

I don't know about widely used, but searching "acme-client" on github
shows four projects with this name, neither of which is this package.

Many distros prefix OpenBSD projects with ambigous names with
"openbsd-". E.g. "openbsd-netcat", "openbsd-ntpd" etc. We don't appear
to have that problem yet, but I think this could be a good precedent.

-marius

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-03 10:32         ` Marius Bakke
@ 2016-09-04  2:43           ` Leo Famulari
  2016-09-04  5:12             ` Marius Bakke
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-09-04  2:43 UTC (permalink / raw)
  To: Marius Bakke; +Cc: guix-devel, Hartmut Goebel

On Sat, Sep 03, 2016 at 11:32:20AM +0100, Marius Bakke wrote:
> Many distros prefix OpenBSD projects with ambigous names with
> "openbsd-". E.g. "openbsd-netcat", "openbsd-ntpd" etc. We don't appear
> to have that problem yet, but I think this could be a good precedent.

Is "openbsd-ntpd" the same thing as OpenNTPD? [0]

As for openbsd-netcat, this was discussed on guix-devel recently, and we
learned that OpenBSD does not provide a portable release of their netcat
client. I don't think it would be appropriate for us to re-package
Debian's unmaintained port of this software. [1]

I looked at `apt-cache search openbsd`, which searches my Debian package
cache for packages related to OpenBSD. I *think* that there isn't
anything packaged with an "openbsd-" name that OpenBSD offers a portable
release of, but I'm not sure about openbsd-inetd.

On the other hand, they explicitly provide portable releases of things
like OpenNTPD, OpenSSH, LibreSSL, and now acme-client.

They really pushed the issue with this "acme-client". Maybe they should
have kept the old name, letskencrypt, for the sake of all the GNU /
Linux distros :)

[0]
http://www.openntpd.org/

[1]
http://lists.gnu.org/archive/html/guix-devel/2016-07/msg00084.html

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-04  2:43           ` Leo Famulari
@ 2016-09-04  5:12             ` Marius Bakke
  0 siblings, 0 replies; 14+ messages in thread
From: Marius Bakke @ 2016-09-04  5:12 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel, Hartmut Goebel

Leo Famulari <leo@famulari.name> writes:

> On Sat, Sep 03, 2016 at 11:32:20AM +0100, Marius Bakke wrote:
>> Many distros prefix OpenBSD projects with ambigous names with
>> "openbsd-". E.g. "openbsd-netcat", "openbsd-ntpd" etc. We don't appear
>> to have that problem yet, but I think this could be a good precedent.
>
> Is "openbsd-ntpd" the same thing as OpenNTPD? [0]
>
> As for openbsd-netcat, this was discussed on guix-devel recently, and we
> learned that OpenBSD does not provide a portable release of their netcat
> client. I don't think it would be appropriate for us to re-package
> Debian's unmaintained port of this software. [1]
>
> I looked at `apt-cache search openbsd`, which searches my Debian package
> cache for packages related to OpenBSD. I *think* that there isn't
> anything packaged with an "openbsd-" name that OpenBSD offers a portable
> release of, but I'm not sure about openbsd-inetd.
>
> On the other hand, they explicitly provide portable releases of things
> like OpenNTPD, OpenSSH, LibreSSL, and now acme-client.

You are right, of course. I could have sworn there were more. And I even
use OpenNTPD on many systems..

The other acme-client projects seems to be mostly library
implementations with a CLI frontend and are likely to end up as
"ruby-acme-client" or similar in the tree. So "acme-client" should be
perfectly fine. If anything we'll get to have a new bikeshedding round
if another popular client with the same name comes around. :)

~marius

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-03 10:04       ` Andreas Enge
  2016-09-03 10:32         ` Marius Bakke
@ 2016-09-04  2:29         ` Leo Famulari
  2016-09-11 12:42           ` Andreas Enge
  1 sibling, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-09-04  2:29 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel, Hartmut Goebel

On Sat, Sep 03, 2016 at 12:04:13PM +0200, Andreas Enge wrote:
> Is there other reasonably widely used software with this name? Our package
> guidelines say to use the upstream name.

Here is what I found:

https://github.com/kristapsdz/acme-client
The program I have proposed to package.

https://github.com/unixcharles/acme-client
Written in Ruby. Appears active.

https://github.com/kelunik/acme-client
Written in PHP. Appears active.

https://github.com/zero11it/acme-client
Written in Java. No recent activity and only 8 commits to the Git repo.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-04  2:29         ` Leo Famulari
@ 2016-09-11 12:42           ` Andreas Enge
  2016-09-11 12:57             ` Hartmut Goebel
  0 siblings, 1 reply; 14+ messages in thread
From: Andreas Enge @ 2016-09-11 12:42 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel, Hartmut Goebel

On Sat, Sep 03, 2016 at 10:29:12PM -0400, Leo Famulari wrote:
> On Sat, Sep 03, 2016 at 12:04:13PM +0200, Andreas Enge wrote:
> > Is there other reasonably widely used software with this name? Our package
> > guidelines say to use the upstream name.
> 
> Here is what I found:
> 
> https://github.com/kristapsdz/acme-client
> The program I have proposed to package.
> 
> https://github.com/unixcharles/acme-client
> Written in Ruby. Appears active.
> 
> https://github.com/kelunik/acme-client
> Written in PHP. Appears active.
> 
> https://github.com/zero11it/acme-client
> Written in Java. No recent activity and only 8 commits to the Git repo.

Maybe one solution would be to call the first program "acme-client",
and, if it ever gets packaged, the second one "ruby-acme-client" and so on?

Andreas

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-11 12:42           ` Andreas Enge
@ 2016-09-11 12:57             ` Hartmut Goebel
  0 siblings, 0 replies; 14+ messages in thread
From: Hartmut Goebel @ 2016-09-11 12:57 UTC (permalink / raw)
  To: guix-devel

Am 11.09.2016 um 14:42 schrieb Andreas Enge:
> Maybe one solution would be to call the first program "acme-client",
> and, if it ever gets packaged, the second one "ruby-acme-client" and so on?

This sound good to me.

-- 
Regards
Hartmut Goebel

| Hartmut Goebel          | h.goebel@crazy-compilers.com               |
| www.crazy-compilers.com | compilers which you thought are impossible |

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH 1/1] gnu: Add acme-client.
  2016-09-02 14:49 ` [PATCH 1/1] gnu: Add acme-client Leo Famulari
  2016-09-02 18:01   ` Hartmut Goebel
@ 2016-09-12 17:06   ` Leo Famulari
  1 sibling, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2016-09-12 17:06 UTC (permalink / raw)
  To: guix-devel

On Fri, Sep 02, 2016 at 10:49:38AM -0400, Leo Famulari wrote:
> * gnu/packages/tls.scm (acme-client): New variable.

Thanks for the feedback, everyone. Pushed as
0581c273a4d5171a477d89f109c46d7ab3691429, with a followup commit that
adds some detail to certbot's synopsis.

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2016-09-12 17:07 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-02 14:49 [PATCH 0/1] Another Let's Encrypt client Leo Famulari
2016-09-02 14:49 ` [PATCH 1/1] gnu: Add acme-client Leo Famulari
2016-09-02 18:01   ` Hartmut Goebel
2016-09-02 18:50     ` Leo Famulari
2016-09-02 18:58       ` Leo Famulari
2016-09-03  7:43       ` Hartmut Goebel
2016-09-03 10:04       ` Andreas Enge
2016-09-03 10:32         ` Marius Bakke
2016-09-04  2:43           ` Leo Famulari
2016-09-04  5:12             ` Marius Bakke
2016-09-04  2:29         ` Leo Famulari
2016-09-11 12:42           ` Andreas Enge
2016-09-11 12:57             ` Hartmut Goebel
2016-09-12 17:06   ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).