On Wed, Mar 01, 2017 at 10:20:00PM +0100, Marius Bakke wrote: > * guix/scripts/pull.scm (%snapshot-url): Use HTTPS. > (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate. Nice! It works without GnuTLS in $PATH and an unset $SSL_CERT_DIR :) By the way, the only thing I'm waiting for before submitting an le-certs package is one more person to check that they can reproduce the certificates that would be provided by the le-certs package, as requested here: http://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html > (define %snapshot-url > ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download" > - "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" > + "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" > ) > + (define (use-le-certs? url) > + (string=? url %snapshot-url)) I thought about it, and we should probably relax this, to match "https://git.savannah.gnu.org/cgit/guix.git", so that everything would work in cases like this... $ guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/v0.12.0.tar.gz ... and for future cases when `guix pull` may use Git. > + (define (fetch-tarball store url) > + (download-to-store store url "guix-latest.tar.gz")) > + > (with-error-handling > (let* ((opts (parse-options)) > (store (open-connection)) > (url (assoc-ref opts 'tarball-url))) > - (let ((tarball (download-to-store store url "guix-latest.tar.gz"))) > + (let ((tarball (if (use-gnutls? url) > + (begin > + ;; Add GnuTLS to inputs and load path. > + (set! %load-path > + (cons (string-append (package-output store gnutls) > + "/share/guile/site/" > + (effective-version)) > + %load-path)) > + (if (use-le-certs? url) > + (parameterize ((%x509-certificate-directory > + (string-append (package-output store nss-certs) > + "/etc/ssl/certs"))) > + (fetch-tarball store url)) > + (fetch-tarball store url))) > + (fetch-tarball store url)))) I hope some more seasoned Schemers will offer their review :)