* bug#30619: Cuirass requires TLS certificates
From: Andreas Enge @ 2018-02-26 20:51 UTC (permalink / raw)
To: 30619
Hello,
the cuirass service requires TLS certificates to do continuous integration
of guix (or more generally, git repositories served over https). This works
when nss-certs is installed as a global package in the system.
Should the service depend on the nss-certs package? Or maybe take as an
optional configuration parameter a certificate package?
Andreas
* bug#30619: Cuirass requires TLS certificates
From: Ludovic Courtès @ 2018-02-27 16:00 UTC (permalink / raw)
To: Andreas Enge; +Cc: 30619
Andreas Enge <andreas@enge.fr> wrote:
> the cuirass service requires TLS certificates to do continuous integration
> of guix (or more generally, git repositories served over https). This works
> when nss-certs is installed as a global package in the system.
>
> Should the service depend on the nss-certs package? Or maybe take as an
> optional configuration parameter a certificate package?
I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
That would make it self-contained.
That’s currently not possible though because this certificate bundle is
built as a profile hook. We would first need to export the procedure
that creates bundles, possibly by moving it to a new (guix
x509-certificates) module.
Thoughts?
Ludo’.
* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2021-09-16 7:33 UTC (permalink / raw)
To: Ludovic Courtès, Mathieu Othacehe; +Cc: 30619
Hi,
On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
> Andreas Enge <andreas@enge.fr> wrote:
>
>> the cuirass service requires TLS certificates to do continuous integration
>> of guix (or more generally, git repositories served over https). This works
>> when nss-certs is installed as a global package in the system.
>>
>> Should the service depend on the nss-certs package? Or maybe take as an
>> optional configuration parameter a certificate package?
>
> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
> That would make it self-contained.
>
> That’s currently not possible though because this certificate bundle is
> built as a profile hook. We would first need to export the procedure
> that creates bundles, possibly by moving it to a new (guix
> x509-certificates) module.
What is the status of this old bug [1]? Well, if it is not fixed yet,
it seems a forgotten bug. :-)
1: <http://issues.guix.gnu.org/issue/30619>
Cheers,
simon
* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2021-10-12 21:57 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Mathieu Othacehe, 30619
Hi,
On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>> Andreas Enge <andreas@enge.fr> wrote:
>>
>>> the cuirass service requires TLS certificates to do continuous integration
>>> of guix (or more generally, git repositories served over https). This works
>>> when nss-certs is installed as a global package in the system.
>>>
>>> Should the service depend on the nss-certs package? Or maybe take as an
>>> optional configuration parameter a certificate package?
>>
>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>> That would make it self-contained.
>>
>> That’s currently not possible though because this certificate bundle is
>> built as a profile hook. We would first need to export the procedure
>> that creates bundles, possibly by moving it to a new (guix
>> x509-certificates) module.
>
> What is the status of this old bug [1]? Well, if it is not fixed yet,
> it seems a forgotten bug. :-)
>
> 1: <http://issues.guix.gnu.org/issue/30619>
From my understanding, this old bug could be closed. But I am not sure
to get it right about this TLS story. So closing?
Cheers,
simon
* bug#30619: Cuirass requires TLS certificates
From: Ludovic Courtès @ 2021-10-15 15:20 UTC (permalink / raw)
To: zimoun; +Cc: Mathieu Othacehe, 30619
Hi,
zimoun <zimon.toutoune@gmail.com> wrote:
> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>>> Andreas Enge <andreas@enge.fr> wrote:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook. We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]? Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed. But I am not sure
> to get it right about this TLS story. So closing?
The Cuirass Shepherd service still does:

  #:environment-variables
  (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

which means that users still need to install certificates globally.
Now, whether it’s an issue, I don’t know.
Maybe we can close?
Thanks,
Ludo’.
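
A preflight check for the situation described in the message above, as an added example that is not part of the original thread or of Cuirass: it reads GIT_SSL_CAINFO from a service's environment list and reports whether the bundle it names is present and structurally a PEM bundle (a missing file or dangling symlink is what a system without globally installed certificates shows). The function names and the constructed placeholder bundle are assumptions; no signature, expiry or trust validation is performed.

```python
import base64
import os
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def cainfo_from_environment(variables):
    """Return GIT_SSL_CAINFO from a list of "NAME=value" strings, or None."""
    pairs = dict(entry.split("=", 1) for entry in variables if "=" in entry)
    return pairs.get("GIT_SSL_CAINFO")

def check_ca_bundle(variables):
    """Return "unset", "missing", "empty", "corrupt" or "ok" for the bundle."""
    path = cainfo_from_environment(variables)
    if path is None:
        return "unset"
    if not os.path.isfile(path):  # also true for a dangling symlink
        return "missing"
    with open(path, encoding="ascii", errors="replace") as handle:
        blocks = PEM_BLOCK.findall(handle.read())
    if not blocks:
        return "empty"
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "corrupt"
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            return "corrupt"
    return "ok"

def demo():
    """Check constructed bundles (placeholder bytes, not real CA certificates)."""
    fake = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{fake}\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "ca-certificates.crt")
        with open(good, "w") as handle:
            handle.write(pem)
        absent = os.path.join(root, "not-installed.crt")
        return {"present": check_ca_bundle([f"GIT_SSL_CAINFO={good}"]),
                "absent": check_ca_bundle([f"GIT_SSL_CAINFO={absent}"]),
                "unset": check_ca_bundle(["HOME=/tmp"])}

if __name__ == "__main__":
    print(demo())
```
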
* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2021-11-26 1:38 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
Hi,
On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> zimoun <zimon.toutoune@gmail.com> wrote:
>> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
> The Cuirass Shepherd service still does:
>
> #:environment-variables
> (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>
> which means that users still need to install certificates globally.
>
> Now, whether it’s an issue, I don’t know.
>
> Maybe we can close?
I propose to close since I do not see what could be the next action.
1: <http://issues.guix.gnu.org/issue/30619>
Cheers,
simon
* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2021-11-26 6:28 UTC (permalink / raw)
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
zimoun wrote on Fri 26-11-2021 at 02:38 [+0100]:
> Hi,
>
> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > zimoun <zimon.toutoune@gmail.com> wrote:
> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > wrote:
> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > > > wrote:
>
> > The Cuirass Shepherd service still does:
> >
> > #:environment-variables
> > (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
> >
> > which means that users still need to install certificates globally.
> >
> > Now, whether it’s an issue, I don’t know.
> >
> > Maybe we can close?
>
> I propose to close since I do not see what could be the next action.
>
> 1: <http://issues.guix.gnu.org/issue/30619>
The next action would be splitting of the bundle generation from the
profile code, and adding a ‘certificates’ field defaulting to
nss-certs, as Ludo seemed to suggest.
This could be useful if the server the channel repositories are on uses
self-signed certificates (are git repositories of channels over https
the reason cuirass requires TLS certificates).
Greetings,
Maxime
* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2021-11-26 6:31 UTC (permalink / raw)
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
Maxime Devos wrote on Fri 26-11-2021 at 06:28 [+0000]:
> [...]
> This could be useful if the server the channel repositories are on
> uses self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).
This was meant to be:
‘This could be useful if the server the channel repositories are on
uses self-signed certificates (are git repositories of channels over
https the reason cuirass requires TLS certificates?).’
* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2021-11-26 6:32 UTC (permalink / raw)
To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619
Maxime Devos wrote on Fri 26-11-2021 at 06:28 [+0000]:
> This could be useful if the server the channel repositories are on
> uses self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).
Oops, this argument doesn't have much value, because those certificates
might as well be added to the system profile.
* bug#30619: Cuirass requires TLS certificates
From: zimoun @ 2022-01-04 23:09 UTC (permalink / raw)
To: Maxime Devos; +Cc: Mathieu Othacehe, 30619, Andreas Enge
Hi Maxime.
On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> zimoun wrote on Fri 26-11-2021 at 02:38 [+0100]:
>> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
>> > zimoun <zimon.toutoune@gmail.com> wrote:
>> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
>> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
>>
>> > The Cuirass Shepherd service still does:
>> >
>> > #:environment-variables
>> > (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>> >
>> > which means that users still need to install certificates globally.
>> >
>> > Now, whether it’s an issue, I don’t know.
>> >
>> > Maybe we can close?
>>
>> I propose to close since I do not see what could be the next action.
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> The next action would be splitting of the bundle generation from the
> profile code, and adding a ‘certificates’ field defaulting to
> nss-certs, as Ludo seemed to suggest.
Do you have an idea how to implement this suggestion? Otherwise, I
think closing is reasonable. :-)
Cheers,
simon
* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2022-01-05 9:53 UTC (permalink / raw)
To: zimoun; +Cc: Mathieu Othacehe, 30619, Andreas Enge
zimoun wrote on Wed 05-01-2022 at 00:09 [+0100]:
> Hi Maxime.
>
> On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:
> > zimoun wrote on Fri 26-11-2021 at 02:38 [+0100]:
> > > On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > > > zimoun <zimon.toutoune@gmail.com> wrote:
> > > > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > >
> > > > The Cuirass Shepherd service still does:
> > > >
> > > > #:environment-variables
> > > > (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
> > > >
> > > > which means that users still need to install certificates globally.
> > > >
> > > > Now, whether it’s an issue, I don’t know.
> > > >
> > > > Maybe we can close?
> > >
> > > I propose to close since I do not see what could be the next action.
> > >
> > > 1: <http://issues.guix.gnu.org/issue/30619>
> >
> > The next action would be splitting of the bundle generation from the
> > profile code, and adding a ‘certificates’ field defaulting to
> > nss-certs, as Ludo seemed to suggest.
>
> Do you have an idea how to implement this suggestion? Otherwise, I
> think closing is reasonable. :-)
That suggestion (+ Ludovic's suggestion of a
(guix x509-certificates) module) was my suggested implementation, it
just needs to be translated from a description in English to an actual
patch.
Anyway, I don't think closing is reasonable, because the bug
(certificates need to be installed globally) still exists, and it
is actionable (there's even a suggested implementation),
so a sufficiently motivated party (not me currently) could address the
issue.
Greetings,
Maxime.
* bug#30619: Cuirass requires TLS certificates
From: Maxime Devos @ 2022-01-21 10:44 UTC (permalink / raw)
To: zimoun, control; +Cc: Mathieu Othacehe, Andreas Enge, 30619-done
bugs 30619 + donewontfix
thanks
> [various discussion]
While I believe a 'certificates' field or the like would be nice,
there does not appear to be a need or interest, hence closing.
If someone would like to implement some solution or has a need,
they can reopen the bug (see
<https://debbugs.gnu.org/server-control.html>).
Greetings,
Maxime.