* bug#30619: Cuirass requires TLS certificates
@ 2018-02-26 20:51 Andreas Enge
  2018-02-27 16:00 ` Ludovic Courtès
  0 siblings, 1 reply; 9+ messages in thread
From: Andreas Enge @ 2018-02-26 20:51 UTC (permalink / raw)
  To: 30619

Hello,

the cuirass service requires TLS certificates to do continuous integration
of guix (or more generally, git repositories served over https). This works
when nss-certs is installed as a global package in the system.

Should the service depend on the nss-certs package? Or maybe take as an
optional configuration parameter a certificate package?

Andreas


* bug#30619: Cuirass requires TLS certificates
  2018-02-26 20:51 bug#30619: Cuirass requires TLS certificates Andreas Enge
@ 2018-02-27 16:00 ` Ludovic Courtès
  2021-09-16  7:33   ` zimoun
  0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2018-02-27 16:00 UTC (permalink / raw)
  To: Andreas Enge; +Cc: 30619

Andreas Enge <andreas@enge.fr> skribis:

> the cuirass service requires TLS certificates to do continuous integration
> of guix (or more generally, git repositories served over https). This works
> when nss-certs is installed as a global package in the system.
>
> Should the service depend on the nss-certs package? Or maybe take as an
> optional configuration parameter a certificate package?

I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
That would make it self-contained.

That’s currently not possible though because this certificate bundle is
built as a profile hook.  We would first need to export the procedure
that creates bundles, possibly by moving it to a new (guix
x509-certificates) module.

Thoughts?

Ludo’.


* bug#30619: Cuirass requires TLS certificates
  2018-02-27 16:00 ` Ludovic Courtès
@ 2021-09-16  7:33   ` zimoun
  2021-10-12 21:57     ` zimoun
  0 siblings, 1 reply; 9+ messages in thread
From: zimoun @ 2021-09-16  7:33 UTC (permalink / raw)
  To: Ludovic Courtès, Mathieu Othacehe; +Cc: 30619

Hi,

On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
> Andreas Enge <andreas@enge.fr> skribis:
>
>> the cuirass service requires TLS certificates to do continuous integration
>> of guix (or more generally, git repositories served over https). This works
>> when nss-certs is installed as a global package in the system.
>>
>> Should the service depend on the nss-certs package? Or maybe take as an
>> optional configuration parameter a certificate package?
>
> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
> That would make it self-contained.
>
> That’s currently not possible though because this certificate bundle is
> built as a profile hook.  We would first need to export the procedure
> that creates bundles, possibly by moving it to a new (guix
> x509-certificates) module.

What is the status of this old bug [1]?  Well, if it is not fixed yet,
it seems a forgotten bug. :-)

1: <http://issues.guix.gnu.org/issue/30619>

Cheers,
simon





* bug#30619: Cuirass requires TLS certificates
  2021-09-16  7:33   ` zimoun
@ 2021-10-12 21:57     ` zimoun
  2021-10-15 15:20       ` Ludovic Courtès
  0 siblings, 1 reply; 9+ messages in thread
From: zimoun @ 2021-10-12 21:57 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Mathieu Othacehe, 30619

Hi,

On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>> Andreas Enge <andreas@enge.fr> skribis:
>>
>>> the cuirass service requires TLS certificates to do continuous integration
>>> of guix (or more generally, git repositories served over https). This works
>>> when nss-certs is installed as a global package in the system.
>>>
>>> Should the service depend on the nss-certs package? Or maybe take as an
>>> optional configuration parameter a certificate package?
>>
>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>> That would make it self-contained.
>>
>> That’s currently not possible though because this certificate bundle is
>> built as a profile hook.  We would first need to export the procedure
>> that creates bundles, possibly by moving it to a new (guix
>> x509-certificates) module.
>
> What is the status of this old bug [1]?  Well, if it is not fixed yet,
> it seems a forgotten bug. :-)
>
> 1: <http://issues.guix.gnu.org/issue/30619>

From my understanding, this old bug could be closed.  But I am not sure
to get it right about this TLS story.  So closing?


Cheers,
simon





* bug#30619: Cuirass requires TLS certificates
  2021-10-12 21:57     ` zimoun
@ 2021-10-15 15:20       ` Ludovic Courtès
  2021-11-26  1:38         ` zimoun
  0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2021-10-15 15:20 UTC (permalink / raw)
  To: zimoun; +Cc: Mathieu Othacehe, 30619

Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>>> Andreas Enge <andreas@enge.fr> skribis:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook.  We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]?  Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed.  But I am not sure
> to get it right about this TLS story.  So closing?

The Cuirass Shepherd service still does:

              #:environment-variables
              (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

which means that users still need to install certificates globally.

Now, whether it’s an issue, I don’t know.

Maybe we can close?

Thanks,
Ludo’.
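
Added example (not part of the original message, and not Guix or Cuirass code): a shell preflight that checks whether the bundle named by GIT_SSL_CAINFO, as in the environment list quoted above, exists and contains PEM certificates. The function names are made up for this illustration.

```shell
#!/bin/sh
# Illustrative preflight; cainfo_from_env, check_ca_bundle and preflight
# are hypothetical helper names, not part of Guix, Cuirass or git.

# Print the value of GIT_SSL_CAINFO found in a list of VAR=value words
# (the shape of the service's #:environment-variables list).
cainfo_from_env() {
    for kv in "$@"; do
        case "$kv" in
            GIT_SSL_CAINFO=*) printf '%s\n' "${kv#GIT_SSL_CAINFO=}"; return 0 ;;
        esac
    done
    return 1
}

# 0: bundle usable; 1: missing or unreadable (also a dangling symlink);
# 2: file present but holds no PEM certificate.
check_ca_bundle() {
    bundle=$1
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "missing: $bundle (no certificates installed globally?)" >&2
        return 1
    fi
    # grep -c exits non-zero on zero matches, so neutralise its status.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "empty: $bundle contains no PEM certificates" >&2
        return 2
    fi
    echo "ok: $bundle ($count certificates)"
}

# 3: GIT_SSL_CAINFO is not set in the given environment at all.
preflight() {
    bundle=$(cainfo_from_env "$@") || {
        echo "GIT_SSL_CAINFO is not set in this environment" >&2
        return 3
    }
    check_ca_bundle "$bundle"
}

# Usage, with the path from the message above:
#   preflight "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt"
```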





* bug#30619: Cuirass requires TLS certificates
  2021-10-15 15:20       ` Ludovic Courtès
@ 2021-11-26  1:38         ` zimoun
  2021-11-26  6:28           ` Maxime Devos
  0 siblings, 1 reply; 9+ messages in thread
From: zimoun @ 2021-11-26  1:38 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Hi,

On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> zimoun <zimon.toutoune@gmail.com> skribis:
>> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:

> The Cuirass Shepherd service still does:
>
>               #:environment-variables
>               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>
> which means that users still need to install certificates globally.
>
> Now, whether it’s an issue, I don’t know.
>
> Maybe we can close?

I propose to close since I do not see what could be the next action.

1: <http://issues.guix.gnu.org/issue/30619>


Cheers,
simon





* bug#30619: Cuirass requires TLS certificates
  2021-11-26  1:38         ` zimoun
@ 2021-11-26  6:28           ` Maxime Devos
  2021-11-26  6:31             ` Maxime Devos
  2021-11-26  6:32             ` Maxime Devos
  0 siblings, 2 replies; 9+ messages in thread
From: Maxime Devos @ 2021-11-26  6:28 UTC (permalink / raw)
  To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> Hi,
> 
> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:
> > zimoun <zimon.toutoune@gmail.com> skribis:
> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>
> > > wrote:
> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)
> > > > wrote:
> 
> > The Cuirass Shepherd service still does:
> > 
> >               #:environment-variables
> >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
> > 
> > which means that users still need to install certificates globally.
> > 
> > Now, whether it’s an issue, I don’t know.
> > 
> > Maybe we can close?
> 
> I propose to close since I do not see what could be the next action.
> 
> 1: <http://issues.guix.gnu.org/issue/30619>

The next action would be splitting off the bundle generation from the
profile code, and adding a ‘certificates’ field defaulting to
nss-certs, as Ludo seemed to suggest.

This could be useful if the server the channel repositories are on use
self-signed certificates (are git repositories of channels over https
the reason cuirass requires TLS certificates).


Greetings,
Maxime






* bug#30619: Cuirass requires TLS certificates
  2021-11-26  6:28           ` Maxime Devos
@ 2021-11-26  6:31             ` Maxime Devos
  2021-11-26  6:32             ` Maxime Devos
  1 sibling, 0 replies; 9+ messages in thread
From: Maxime Devos @ 2021-11-26  6:31 UTC (permalink / raw)
  To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> [...]
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

This was meant to be:

‘This could be useful if the server the channel repositories are on
use self-signed certificates (are git repositories of channels over
https the reason cuirass requires TLS certificates?).’







* bug#30619: Cuirass requires TLS certificates
  2021-11-26  6:28           ` Maxime Devos
  2021-11-26  6:31             ` Maxime Devos
@ 2021-11-26  6:32             ` Maxime Devos
  1 sibling, 0 replies; 9+ messages in thread
From: Maxime Devos @ 2021-11-26  6:32 UTC (permalink / raw)
  To: zimoun, Ludovic Courtès; +Cc: Mathieu Othacehe, Andreas Enge, 30619

Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

Oops, this argument doesn't have much value, because those certificates
might as well be added to the system profile.





