From: Maxim Cournoyer
To: guix-devel
Subject: Should we include nss-certs out of the box?
Date: Wed, 03 Apr 2024 14:06:37 -0400
Message-ID: <874jciuxqq.fsf@gmail.com>

Hi,

It's been Guix policy to let people choose whether or not to install TLS root certificates, and which ones, on their machine. While I applaud the idea to have the users make a conscious decision about it, in practice I suppose very few of us choose to *not* install any as that basically breaks using web browsers, especially ones like IceCat which (by default) ensure HTTPS is used on every page.

It apparently even makes it impossible to run 'guix pull', if I am to believe bug#62026.

Should we do as in bug#62026 and have this package be part of the recommended basic installation? It'd be in the basic set of an operating-system's packages (via its default %base-packages set). It could still be manipulated via the Guix API (filtered out/replaced with something else).

Is anyone opposed to having nss-certs in %base-packages?

-- 
Thanks,
Maxim