From: Ludovic Courtès
To: Richard Sent
Cc: Josselin Poiret, Simon Tournier, Mathieu Othacehe, Tobias Geerinckx-Rice, Ricardo Wurmus, Christopher Baines, 70314@debbugs.gnu.org, guix-devel
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
In-Reply-To: <871q1zsbry.fsf@freakingpenguin.com> (Richard Sent's message of "Wed, 04 Sep 2024 11:01:53 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@freakingpenguin.com> <87jzfree6t.fsf@gnu.org> <871q1zsbry.fsf@freakingpenguin.com>
Date: Sun, 15 Sep 2024 23:39:39 +0200
Message-ID: <875xqwd2as.fsf@gnu.org>

Hi Richard,

Cc: guix-devel to get more feedback: this is about adding ‘nss-certs’ by default in ‘guix shell -CN’ containers, along with a ‘--no-tls’ option to opt out:

  https://issues.guix.gnu.org/70314

Richard Sent skribis:

> Ludovic Courtès writes:
>
>> Instead of adding the ‘nss-certs’ package, I would rather expose
>> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
>> certificates will be used, and (2) it’s less expensive than having to
>> compute the derivation of ‘nss-certs’.
>
> There is an issue with this that's cropped up in the past. The files in
> /etc/ssl/certs/* are symlinks to store items. Because containers only
> see a subset of store items that are in that container's profile, it
> often sees the symlinks to store items but not the target file.

Oh, indeed.

[...]

>> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
>> shell and it will take precedence over /etc/ssl/certs, assuming
>> SSL_CERT_{FILE,DIR} is defined.
>
> True, although at present anyone who wants to use nss-certs must set
> SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
> registers the search path).

Right.

[...]

> My thoughts are if we have to decide between
>
> 1. Users who want TLS with standard public endpoints
> 2. Users who want TLS with custom private endpoints
>
> it's better to prioritize a good experience for 1 and let 2 opt out of
> the "hand holding" defaults. But perhaps it's possible to make everyone
> happy.

You’ve convinced me. That it’s opt-out sounds reasonable to me. ‘--no-tls’ sounds reasonable too as a name (I thought about ‘--no-x509-certificates’ but that’s actually less accurate since there are the SSL_* variables in addition to the certificates themselves).

I have some comments about the patch and I’d like others to weigh in too before we commit this change.

Thank you!

Ludo’.
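As an added example (not code from this thread or from Guix), a shell check for the failure mode Richard describes: it walks a certificate directory as seen from inside the container, flags entries that are symlinks whose store target is not visible, and also verifies the SSL_CERT_FILE / SSL_CERT_DIR variables the message says TLS libraries depend on. The demo directory and the /gnu/store path in it are constructed placeholders.

```shell
# Added example, not code from the thread or from Guix: check whether a
# certificate directory exposed into a container is actually usable, i.e.
# every entry resolves to a readable file rather than a symlink whose store
# target was not shared with the container.
check_cert_dir() {
    dir=$1
    total=0
    broken=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue  # empty dir: literal glob
        total=$((total + 1))
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "dangling: $entry -> $(readlink "$entry")" >&2
            broken=$((broken + 1))
        elif [ ! -r "$entry" ]; then
            echo "unreadable: $entry" >&2
            broken=$((broken + 1))
        fi
    done
    echo "$dir: $total entries, $broken unusable"
    [ "$broken" -eq 0 ]
}

# Check the variables TLS libraries consult: SSL_CERT_FILE must be readable,
# SSL_CERT_DIR must pass check_cert_dir, and at least one of them must be set.
check_tls_env() {
    status=0
    if [ -n "${SSL_CERT_FILE:-}" ] && [ ! -r "$SSL_CERT_FILE" ]; then
        echo "SSL_CERT_FILE=$SSL_CERT_FILE is not readable" >&2
        status=1
    fi
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        check_cert_dir "$SSL_CERT_DIR" || status=1
    fi
    if [ -z "${SSL_CERT_FILE:-}${SSL_CERT_DIR:-}" ]; then
        echo "neither SSL_CERT_FILE nor SSL_CERT_DIR is set" >&2
        status=1
    fi
    return "$status"
}

# Demo on a constructed directory mimicking /etc/ssl/certs inside a container:
# one symlink to a present file, one to a (placeholder) store path that is absent.
demo=$(mktemp -d)
printf 'constructed certificate\n' > "$demo/real.pem"
ln -s "$demo/real.pem" "$demo/ok.pem"
ln -s "/gnu/store/PLACEHOLDER-nss-certs/etc/ssl/certs/missing.pem" "$demo/broken.pem"
check_cert_dir "$demo" || echo "certificate directory is not usable here" >&2
```

Run it inside the container (`guix shell -C ... -- sh check.sh`) to see whether an exposed /etc/ssl/certs is populated with dangling links or usable files.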