From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marius Bakke <mbakke@fastmail.com>
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 22:44:21 +0100
Message-ID: <87h93e0z4a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine>
	<87fujmcb6w.fsf@gnu.org>
	<87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87inoh660r.fsf@gnu.org>
	<874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine>
	<87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<20170228162919.GA10253@jasmine>
	<87mvd61cxv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87k28a11wt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44189)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1cipZN-0005id-Un
	for guix-devel@gnu.org; Tue, 28 Feb 2017 16:44:31 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1cipZJ-0007rI-1N
	for guix-devel@gnu.org; Tue, 28 Feb 2017 16:44:30 -0500
In-Reply-To: <87k28a11wt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: multipart/signed; boundary="==-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"

--==-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Marius Bakke <mbakke@fastmail.com> writes:

>>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
>>> pull` to know to use the le-certs bundle when pulling from
>>> %snapshot-url. For other URLs, users will have to take care of it
>>> themselves.=20
>>
>> This sounds like a better approach. Also, I did not see this email
>> before sending the patch! If you package it up, I can look into
>> realizing the package in `guix pull` directly.
>
> I gave this a go using "nss-certs", but can't figure out how to set
> SSL_CERT_DIR (or GUIX_TLS_CERTIFICATE_DIRECTORY) in `guix pull`. The
> naive approach of setting the variable before calling
> "download-to-store" does not work because %x509-certificate-directory
> has already been evaluated.
>
> I wonder what's the best approach here. Parameterizing this and
> propagating it all the way down to (tls-wrap) similar to
> #:verify-certificate? could work, but seems awkward. Any suggestions?

I made it work with the attached hack. It breaks all conventions by
allowing #:verify-certificate? to be a search path for certificates.

If it wasn't for the implied boolean nature of "#:verify-certificate?" I
would be happy with this solution. But I think setting the
GUIX_TLS_CERTIFICATE_DIRECTORY environment variable before pulling in
(guix download) would be better.


--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAli17zUACgkQoqBt8qM6
VPqZ6Af/aih3ssRlutbjDrKamRnzgO3AVMUlthwaPeJyCkC+b7flIP+G59EWdmbV
D3tkuyoF/Jyz+FmwLY5fL8knxI48bGqTCrDdslRMrIxRWpILubVhfPsLI+SPcoOa
mMqR6M8Vx9X82iL2WnRbXRUghgvrrax+SMUn7FyN9B32H3rJ9drm/Ui29Mxh9204
TM0y+lUfxabap658RkYJUTd+aMhKWu6amVDN35ENRSjEDvyi2A1t7EAcH4JNQe/b
+lbCwYRjsxA0QROkS3o4zBb3DmLz3FDNSjQmSRbqnR65R+FUTvUlpF2ldQnZboCZ
5KXbmeecSELbJzsjpm2bKCR/urg/vA==
=iJih
-----END PGP SIGNATURE-----
--==-=-=--

--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline; filename=0001-pull-Default-to-HTTPS.patch

>From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Tue, 28 Feb 2017 22:34:29 +0100
Subject: [PATCH] pull: Default to HTTPS.

* guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
  search string for certificates.
* guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
(guix-pull): Verify against the store path of NSS-CERTS.
---
 guix/build/download.scm | 7 +++++--
 guix/scripts/pull.scm   | 8 ++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/guix/build/download.scm b/guix/build/download.scm
index 203338b52..88da1776f 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -342,13 +342,16 @@ way."
 
 (define* (tls-wrap port server #:key (verify-certificate? #t))
   "Return PORT wrapped in a TLS connection to SERVER.  SERVER must be a DNS
-host name without trailing dot."
+host name without trailing dot.  If VERIFY-CERTIFICATE? is a string, it is
+assumed to be the search path for TLS certificates passed to gnutls."
   (define (log level str)
     (format (current-error-port)
             "gnutls: [~a|~a] ~a" (getpid) level str))
 
   (let ((session  (make-session connection-end/client))
-        (ca-certs (%x509-certificate-directory)))
+        (ca-certs (if (string? verify-certificate?)
+                      verify-certificate?
+                      (%x509-certificate-directory))))
 
     ;; Some servers such as 'cloud.github.com' require the client to support
     ;; the 'SERVER NAME' extension.  However, 'set-session-server-name!' is
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index a4824e4fd..402332192 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -30,6 +30,7 @@
   #:use-module ((guix build utils)
                 #:select (with-directory-excursion delete-file-recursively))
   #:use-module (gnu packages base)
+  #:use-module ((gnu packages certs) #:select (nss-certs))
   #:use-module (gnu packages guile)
   #:use-module ((gnu packages bootstrap)
                 #:select (%bootstrap-guile))
@@ -45,7 +46,7 @@
 
 (define %snapshot-url
   ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
-  "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
+  "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
   )
 
 (define-syntax-rule (with-environment-variable variable value body ...)
@@ -224,8 +225,11 @@ contained therein."
   (with-error-handling
     (let* ((opts  (parse-options))
            (store (open-connection))
+           (certs (string-append (package-output store nss-certs)
+                                 "/etc/ssl/certs"))
            (url   (assoc-ref opts 'tarball-url)))
-      (let ((tarball (download-to-store store url "guix-latest.tar.gz")))
+      (let ((tarball (download-to-store store url "guix-latest.tar.gz"
+                                        #:verify-certificate? certs)))
         (unless tarball
           (leave (_ "failed to download up-to-date source, exiting\n")))
         (parameterize ((%guile-for-build
-- 
2.12.0


--=-=-=--