all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: "Ludovic Courtès" <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 46829@debbugs.gnu.org
Subject: bug#46829: `guix pull` uses incorrect certificate store
Date: Wed, 14 Apr 2021 12:50:39 +0200	[thread overview]
Message-ID: <87im4pf8cg.fsf@gnu.org> (raw)
In-Reply-To: <YHXYkTHmMk3FbxMu@jasmine.lan> (Leo Famulari's message of "Tue, 13 Apr 2021 13:44:49 -0400")

Hi,

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
>> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
>> pull’ uses the LE certs, but these certificates expire quite frequently,
>> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
>> authentication chain from the roots.
>
> No, that's incorrect. The certificates in le-certs expired after 5
> years, so it's not frequent.
>
> These are the root and intermediate certificates for the Let's Encrypt
> certificate authority — they are not the 90 day certificates used by a
> webserver.
>
> The problem is that we (I) failed to pay attention and let our le-certs
> package go stale.

OK.  5 years still looks kinda “frequent” to me.  I would think that old
software installations (including “appliances”) would live longer than
that, no?

You install Guix on a laptop, you leave it in a drawer, and you come a
few years later and you can neither access HTTPS web sites nor run ‘guix
pull’?

>> For those who do not have ‘nss-certs’ installed, a workaround is to do
>> avoid HTTPS:
>
> The original motivation of le-certs was that nss-certs would not be
> required, and that `guix pull` would always work. I think we should
> still try to achieve this.

OK.

>> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
>
> I think we should avoid adding "use insecure connection" options. Even
> if the code itself is signed.

“Insecure” is a strong word: it still prevents eavesdropping, which is
the only property that matters in the presence of authenticated
channels.

> I'm going to figure out how to subscribe to Let's Encrypt announcements
> and I'll report back with ideas about how to avoid a repeat of the
> problem.

Yes, that’s the better option.  Thank you!

Ludo’.




  reply	other threads:[~2021-04-14 10:53 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-28 10:27 bug#46829: Fresh install of 1.2.0 can't guix pull Christopher Baines
2021-02-28 11:06 ` Andreas Enge
2021-02-28 11:10 ` Andreas Enge
2021-03-01 10:15   ` Ludovic Courtès
2021-03-01  9:49 ` zimoun
2021-03-05 10:49   ` Christopher Baines
2021-03-01 10:19 ` Ludovic Courtès
2021-03-01 12:03   ` Andreas Enge
2021-03-17 14:36   ` Ludovic Courtès
2021-04-11 20:41     ` Leo Famulari
2021-04-12  1:29       ` Leo Famulari
2021-04-12  6:42         ` Leo Famulari
2021-04-12  8:30           ` Leo Famulari
2021-04-12 12:25             ` Ludovic Courtès
2021-04-12 17:15               ` Leo Famulari
2021-04-12 17:32                 ` Leo Famulari
2021-04-13  8:12                   ` Ludovic Courtès
2021-04-13 18:09                     ` Leo Famulari
2021-04-21 13:14                       ` Ludovic Courtès
2021-04-12 12:25             ` Ludovic Courtès
2021-04-12 17:02               ` Leo Famulari
2021-04-12 18:26                 ` Leo Famulari
2021-04-13 17:47                   ` Leo Famulari
2021-04-13  9:29           ` bug#46829: `guix pull` uses incorrect certificate store Ludovic Courtès
2021-04-13 17:44             ` Leo Famulari
2021-04-14 10:50               ` Ludovic Courtès [this message]
2021-04-14 19:57                 ` Maxime Devos
2021-05-31 19:17                 ` Leo Famulari
2021-04-10 19:02 ` bug#46829: Fresh install of 1.2.0 can't guix pull Leo Famulari
2021-04-10 19:45   ` Christopher Baines
2021-04-10 20:30     ` Leo Famulari
2021-04-10 21:09       ` Leo Famulari
2021-04-10 21:21         ` Christopher Baines
2021-04-10 22:54           ` Leo Famulari
2021-04-10 23:04 ` Leo Famulari
2021-04-10 23:13 ` Leo Famulari
2021-04-14  1:08 ` Leo Famulari
2021-04-14  9:44   ` François

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87im4pf8cg.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=46829@debbugs.gnu.org \
    --cc=leo@famulari.name \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.