From: "Ludovic Courtès" <ludo@gnu.org>
To: Richard Sent <richard@freakingpenguin.com>
Cc: Josselin Poiret <dev@jpoiret.xyz>,
Simon Tournier <zimon.toutoune@gmail.com>,
Mathieu Othacehe <othacehe@gnu.org>,
Tobias Geerinckx-Rice <me@tobias.gr>,
Ricardo Wurmus <rekado@elephly.net>,
Christopher Baines <guix@cbaines.net>,
70314@debbugs.gnu.org
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Date: Wed, 04 Sep 2024 15:33:30 +0200 [thread overview]
Message-ID: <87jzfree6t.fsf@gnu.org> (raw)
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@freakingpenguin.com> (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
Hi Richard,
Richard Sent <richard@freakingpenguin.com> skribis:
> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
Apparently this patch fell through the cracks, despite the long Cc:
list.
> Given the discussion on IRC and guix-devel [1] recently about making
> nss-certs easier to use, this patch modifies guix environment (and
> thus guix shell) to automatically add nss-certs to the profile when
> sharing the network namespace, as well as setting the
> mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
> variables.
>
> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.
[...]
> + (('network? . #t)
> + (if (assoc-ref opts 'no-tls?)
> + '()
> + (manifest-entries
> + (packages->manifest %default-tls-certs))))
Instead of adding the ‘nss-certs’ package, I would rather expose
/etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
certificates will be used, and (2) it’s less expensive than having to
compute the derivation of ‘nss-certs’.
Users who definitely want Guix’s ‘nss-certs’ can always add it to the
shell and it will take precedence over /etc/ssl/certs, assuming
SSL_CERT_{FILE,DIR} is defined.
WDYT?
Thanks,
Ludo’.
next prev parent reply other threads:[~2024-09-04 13:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-09 19:05 [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers Richard Sent
2024-09-04 13:33 ` Ludovic Courtès [this message]
2024-09-04 15:01 ` Richard Sent
2024-09-15 21:39 ` Ludovic Courtès
2024-09-16 0:04 ` Ryan Prior via Guix-patches via
2024-09-15 21:49 ` Ludovic Courtès
2024-09-16 15:22 ` Richard Sent
2024-09-20 15:19 ` Simon Tournier
2024-09-20 15:04 ` Simon Tournier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87jzfree6t.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=70314@debbugs.gnu.org \
--cc=dev@jpoiret.xyz \
--cc=guix@cbaines.net \
--cc=me@tobias.gr \
--cc=othacehe@gnu.org \
--cc=rekado@elephly.net \
--cc=richard@freakingpenguin.com \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.