From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marius Bakke <mbakke@fastmail.com>
Subject: Re: `guix pull` over HTTPS
Date: Mon, 06 Mar 2017 13:27:47 +0100
Message-ID: <87mvcy614s.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine>
	<87fujmcb6w.fsf@gnu.org>
	<87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87inoh660r.fsf@gnu.org>
	<874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine>
	<87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<20170228162919.GA10253@jasmine>
	<87mvd61cxv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87k28a11wt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87h93e0z4a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87mvcywwh6.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:40931)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1ckrk3-0007An-PL
	for guix-devel@gnu.org; Mon, 06 Mar 2017 07:27:56 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1ckrk0-0000ch-K6
	for guix-devel@gnu.org; Mon, 06 Mar 2017 07:27:55 -0500
In-Reply-To: <87mvcywwh6.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Ludovic Court=C3=A8s <ludo@gnu.org> writes:

> Hi!
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Tue, 28 Feb 2017 22:34:29 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
>>   search string for certificates.
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Verify against the store path of NSS-CERTS.
>> ---
>>  guix/build/download.scm | 7 +++++--
>>  guix/scripts/pull.scm   | 8 ++++++--
>>  2 files changed, 11 insertions(+), 4 deletions(-)
>>
>> diff --git a/guix/build/download.scm b/guix/build/download.scm
>> index 203338b52..88da1776f 100644
>> --- a/guix/build/download.scm
>> +++ b/guix/build/download.scm
>> @@ -342,13 +342,16 @@ way."
>>=20=20
>>  (define* (tls-wrap port server #:key (verify-certificate? #t))
>>    "Return PORT wrapped in a TLS connection to SERVER.  SERVER must be a=
 DNS
>> -host name without trailing dot."
>> +host name without trailing dot.  If VERIFY-CERTIFICATE? is a string, it=
 is
>> +assumed to be the search path for TLS certificates passed to gnutls."
>>    (define (log level str)
>>      (format (current-error-port)
>>              "gnutls: [~a|~a] ~a" (getpid) level str))
>>=20=20
>>    (let ((session  (make-session connection-end/client))
>> -        (ca-certs (%x509-certificate-directory)))
>> +        (ca-certs (if (string? verify-certificate?)
>> +                      verify-certificate?
>> +                      (%x509-certificate-directory))))
>
> Nitpick: I would prefer to use a different argument for the certificate
> directory.  Something like this:
>
>   (define* (tls-wrap port server #:key (verify-certificate? #t)
>                                  (certificate-directory
>                                   (%x509-certificate-directory)))
>     =E2=80=A6)=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20
>
> Also the =E2=80=98guix pull=E2=80=99 part should be a separate patch.
>
> Great work, thank you!

Hello!

Please see https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D25975

... for the latest version of this patch.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAli9VcMACgkQoqBt8qM6
VPrDQQf8C4G9V/eB3I2nusvHbuT8XVzD/tKcebm5+YhOzWocLtr0p5huBs6fyqvT
ti4OYLsqg/E1/apBcZqBrZr2/1EfunO/+yw1jXmBc360gWaHCzcUQqD4Twv6sbut
SlrpSN9S6u7MxHeflZ06gi7mVpzKAeTAyP5zZaayinTR9rnTatuLHG40n8iYrDeZ
lZJ+xxvjmZx9Df7iZgZdGNc4KYb+7IOw6NueKFbxBQMpl2Stoo0yGYD0wAieHEGP
E1FZKkubvvnL5pSk6m75rXah9RYETjJz9pJsRM/S8uNhIypMIolhvzgO9FJPD9z4
CwT8qwxwY1WBDOMLr6P5V5LrxkMHSg==
=4cCJ
-----END PGP SIGNATURE-----
--=-=-=--