From: Marius Bakke
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 17:45:48 +0100
Message-ID: <87mvd61cxv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <20170228162919.GA10253@jasmine>
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
>> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
>> for `guix download`, but having just the one file in SSL_CERT_DIR does.
>> That's good enough for me! Could you make this into a Guix package?
>
> I plan to make a package once these issues are resolved:
>
> 1) Which "trust path" should we use? The one using ISRG (the "native"
> Let's Encrypt root certificate authority), or the one that is
> cross-signed by IdenTrust? Or should we keep it as-is, where both are
> included? This is my first time creating a custom set of certificates,
> so I don't know all the issues.
>
> They recommend that server operators use the cross-signed trust chain
> because the ISRG trust chain is not yet widely deployed in web browsers,
> but that's not an issue for this use case.

I don't fully understand the differences here, but will do some reading.

> 2) I'd like at least two other Guix developers to try recreating the
> repository "from scratch", and to send signed email to this thread
> saying that they were able to successfully recreate this custom
> certificate store.

I will do this later.

>> I wonder what happens if we simply switch %snapshot-url to HTTPS in
>> `guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
>> configured? I think it would be sufficient to mention in the manual to
>> install one of "nss-certs" or "le-certs" before running `guix pull` for
>> the first time. How does that sound?
>
> I think it's too much of a regression if users have to fiddle with
> environment variables for `guix pull` to work reliably. People are
> constantly asking for help with environment variables in the #guix chat
> room.
>
> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
> pull` to know to use the le-certs bundle when pulling from
> %snapshot-url. For other URLs, users will have to take care of it
> themselves.

This sounds like a better approach. Also, I did not see this email before
sending the patch! If you package it up, I can look into realizing the
package in `guix pull` directly.

> This should preserve the existing user experience of `guix pull`, which
> is that the default invocation "just works", at least in terms of
> downloading the source code. It could fail anyway if their clock is way
> off... any other ideas about how it could fail?

Not off the top of my head. But see the patch for a fallback "--insecure"
option if all else fails.

Thanks a lot for taking this on!
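The two points the thread leaves open, which root a custom le-certs bundle should contain (the CA's own root, the cross-signing root, or both) and the "clock is way off" failure, can be reproduced offline with a throw-away CA lab. The script below is an added example, not code from this thread or from Guix. Everything in it is made up for the demonstration: Lab Root A stands in for the CA's own root (ISRG in the thread), Lab Root B for the cross-signing root (IdenTrust), the intermediate has one key but two certificates, one issued by each root, which is what a cross-signed CA is, and lab.example is the server. It then runs `openssl verify` with each candidate trust bundle against the chain a server might send, and once more with the verification time set to 1970 to model a badly wrong clock.

```shell
#!/bin/sh
# Added example (not from the Guix thread or the Guix code base).
# Two self-made roots and one cross-signed intermediate reproduce the
# "which trust path" question; all names below are made up.
#   rootA  plays the CA's own root          (ISRG in the thread)
#   rootB  plays the cross-signing root     (IdenTrust in the thread)
#   int    has ONE key but TWO certificates: intA issued by rootA and
#          intB issued by rootB. That is exactly what a cross-signed CA is.
#   both   is the "as-is" bundle that contains both roots.

LAB=$(mktemp -d)

# Minimal OpenSSL config so the lab does not depend on the system openssl.cnf.
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:lab.example
EOF

# make_root <name> <common name>: self-signed CA certificate plus private key
make_root() {
  openssl req -x509 -config "$LAB/lab.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# sign <csr name> <issuer cert name> <issuer key name> <ext section> <out name>
sign() {
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$3.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$LAB/lab.cnf" -extensions "$4" \
    -out "$LAB/$5.pem" 2>/dev/null
}

build_lab() {
  make_root rootA "Lab Root A"
  make_root rootB "Lab Root B"
  openssl req -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes \
    -keyout "$LAB/int.key" -out "$LAB/int.csr" -subj "/CN=Lab Intermediate" 2>/dev/null
  sign int rootA rootA v3_ca intA        # native path: int signed by its own root
  sign int rootB rootB v3_ca intB        # cross-signed path: same key, other root
  openssl req -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes \
    -keyout "$LAB/leaf.key" -out "$LAB/leaf.csr" -subj "/CN=lab.example" 2>/dev/null
  # The leaf is signed with the intermediate KEY; its issuer name matches
  # intA and intB alike, so a server may send either one as its chain.
  sign leaf intA int v3_leaf leaf
  cat "$LAB/rootA.pem" "$LAB/rootB.pem" > "$LAB/both.pem"
}

# verify_leaf <trust bundle> <intermediate the server sends> [extra verify args]
# Prints "ok" or "fail". The bundle is the client's entire trust store, which
# is the situation of a single PEM file in SSL_CERT_DIR.
verify_leaf() {
  bundle=$1; inter=$2; shift 2
  if openssl verify "$@" -CAfile "$LAB/$bundle.pem" \
       -untrusted "$LAB/$inter.pem" "$LAB/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_lab
echo "native root,  native chain:        $(verify_leaf rootA intA)"            # ok
echo "cross root,   cross-signed chain:  $(verify_leaf rootB intB)"            # ok
echo "native root,  cross-signed chain:  $(verify_leaf rootA intB)"            # fail
echo "both roots,   cross-signed chain:  $(verify_leaf both intB)"             # ok
echo "native chain, clock set to 1970:   $(verify_leaf rootA intA -attime 0)"  # fail
```

The third line is the case to keep in mind when choosing a trust path: a bundle holding only the CA's own root verifies nothing if the server sends the cross-signed intermediate, because the client has no way to reach Root B. A bundle with both roots (the "as-is" option) accepts whichever chain the server presents, at the cost of trusting the cross-signing root as well. The last line shows that even a correct bundle fails when the client's clock falls outside the certificates' validity window, which is the clock-skew failure mentioned above; `-attime` only moves OpenSSL's idea of "now" for this one check, so the real system clock is untouched.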