* Should we include nss-certs out of the box?
@ 2024-04-03 18:06 Maxim Cournoyer
2024-04-03 19:21 ` Ryan Prior
` (5 more replies)
0 siblings, 6 replies; 15+ messages in thread
From: Maxim Cournoyer @ 2024-04-03 18:06 UTC (permalink / raw)
To: guix-devel
Hi,
It's been Guix policy to let people choose whether to install or not TLS
root certificates and which one to their machine. While I applaud the
idea to have the users make a conscious decision about it, in practice I
suppose very few of us choose to *not* install any as that basically
breaks using web browsers, especially ones like IceCat which (by
default) ensures HTTPS is used on every page.
It apparently even makes it impossible to run 'guix pull', if I am to
believe bug#62026.
Should we do as in bug#62026 and have this package be part of the
recommended basic installation? It'd be in the basic set of an
operating-system packages (via its default %base-packages set). It
could still be manipulated via the Guix API (filtered out/replaced with
something else).
Is anyone opposed to having nss-certs in %base-packages?
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-03 18:06 Should we include nss-certs out of the box? Maxim Cournoyer
@ 2024-04-03 19:21 ` Ryan Prior
2024-04-03 20:10 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
` (4 subsequent siblings)
5 siblings, 0 replies; 15+ messages in thread
From: Ryan Prior @ 2024-04-03 19:21 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel
On Wednesday, April 3rd, 2024 at 1:06 PM, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> Is anyone opposed to having nss-certs in %base-packages?
I applaud that plan. Not only that, I think that Guix should warn if you don't have nss-certs in your profile on a foreign distro (with a mechanism to suppress that, ofc)
Lacking the nss-certs package causes all manner of trouble and is a stumbling block to adoption. It's practically a dependency; the ability to operate without it is kind of a party trick.
Ryan
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-03 18:06 Should we include nss-certs out of the box? Maxim Cournoyer
2024-04-03 19:21 ` Ryan Prior
@ 2024-04-03 20:10 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-04-05 16:45 ` Jan Wielkiewicz
` (3 subsequent siblings)
5 siblings, 0 replies; 15+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2024-04-03 20:10 UTC (permalink / raw)
To: Maxim Cournoyer, guix-devel
Hi Maxim,
On Wed, Apr 03 2024, Maxim Cournoyer wrote:
> I applaud the idea to have the users make a conscious decision
Who does?
> It apparently even makes it impossible to run 'guix pull'
More than that, the references to online sources in our package
declarations are useless. Would it be possible to install nss-certs
from source?
> [nss-certs would] be in the basic set of an operating-system packages
That strikes me as rational but it would be valuable to hear from the
other side---if there is one.
Kind regards
Felix
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-03 18:06 Should we include nss-certs out of the box? Maxim Cournoyer
2024-04-03 19:21 ` Ryan Prior
2024-04-03 20:10 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2024-04-05 16:45 ` Jan Wielkiewicz
2024-04-08 18:56 ` Richard Sent
` (2 subsequent siblings)
5 siblings, 0 replies; 15+ messages in thread
From: Jan Wielkiewicz @ 2024-04-05 16:45 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel
On Wed, 03 Apr 2024 14:06:37 -0400
Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> Hi,
>
> It's been Guix policy to let people choose whether to install or not
> TLS root certificates and which one to their machine. While I
> applaud the idea to have the users make a conscious decision about
> it, in practice I suppose very few of us choose to *not* install any
> as that basically breaks using web browsers, especially ones like
> IceCat which (by default) ensures HTTPS is used on every page.
>
> It apparently even makes it impossible to run 'guix pull', if I am to
> believe bug#62026.
>
> Should we do as in bug#62026 and have this package be part of the
> recommended basic installation? It'd be in the basic set of an
> operating-system packages (via its default %base-packages set). It
> could still be manipulated via the Guix API (filtered out/replaced
> with something else).
>
> Is anyone opposed to having nss-certs in %base-packages?
>
Hello,
IMO everything should work out of the box. Power users will be able to
do their stuff if they need to, so the feature should be opt-out.
--
Jan Wielkiewicz
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-03 18:06 Should we include nss-certs out of the box? Maxim Cournoyer
` (2 preceding siblings ...)
2024-04-05 16:45 ` Jan Wielkiewicz
@ 2024-04-08 18:56 ` Richard Sent
2024-04-10 14:50 ` Ludovic Courtès
2024-04-23 14:18 ` Clément Lassieur
5 siblings, 0 replies; 15+ messages in thread
From: Richard Sent @ 2024-04-08 18:56 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel
I wonder if instead (or in addition to) a step should be added to the
default profile to symlink nss-certs to
/etc/ssl/certs/ca-certificates.crt?
Consider running $ guix shell rust:cargo nss-certs -CN -- cargo search
ox.
On c9cd16c630 this will fail with
--8<---------------cut here---------------start------------->8---
Updating crates.io index
error: download of config.json failed
Caused by:
failed to download from `https://index.crates.io/config.json`
Caused by:
[60] SSL peer certificate or SSH remote key was not OK (server certificate verification failed. CAfile: none CRLfile: none)
--8<---------------cut here---------------end--------------->8---
This is because /etc/ssl/certs doesn't exist in the shell's container.
A user could work around this by running in the shell:
--8<---------------cut here---------------start------------->8---
export SSL_CERT_FILE=$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt
--8<---------------cut here---------------end--------------->8---
but this complicates the handle $ guix shell ... -- <command> syntax.
The only package that seems to escape this nonfunctional trap is git
because the package definition explicitly sets a GIT_SSL_CAINFO search
path specification.
IMO, if we agree to add nss-certs to %base-packages, we should also set
up a /etc/ssl/certs symlink to %default-profile-hooks. It's very odd to
see `building CA certificate bundle...` printed to the console yet not
be able to use https except for git in shell containers.
Power users will still be able to override the normal behavior by
setting the package-specific environment variables. This change would
just change the default state from "nonfunctional" to "working".
--
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-03 18:06 Should we include nss-certs out of the box? Maxim Cournoyer
` (3 preceding siblings ...)
2024-04-08 18:56 ` Richard Sent
@ 2024-04-10 14:50 ` Ludovic Courtès
2024-04-19 1:58 ` Maxim Cournoyer
2024-04-23 14:18 ` Clément Lassieur
5 siblings, 1 reply; 15+ messages in thread
From: Ludovic Courtès @ 2024-04-10 14:50 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel
Hi,
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> It's been Guix policy to let people choose whether to install or not TLS
> root certificates and which one to their machine. While I applaud the
> idea to have the users make a conscious decision about it, in practice I
> suppose very few of us choose to *not* install any as that basically
> breaks using web browsers, especially ones like IceCat which (by
> default) ensures HTTPS is used on every page.
Right.
> It apparently even makes it impossible to run 'guix pull', if I am to
> believe bug#62026.
I don’t think that’s the case: see use of ‘le-certs’ in (guix scripts
pull).
> Should we do as in bug#62026 and have this package be part of the
> recommended basic installation? It'd be in the basic set of an
> operating-system packages (via its default %base-packages set). It
> could still be manipulated via the Guix API (filtered out/replaced with
> something else).
>
> Is anyone opposed to having nss-certs in %base-packages?
No objection from me. I’m partly responsible for the initial choice to
not include nss-certs by default, but as you write, most likely everyone
installs it these days.
Note that we’ll also need to remove that choice from the installer in
(gnu installer services).
Thanks!
Ludo’.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
@ 2024-04-18 10:45 Fabio Natali
2024-04-19 15:25 ` Maxim Cournoyer
0 siblings, 1 reply; 15+ messages in thread
From: Fabio Natali @ 2024-04-18 10:45 UTC (permalink / raw)
To: guix-devel; +Cc: ludo, maxim.cournoyer
Hi,
Here's my attempt at adding 'nss-certs' to '%default-packages'.
https://lists.gnu.org/archive/html/guix-patches/2024-04/msg01187.html
I've removed the 'nss-certs' entry from the installer, as suggested by
Ludo, and I've updated the docs, hopefully all the relevant parts. Can
you think of anything else that may need to be updated?
Thanks, best wishes, Fabio.
--
Fabio Natali
https://fabionatali.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-10 14:50 ` Ludovic Courtès
@ 2024-04-19 1:58 ` Maxim Cournoyer
0 siblings, 0 replies; 15+ messages in thread
From: Maxim Cournoyer @ 2024-04-19 1:58 UTC (permalink / raw)
To: Ludovic Courtès
Cc: guix-devel, richard, tona_kosmicznego_smiecia, felix.lechner
Hello,
Ludovic Courtès <ludo@gnu.org> writes:
[...]
>> It apparently even makes it impossible to run 'guix pull', if I am to
>> believe bug#62026.
>
> I don’t think that’s the case: see use of ‘le-certs’ in (guix scripts
> pull).
OK, good to know!
>
>> Should we do as in bug#62026 and have this package be part of the
>> recommended basic installation? It'd be in the basic set of an
>> operating-system packages (via its default %base-packages set). It
>> could still be manipulated via the Guix API (filtered out/replaced with
>> something else).
>>
>> Is anyone opposed to having nss-certs in %base-packages?
>
> No objection from me. I’m partly responsible for the initial choice to
> not include nss-certs by default, but as you write, most likely everyone
> installs it these days.
>
> Note that we’ll also need to remove that choice from the installer in
> (gnu installer services).
I went ahead and have now done so, and included a news entry for it.
I've adjusted the OSes templates accordingly, the doc, and the
installer in 65e8472a4b6fc6f66871ba0dad518b7d4c63595e. Let me know if
I've missed anything.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-18 10:45 Fabio Natali
@ 2024-04-19 15:25 ` Maxim Cournoyer
2024-04-20 10:06 ` Fabio Natali
0 siblings, 1 reply; 15+ messages in thread
From: Maxim Cournoyer @ 2024-04-19 15:25 UTC (permalink / raw)
To: Fabio Natali; +Cc: guix-devel, ludo
Hi Fabio,
Fabio Natali <me@fabionatali.com> writes:
> Hi,
>
> Here's my attempt at adding 'nss-certs' to '%default-packages'.
>
> https://lists.gnu.org/archive/html/guix-patches/2024-04/msg01187.html
>
> I've removed the 'nss-certs' entry from the installer, as suggested by
> Ludo, and I've updated the docs, hopefully all the relevant parts. Can
> you think of anything else that may need to be updated?
It seems we were working on a similar thing at a similar time :-).
Could you please take a look at
'65e8472a4b6fc6f66871ba0dad518b7d4c63595e', which I hope didn't leave
no longer useful 'nss-certs' doc/examples behind ?
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-19 15:25 ` Maxim Cournoyer
@ 2024-04-20 10:06 ` Fabio Natali
2024-04-21 19:29 ` Fabio Natali
0 siblings, 1 reply; 15+ messages in thread
From: Fabio Natali @ 2024-04-20 10:06 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel, ludo
On 2024-04-19, 11:25 -0400, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> Could you please take a look at
> '65e8472a4b6fc6f66871ba0dad518b7d4c63595e', which I hope didn't leave
> no longer useful 'nss-certs' doc/examples behind ?
Hi Maxim, absolutely, I should be able to give a look today or
tomorrow. I'll send an update here.
Thanks, best wishes, Fabio.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-20 10:06 ` Fabio Natali
@ 2024-04-21 19:29 ` Fabio Natali
2024-04-23 6:11 ` pelzflorian (Florian Pelz)
0 siblings, 1 reply; 15+ messages in thread
From: Fabio Natali @ 2024-04-21 19:29 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel, ludo
On 2024-04-20, 11:06 +0100, Fabio Natali <me@fabionatali.com> wrote:
> I'll send an update here.
Hi Maxim,
There's a couple of mentions of 'nss-certs' in the manual that might be
rephrased to reflect '65e8472a4b6fc6f66871ba0dad518b7d4c63595e'.
For what it's worth, I put together a micro-patch and sent it over as a
follow-up to #70451.
https://issues.guix.gnu.org/70451#4
Thanks, cheers, Fabio.
--
Fabio Natali
https://fabionatali.com
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-21 19:29 ` Fabio Natali
@ 2024-04-23 6:11 ` pelzflorian (Florian Pelz)
0 siblings, 0 replies; 15+ messages in thread
From: pelzflorian (Florian Pelz) @ 2024-04-23 6:11 UTC (permalink / raw)
To: Fabio Natali; +Cc: 70451-done, Maxim Cournoyer, guix-devel, ludo
Fabio Natali <me@fabionatali.com> writes:
> For what it's worth, I put together a micro-patch and sent it over as a
> follow-up to #70451.
Pushed as 67a3a83170c038d2eb084d3f53a7ea7b033aea74.
Thank you!
Regards,
Florian
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-03 18:06 Should we include nss-certs out of the box? Maxim Cournoyer
` (4 preceding siblings ...)
2024-04-10 14:50 ` Ludovic Courtès
@ 2024-04-23 14:18 ` Clément Lassieur
2024-04-25 15:35 ` Maxim Cournoyer
5 siblings, 1 reply; 15+ messages in thread
From: Clément Lassieur @ 2024-04-23 14:18 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel
On Wed, Apr 03 2024, Maxim Cournoyer wrote:
> It's been Guix policy to let people choose whether to install or not TLS
> root certificates and which one to their machine. While I applaud the
> idea to have the users make a conscious decision about it, in practice I
> suppose very few of us choose to *not* install any as that basically
> breaks using web browsers, especially ones like IceCat which (by
> default) ensures HTTPS is used on every page.
I'd be surprised Icecat breaks from this as it uses its own cert
database and allows HTTP when HTTPS doesn't work.
Kind regards,
Clément
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-23 14:18 ` Clément Lassieur
@ 2024-04-25 15:35 ` Maxim Cournoyer
2024-04-25 22:42 ` Clément Lassieur
0 siblings, 1 reply; 15+ messages in thread
From: Maxim Cournoyer @ 2024-04-25 15:35 UTC (permalink / raw)
To: Clément Lassieur; +Cc: guix-devel
Hello!
Clément Lassieur <clement@lassieur.org> writes:
> On Wed, Apr 03 2024, Maxim Cournoyer wrote:
>
>> It's been Guix policy to let people choose whether to install or not TLS
>> root certificates and which one to their machine. While I applaud the
>> idea to have the users make a conscious decision about it, in practice I
>> suppose very few of us choose to *not* install any as that basically
>> breaks using web browsers, especially ones like IceCat which (by
>> default) ensures HTTPS is used on every page.
>
> I'd be surprised Icecat breaks from this as it uses its own cert
> database and allows HTTP when HTTPS doesn't work.
I didn't know Icecat had its own cert database.
About allowing HTTP, it can access pages using it, but not without going
through a "Continue despite security risks" dialog, and perhaps turning
off the HTTPS everywhere add-on for the page, which is installed by
default.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Should we include nss-certs out of the box?
2024-04-25 15:35 ` Maxim Cournoyer
@ 2024-04-25 22:42 ` Clément Lassieur
0 siblings, 0 replies; 15+ messages in thread
From: Clément Lassieur @ 2024-04-25 22:42 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: guix-devel
Hello!
On Thu, Apr 25 2024, Maxim Cournoyer wrote:
> Clément Lassieur <clement@lassieur.org> writes:
>
>> On Wed, Apr 03 2024, Maxim Cournoyer wrote:
>>
>>> It's been Guix policy to let people choose whether to install or not TLS
>>> root certificates and which one to their machine. While I applaud the
>>> idea to have the users make a conscious decision about it, in practice I
>>> suppose very few of us choose to *not* install any as that basically
>>> breaks using web browsers, especially ones like IceCat which (by
>>> default) ensures HTTPS is used on every page.
>>
>> I'd be surprised Icecat breaks from this as it uses its own cert
>> database and allows HTTP when HTTPS doesn't work.
>
> I didn't know Icecat had its own cert database.
>
> About allowing HTTP, it can access pages using it, but not without going
> through a "Continue despite security risks" dialog, and perhaps turning
> off the HTTPS everywhere add-on for the page, which is installed by
> default.
Indeed! (Well it's not an add-on anymore, but a Firefox native mode
called HTTPS-only.)
https://support.mozilla.org/en-US/kb/https-only-prefs
Cheers,
Clément
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2024-04-25 22:43 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-03 18:06 Should we include nss-certs out of the box? Maxim Cournoyer
2024-04-03 19:21 ` Ryan Prior
2024-04-03 20:10 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-04-05 16:45 ` Jan Wielkiewicz
2024-04-08 18:56 ` Richard Sent
2024-04-10 14:50 ` Ludovic Courtès
2024-04-19 1:58 ` Maxim Cournoyer
2024-04-23 14:18 ` Clément Lassieur
2024-04-25 15:35 ` Maxim Cournoyer
2024-04-25 22:42 ` Clément Lassieur
-- strict thread matches above, loose matches on Subject: below --
2024-04-18 10:45 Fabio Natali
2024-04-19 15:25 ` Maxim Cournoyer
2024-04-20 10:06 ` Fabio Natali
2024-04-21 19:29 ` Fabio Natali
2024-04-23 6:11 ` pelzflorian (Florian Pelz)
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.