From: Leo Famulari
To: Ludovic Courtès
Cc: 46829@debbugs.gnu.org
Subject: bug#46829: `guix pull` uses incorrect certificate store
Date: Tue, 13 Apr 2021 13:44:49 -0400
In-Reply-To: <87zgy2leg9.fsf_-_@gnu.org>
References: <871rd0ebd5.fsf@cbaines.net> <877dmrtbvn.fsf@gnu.org> <877dm54zk3.fsf@gnu.org> <87zgy2leg9.fsf_-_@gnu.org>
List-Id: Bug reports for GNU Guix (bug-guix@gnu.org)

On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
> pull’ uses the LE certs, but these certificates expire quite frequently,
> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
> authentication chain from the roots.

No, that's incorrect. The certificates in le-certs expired after 5
years, so it's not frequent. These are the root and intermediate
certificates for the Let's Encrypt certificate authority — they are not
the 90-day certificates used by a webserver.

The problem is that we (I) failed to pay attention and let our le-certs
package go stale.

> For those who do not have ‘nss-certs’ installed, a workaround is to
> avoid HTTPS:

The original motivation of le-certs was that nss-certs would not be
required, and that `guix pull` would always work. I think we should
still try to achieve this.

> guix pull --url=http://git.savannah.gnu.org/git/guix.git
>
> This is fine because the ‘guix’ channel is authenticated anyway.

Yes, that works and is pretty safe, although Guix will complain because
it can't tell that this is the same repo.

> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.

I think we should avoid adding "use insecure connection" options, even
if the code itself is signed.

I'm going to figure out how to subscribe to Let's Encrypt announcements
and I'll report back with ideas about how to avoid a repeat of the
problem.
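The message above attributes the breakage to a CA bundle (le-certs) going stale unnoticed. The following is an added example, not code from Guix or from anyone in this thread, of the staleness check a maintainer of such a bundle would want to run: it reads a PEM file of concatenated certificates, walks just enough DER to pull out each certificate's validity period and subject CN, and flags entries that have expired or expire within a warning window. Assumptions: the bundle is plain PEM; the DER walker is a minimal reader for the tbsCertificate fields, not a signature or chain verifier; the 90-day warning window, the THREAD_DATE used as "now", and the three sample certificates (built by the unsigned fake_cert_pem helper with dates chosen around this thread) are all constructed for the example and are not real Let's Encrypt certificates.

```python
"""Staleness check for a PEM CA bundle such as the one le-certs ships (added example).
Minimal DER walker: reads validity and subject CN only; no signature or chain checks."""
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"                   # 2.5.4.3
TAG_UTC_TIME, TAG_GENERALIZED_TIME, TAG_CONTEXT_0 = 0x17, 0x18, 0xA0
UTC = timezone.utc
THREAD_DATE = datetime(2021, 4, 13, tzinfo=UTC)     # assumed "now" for the demo below

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _tbs_fields(der):
    """tbsCertificate fields, [0] version stripped: 0 serial, 1 sigAlg, 2 issuer, 3 validity, 4 subject."""
    _, cert_start, _ = _tlv(der, 0)
    _, tbs_start, tbs_end = _tlv(der, cert_start)
    fields = list(_children(der, tbs_start, tbs_end))
    return fields[1:] if fields[0][0] == TAG_CONTEXT_0 else fields

def _parse_time(tag, raw):
    """UTCTime YYMMDDHHMMSSZ (RFC 5280 century rule) or GeneralizedTime YYYYMMDDHHMMSSZ."""
    text = raw.decode("ascii")
    if tag == TAG_UTC_TIME:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def validity(der):
    """(not_before, not_after) of a DER certificate as aware UTC datetimes."""
    _, vs, ve = _tbs_fields(der)[3]
    return tuple(_parse_time(t, der[s:e]) for t, s, e in _children(der, vs, ve))

def subject_cn(der):
    """Subject commonName, or '<no CN>' if the subject has none."""
    _, ns, ne = _tbs_fields(der)[4]
    for _, rs, rend in _children(der, ns, ne):           # RelativeDistinguishedName (SET)
        for _, as_, aend in _children(der, rs, rend):    # AttributeTypeAndValue (SEQUENCE)
            (_, os_, oend), (_, vs, vend) = list(_children(der, as_, aend))
            if der[os_:oend] == OID_COMMON_NAME:
                return der[vs:vend].decode("utf-8", "replace")
    return "<no CN>"

def audit_bundle(pem_text, now=None, warn_days=90):
    """Classify each certificate in a PEM bundle as EXPIRED, EXPIRING or OK."""
    now = now or datetime.now(UTC)
    report = []
    for m in PEM_CERT.finditer(pem_text.encode()):
        der = base64.b64decode(b"".join(m.group(1).split()))
        _, not_after = validity(der)
        status = ("EXPIRED" if not_after <= now
                  else "EXPIRING" if not_after - now <= timedelta(days=warn_days) else "OK")
        report.append((subject_cn(der), status, not_after.date().isoformat()))
    return report

# --- constructed test data: structurally valid but unsigned certificates ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_time(iso_date):                            # RFC 5280: UTCTime to 2049, GeneralizedTime after
    d = datetime.fromisoformat(iso_date)
    if d.year < 2050:
        return _der(TAG_UTC_TIME, (d.strftime("%y%m%d%H%M%S") + "Z").encode())
    return _der(TAG_GENERALIZED_TIME, (d.strftime("%Y%m%d%H%M%S") + "Z").encode())

def fake_cert_pem(cn, not_before, not_after):
    """PEM certificate with the given CN and ISO dates; the signature is a placeholder."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, b"".join([
        _der(TAG_CONTEXT_0, _der(0x02, b"\x02")),                          # version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        name,                                                              # issuer
        _der(0x30, _der_time(not_before) + _der_time(not_after)),          # validity
        name,                                                              # subject
        _der(0x30, b""),                                                   # subjectPublicKeyInfo stub
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))         # no real signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (fake_cert_pem("Constructed Root A", "2016-03-17", "2021-03-17")
                 + fake_cert_pem("Constructed Intermediate B", "2020-01-01", "2021-06-01")
                 + fake_cert_pem("Constructed Root C", "2021-01-01", "2056-01-01"))

if __name__ == "__main__":
    for cn, status, until in audit_bundle(SAMPLE_BUNDLE, now=THREAD_DATE):
        print(f"{status:8} {until}  {cn}")
```

Run against the real le-certs bundle by reading the file and passing its text to audit_bundle with no `now`; anything reported as EXPIRING is the signal to refresh the package before `guix pull` starts failing for users without nss-certs. The same per-certificate check can be done with `openssl x509 -noout -enddate -in cert.pem` (or `-checkend <seconds>`) once the bundle is split into individual certificates.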