Subject: [bug#70451] [PATCH] gnu: system: Add nss-certs to %base-packages.
Date: Thu, 18 Apr 2024 11:07:06 +0100
To: 70451@debbugs.gnu.org
Cc: Fabio Natali, Josselin Poiret, Ludovic Courtès, Mathieu Othacehe
From: Fabio Natali via Guix-patches

* gnu/system.scm (%base-packages-networking): Add 'nss-certs'.
* gnu/installer/services.scm (%system-services): Remove the 'nss-certs' system service.
* doc/guix.texi (Using the Configuration System): Remove various 'nss-certs' occurrences as the package is now part of '%default-packages' already.
* doc/guix.texi (Web Services): Update to reflect that 'nss-certs' is part of '%default-packages'.
* doc/guix.texi (Certificates): Update to reflect that 'nss-certs' is part of '%default-packages'.
* gnu/system/examples/bare-bones.tmpl: Update to reflect that 'nss-certs' is part of '%default-packages'.
* gnu/system/examples/lightweight-desktop.tmpl: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/examples/raspberry-pi-64-nfs-root.tmpl: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/images/orangepi-r1-plus-lts-rk3328.scm: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/images/pine64.scm: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/install.scm: Remove 'nss-certs' as it is part of '%default-packages' already.

Change-Id: Icad8f5461e03c32c21c7ef715af6bd3a96eac5a9
---
Hi,

This is a little patch to add the 'nss-certs' certificates package to the list of '%default-packages'. This has been discussed in this email thread:

https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html

Thanks, best wishes, Fabio.
doc/guix.texi | 21 ++++++++++--------- gnu/installer/services.scm | 5 ----- gnu/system.scm | 2 ++ gnu/system/examples/bare-bones.tmpl | 5 ----- gnu/system/examples/lightweight-desktop.tmpl | 4 +--- .../examples/raspberry-pi-64-nfs-root.tmpl | 3 +-- .../images/orangepi-r1-plus-lts-rk3328.scm | 3 +-- gnu/system/images/pine64.scm | 3 +-- gnu/system/install.scm | 3 +-- 9 files changed, 18 insertions(+), 31 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index f4f21c4744..dc46ccf962 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17152,7 +17152,7 @@ Using the Configuration System (operating-system ;; ... (packages (append (map specification->package+output - '("nss-certs" "git" "git:send-email")) + '("git" "git:send-email")) %base-packages))) @end lisp @@ -17240,8 +17240,7 @@ Using the Configuration System as returned by the @command{blkid} command. @xref{Desktop Services}, for the exact list of services provided by -@code{%desktop-services}. @xref{X.509 Certificates}, for background -information about the @code{nss-certs} package that is used here. +@code{%desktop-services}. Again, @code{%desktop-services} is just a list of service objects. If you want to remove services from there, you can do so using the @@ -32457,9 +32456,11 @@ Web Services so that it can authenticate Git servers when communicating over HTTPS, and it assumes that @file{/etc/ssl/certs} contains those certificates. -Thus, make sure to add @code{nss-certs} or another certificate package to the -@code{packages} field of your configuration. @ref{X.509 Certificates}, for -more information on X.509 certificates. +The @code{nss-certs} certificate package is provided by default as part +@code{%base-packages}. Should you not be using @code{%base-packages}, +make sure that @code{nss-certs} (or a similar certificate package) is +added to the @code{packages} field of your configuration. @ref{X.509 +Certificates}, for more information on X.509 certificates. @end quotation @subsubheading gmnisrv 
@@ -41006,10 +41007,10 @@ X.509 Certificates is a set of CA certificates provided as part of Mozilla's Network Security Services. -Note that it is @emph{not} part of @code{%base-packages}, so you need to -explicitly add it. The @file{/etc/ssl/certs} directory, which is where -most applications and libraries look for certificates by default, points -to the certificates installed globally. +This package is part of @code{%base-packages}, so there's usually no +need to explicitly add it. The @file{/etc/ssl/certs} directory, which +is where most applications and libraries look for certificates by +default, points to the certificates installed globally. Unprivileged users, including users of Guix on a foreign distro, can also install their own certificate package in diff --git a/gnu/installer/services.scm b/gnu/installer/services.scm index 4dfed78785..1cb9dc579c 100644 --- a/gnu/installer/services.scm +++ b/gnu/installer/services.scm @@ -110,11 +110,6 @@ (define %system-services (name (G_ "Tor anonymous network router")) (type 'networking) (snippet '((service tor-service-type)))) - (system-service - (name (G_ "Mozilla NSS certificates, for HTTPS access")) - (type 'networking) - (packages '((specification->package "nss-certs"))) - (recommended? #t)) ;; Miscellaneous system administration services. (system-service diff --git a/gnu/system.scm b/gnu/system.scm index 9b5c96d0ad..91bce727a8 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -50,6 +50,7 @@ (define-module (gnu system) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages bash) + #:use-module (gnu packages certs) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) #:use-module (gnu packages firmware) 
@@ -925,6 +926,7 @@ (define %base-packages-networking ;; Default set of networking packages. (list inetutils isc-dhcp iproute + nss-certs wget ;; wireless-tools is deprecated in favor of iw, but it's still what ;; many people are familiar with, so keep it around. diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl index dc6aff5273..7b6a4b09b0 100644 --- a/gnu/system/examples/bare-bones.tmpl +++ b/gnu/system/examples/bare-bones.tmpl @@ -4,9 +4,6 @@ (use-modules (gnu)) (use-service-modules networking ssh) -;; If you want to use HTTPS, you most likely want to include -;; "certs" in the line below. Also read the comment about -;; "nss-certs" later in this file. (use-package-modules screen ssh) (operating-system @@ -46,8 +43,6 @@ %base-user-accounts)) ;; Globally-installed packages. - ;; Add "nss-certs" for Mozilla's approved CA certs. You would - ;; have to have included "certs" in use-package-modules above. (packages (cons screen %base-packages)) ;; Add services to the baseline: a DHCP client and an SSH diff --git a/gnu/system/examples/lightweight-desktop.tmpl b/gnu/system/examples/lightweight-desktop.tmpl index 4cb3c38311..f581a669c2 100644 --- a/gnu/system/examples/lightweight-desktop.tmpl +++ b/gnu/system/examples/lightweight-desktop.tmpl @@ -47,9 +47,7 @@ ratpoison i3-wm i3status dmenu emacs emacs-exwm emacs-desktop-environment ;; terminal emulator - xterm - ;; for HTTPS access - nss-certs) + xterm) %base-packages)) ;; Use the "desktop" services, which include the X11 diff --git a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl index 2203375270..7d1a9bf66e 100644 --- a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl +++ b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl 
@@ -56,8 +56,7 @@ (supplementary-groups '("wheel" "netdev" "audio" "video")) (home-directory "/home/pi")) %base-user-accounts)) - (packages (cons* nss-certs - openssh + (packages (cons* openssh %base-packages)) (services (cons* (service avahi-service-type) (service dhcp-client-service-type) diff --git a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm index eaaa12ba78..f871c63078 100644 --- a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm +++ b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm @@ -55,8 +55,7 @@ (define orangepi-r1-plus-lts-rk3328-barebones-os (term "vt100") (tty "ttyS2"))) (service dhcp-client-service-type) - (service ntp-service-type) %base-services)) - (packages (cons nss-certs %base-packages)))) + (service ntp-service-type) %base-services)))) (define orangepi-r1-plus-lts-rk3328-image-type (image-type (name 'orangepi-r1-plus-lts-rk3328-raw) diff --git a/gnu/system/images/pine64.scm b/gnu/system/images/pine64.scm index 3feb69764d..457ff4345f 100644 --- a/gnu/system/images/pine64.scm +++ b/gnu/system/images/pine64.scm @@ -59,8 +59,7 @@ (define pine64-barebones-os (tty "ttyS0"))) (service dhcp-client-service-type) (service ntp-service-type) - %base-services)) - (packages (cons nss-certs %base-packages)))) + %base-services)))) (define pine64-image-type (image-type diff --git a/gnu/system/install.scm b/gnu/system/install.scm index 371bfc2a63..0c9556e087 100644 --- a/gnu/system/install.scm +++ b/gnu/system/install.scm @@ -551,8 +551,7 @@ (define installation-os (list glibc ; for 'tzselect' & co. fontconfig font-dejavu font-gnu-unifont - grub ; mostly so xrefs to its manual work - nss-certs) ; To access HTTPS, use git, etc. + grub) ; mostly so xrefs to its manual work %installer-disk-utilities %base-packages)))) base-commit: 2126dab4cd81db4cbde4566d8c638e45a4c0077c -- 2.41.0
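Review bot: In the doc/guix.texi hunk for Web Services (@@ -32457,9 +32456,11), the added sentence "provided by default as part @code{%base-packages}" is missing a word and should read "as part of @code{%base-packages}". The same paragraph keeps "@ref{X.509 Certificates}, for more information" at the start of a sentence; the line removed from "Using the Configuration System" used @xref in that position, so @xref here would be consistent.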
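Review bot: In the doc/guix.texi hunk for X.509 Certificates (@@ -41006,10 +41007,10), "so there's usually no need to explicitly add it" does not say when it is still needed. The Web Services hunk spells the condition out ("Should you not be using @code{%base-packages}"); repeating it here would tell readers with a custom packages field that they still have to add a certificate package themselves for /etc/ssl/certs to be populated.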
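Review bot: The commit log and the cover note both name '%default-packages', but the gnu/system.scm hunk (@@ -925,6 +926,7) adds nss-certs to %base-packages-networking and the documentation hunks say %base-packages; the log entries should name the variable that is actually changed. Since the list is commented as "Default set of networking packages", a short comment next to nss-certs saying it is there for HTTPS certificate verification would explain why a CA bundle sits in it.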
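Review bot: In gnu/system/examples/bare-bones.tmpl both explanatory comments are deleted outright, while the log entry for this file says "Update to reflect that 'nss-certs' is part of '%default-packages'". After the change nothing in the template tells a reader where HTTPS certificates come from; a one-line comment above (packages (cons screen %base-packages)) noting that %base-packages provides nss-certs would match the log and warn anyone who replaces that list.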
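Review bot: In gnu/system/images/orangepi-r1-plus-lts-rk3328.scm and gnu/system/images/pine64.scm the whole (packages (cons nss-certs %base-packages)) field is dropped instead of being reduced to %base-packages, so both images now rely on the default value of the packages field to bring in nss-certs. The log only says "Remove 'nss-certs'"; it should state that the field default is relied on, or the hunks should keep an explicit (packages %base-packages) so the intent stays visible in the image definitions.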
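Review bot: The nss-certs symbol is removed from lightweight-desktop.tmpl, raspberry-pi-64-nfs-root.tmpl, both image files and gnu/system/install.scm, but none of these hunks touches the module imports of those files. If any of them lists certs in use-package-modules or #:use-module only for nss-certs, that import is now unused and should be dropped in the same patch.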