guix-devel

Re: `guix pull` over HTTPS


From: Ludovic Courtès
Subject: Re: `guix pull` over HTTPS
Date: Fri, 10 Feb 2017 16:33:43 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Leo Famulari <address@hidden> skribis:

> On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote:
>> Does anyone have any specific concerns or advice about changing the
>> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
>> Should the change be that simple, or should we do more?
>
> While testing, I realized that an X.509 certificate store is not a
> standard feature of GuixSD, so using Savannah's HTTPS URL will not work
> in all cases.
>
> SSL_CERT_FILE and SSL_CERT_DIR appear to be set unconditionally in (gnu
> system operating-system-environment-variables), so it's not enough to
> test that they are set in order to decide which protocol to download the
> Guix source code with.
>
> Any advice on how to proceed?

Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or
anything like that, on the grounds that the whole X.509 CA story is
completely broken IMO.  I wonder if we should revisit that, on the
grounds that “it’s better than nothing.”

The next question is what to do with foreign distros, and whether we
should bundle ‘nss-certs’ in the binary tarball, which is not exciting.

Alternately we could have a package that provides only the Let’s Encrypt
certificate chain, if that’s what Savannah uses.

Thoughts?

Ludo’.
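
An added example, not part of either message or of Guix's own code: a POSIX shell check for the point raised in the quoted message, that `SSL_CERT_FILE` and `SSL_CERT_DIR` being set does not mean a certificate store exists. The function names are hypothetical, and it assumes `SSL_CERT_DIR` names a single directory holding PEM-encoded certificates.

```shell
#!/bin/sh
# Added example (hypothetical helper names): classify the X.509 trust store
# named by SSL_CERT_FILE / SSL_CERT_DIR instead of only testing that the
# variables are set.

# has_pem_cert FILE: true if FILE is readable and holds a PEM certificate marker.
has_pem_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# cert_store_status prints one of:
#   unset          neither variable is set
#   usable         a variable points at actual certificate data
#   set-but-empty  a variable is set, but nothing usable is behind it
cert_store_status() {
    if [ -z "${SSL_CERT_FILE:-}" ] && [ -z "${SSL_CERT_DIR:-}" ]; then
        echo unset
        return 0
    fi
    if [ -n "${SSL_CERT_FILE:-}" ] && has_pem_cert "$SSL_CERT_FILE"; then
        echo usable
        return 0
    fi
    # Assumption: SSL_CERT_DIR is one directory, not a colon-separated list.
    if [ -n "${SSL_CERT_DIR:-}" ] && [ -d "$SSL_CERT_DIR" ]; then
        for f in "$SSL_CERT_DIR"/*; do
            # -f follows symlinks, so dangling hash links are skipped.
            if [ -f "$f" ] && has_pem_cert "$f"; then
                echo usable
                return 0
            fi
        done
    fi
    echo set-but-empty
}

# Constructed demo: both variables set, but the directory is empty and the
# bundle file does not exist. Prints "set-but-empty".
demo_dir=$(mktemp -d)
(
    SSL_CERT_FILE="$demo_dir/ca-certificates.crt"
    SSL_CERT_DIR="$demo_dir"
    export SSL_CERT_FILE SSL_CERT_DIR
    cert_store_status
)
rm -rf "$demo_dir"
```

The check only confirms that certificate data is present; whether the store contains the issuer of a given server's certificate is still decided during the TLS handshake.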


