Re: `guix pull` over HTTPS

[Bob Proulx]

Leo Famulari wrote:
> GNU Guix is discussing the possibilities created by Savannah's
> offering of Git-over-HTTPS:
...
> If anyone from Savannah has anything to add to the discussion, feel
> free to jump in :)

Thanks for the invite!  I'll jump in. :-)

I am not subscribed.  Please CC me on anything you want me to see.
Although I will check back periodically it won't be timely.

I see many things over multiple messages.  I will try to coalesce
several things here in one place.

> The Savannah admins have been working tirelessly to improve the Savannah
> infrastructure, and they will soon announce the public availability of
> Git served over HTTPS. [1]

I think things are working pretty solidly.  After having previously
needed several flip-flops back and forth I think things are going to
stick in the current configuration now.  Haven't had any new
showstopper problem reports recently and I think by now there would
have been reports if something was significantly problematic.

I need to write up a more official announcement but I think it is safe
to rely upon using the current git over https configuration.

Ludovic Courtès wrote:
> Alternately we could have a package that provides only the Let’s
> Encrypt certificate chain, if that’s what Savannah uses.

Yes.  Previously the FSF furnished purchased static certificates
yearly but with this migration we are now using Let's Encrypt on all
of the Savannah servers.

As you know Let's Encrypt have a maximum expiration of three months.
The typical renewal schedule is to check daily and renew after two
months giving a month of schedule exposure to ensure renewal before
expiration.  In practice this means the certificates are renewed and
updated every two months.

There have been problems elsewhere with people pinning certificates on
their client and then finding that every two months they get a
certificate change notice.  With Let's Encrypt that is every two
months but even with the previous commercial authority that change
occurred every year.

Marius Bakke wrote:
> I think pinning the public key could work, if the Savannah
> administrators are aware of it. But we'd need a reliable fallback
> mechanism in case the private key needs to be updated.

As you note the are both advantages and disadvantages to certificate
pinning.  At the moment we are not planning on implementing pinning.
This is not a permanent statement.  Just the current state of things
at this time.  Continuous incremental improvement is happening.

Ludovic Courtès wrote:
> Agreed, let’s improve things incrementally.

That is a good summary of my own philosophy too.

> But as you write, the eventual goal is to authenticate the code rather
> the server, which will provide much better assurance.

As a long time user of a distro that does that I agree completely and
would like to encourage this.  And of course then it would work on
other transports such as physical media and other paths. :-)

Bob

signature.asc
Description: PGP signature