
Re: `guix pull` over HTTPS


From: Ludovic Courtès
Subject: Re: `guix pull` over HTTPS
Date: Mon, 06 Mar 2017 11:06:13 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hi!

Marius Bakke <address@hidden> writes:

> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <address@hidden>
> Date: Tue, 28 Feb 2017 22:34:29 +0100
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
>   search string for certificates.
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Verify against the store path of NSS-CERTS.
> ---
>  guix/build/download.scm | 7 +++++--
>  guix/scripts/pull.scm   | 8 ++++++--
>  2 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/guix/build/download.scm b/guix/build/download.scm
> index 203338b52..88da1776f 100644
> --- a/guix/build/download.scm
> +++ b/guix/build/download.scm
> @@ -342,13 +342,16 @@ way."
>  
>  (define* (tls-wrap port server #:key (verify-certificate? #t))
>    "Return PORT wrapped in a TLS connection to SERVER.  SERVER must be a DNS
> -host name without trailing dot."
> +host name without trailing dot.  If VERIFY-CERTIFICATE? is a string, it is
> +assumed to be the search path for TLS certificates passed to gnutls."
>    (define (log level str)
>      (format (current-error-port)
>              "gnutls: [~a|~a] ~a" (getpid) level str))
>  
>    (let ((session  (make-session connection-end/client))
> -        (ca-certs (%x509-certificate-directory)))
> +        (ca-certs (if (string? verify-certificate?)
> +                      verify-certificate?
> +                      (%x509-certificate-directory))))
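Review bot: overloading `verify-certificate?` so that a string means both "verify" and "use this directory" (the new `ca-certs` binding at the end of the hunk) couples two independent settings: a caller can no longer choose the trust directory without also deciding the verification flag through the same value, and a non-boolean value in a predicate-style keyword is easy to misread. The docstring also calls the string "the search path for TLS certificates", while the code passes it as the single directory that `(%x509-certificate-directory)` previously supplied. Suggest a dedicated keyword, e.g. `(certificate-directory (%x509-certificate-directory))`, keep `verify-certificate?` strictly boolean, and word the docstring as "directory" rather than "search path".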

Nitpick: I would prefer to use a different argument for the certificate
directory.  Something like this:

  (define* (tls-wrap port server #:key (verify-certificate? #t)
                                 (certificate-directory
                                  (%x509-certificate-directory)))
    …)

Also the ‘guix pull’ part should be a separate patch.

Great work, thank you!

Ludo’.


