guix-devel

Re: `guix pull` over HTTPS


From: Marius Bakke
Subject: Re: `guix pull` over HTTPS
Date: Mon, 06 Mar 2017 13:27:47 +0100
User-agent: Notmuch/0.23.7 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Ludovic Courtès <address@hidden> writes:

> Hi!
>
> Marius Bakke <address@hidden> skribis:
>
>> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <address@hidden>
>> Date: Tue, 28 Feb 2017 22:34:29 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
>>   search string for certificates.
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Verify against the store path of NSS-CERTS.
>> ---
>>  guix/build/download.scm | 7 +++++--
>>  guix/scripts/pull.scm   | 8 ++++++--
>>  2 files changed, 11 insertions(+), 4 deletions(-)
>>
>> diff --git a/guix/build/download.scm b/guix/build/download.scm
>> index 203338b52..88da1776f 100644
>> --- a/guix/build/download.scm
>> +++ b/guix/build/download.scm
>> @@ -342,13 +342,16 @@ way."
>>  
>>  (define* (tls-wrap port server #:key (verify-certificate? #t))
>>    "Return PORT wrapped in a TLS connection to SERVER.  SERVER must be a DNS
>> -host name without trailing dot."
>> +host name without trailing dot.  If VERIFY-CERTIFICATE? is a string, it is
>> +assumed to be the search path for TLS certificates passed to gnutls."
>>    (define (log level str)
>>      (format (current-error-port)
>>              "gnutls: [~a|~a] ~a" (getpid) level str))
>>  
>>    (let ((session  (make-session connection-end/client))
>> -        (ca-certs (%x509-certificate-directory)))
>> +        (ca-certs (if (string? verify-certificate?)
>> +                      verify-certificate?
>> +                      (%x509-certificate-directory))))
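
Review bot: the hunk gives VERIFY-CERTIFICATE? two meanings at once: it stays the boolean that decides whether the peer certificate is checked, and when it is a string it also becomes the directory from which the trust anchors are loaded. Any string is true in Scheme, so a caller supplying a directory always gets verification, which is the default wanted here, but a caller can no longer combine an explicit directory with `#:verify-certificate? #f`, and the new docstring's "search path for TLS certificates" overstates what the binding does, since the value simply replaces the single directory returned by `(%x509-certificate-directory)` in `ca-certs`. A separate keyword such as `#:certificate-directory` with `(%x509-certificate-directory)` as its default would keep the boolean a boolean; the docstring should then say "directory" rather than "search path".
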
>
> Nitpick: I would prefer to use a different argument for the certificate
> directory.  Something like this:
>
>   (define* (tls-wrap port server #:key (verify-certificate? #t)
>                                  (certificate-directory
>                                   (%x509-certificate-directory)))
>     …)
>
> Also the ‘guix pull’ part should be a separate patch.
>
> Great work, thank you!

Hello!

Please see https://debbugs.gnu.org/cgi/bugreport.cgi?bug=25975

... for the latest version of this patch.

Attachment: signature.asc
Description: PGP signature
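For readers following the design point raised in this thread, the following is an added example, not code from Guix or from either participant: a `tls-wrap` variant that keeps `verify-certificate?` a boolean and takes the CA directory as a separate `#:certificate-directory` keyword, as the nitpick suggests. It uses the guile-gnutls bindings (`make-session`, `set-certificate-credentials-x509-trust-directory!`, `peer-certificate-status`, `session-peer-certificate-chain`, `x509-certificate-matches-hostname?`); the local `x509-certificate-directory` procedure is a stand-in for Guix's `%x509-certificate-directory` and `https-status-line` is a hypothetical helper that exercises the wrapper over a plain socket. `set-session-server-name!` is assumed to be available, which requires a gnutls build with SNI support.

```scheme
;; Added example, not Guix code.  tls-wrap with a separate CERTIFICATE-DIRECTORY
;; keyword so that VERIFY-CERTIFICATE? remains a plain boolean.
(use-modules (gnutls)
             (ice-9 match)
             (ice-9 format)
             (ice-9 rdelim))

(define (x509-certificate-directory)
  ;; Stand-in for Guix's %x509-certificate-directory (assumption): honour
  ;; SSL_CERT_DIR and fall back to a common system location.
  (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs"))

(define (peer-certificate session)
  "Return the leaf certificate presented by the peer of SESSION."
  (match (session-peer-certificate-chain session)
    ((leaf _ ...)
     (import-x509-certificate leaf x509-certificate-format/der))))

(define (assert-valid-server-certificate session server)
  "Raise 'tls-certificate-error unless the peer of SESSION presented a
certificate that chains to a trust anchor and names SERVER."
  (match (peer-certificate-status session)
    (()
     ;; Chain is trusted; still confirm the certificate is for SERVER, since
     ;; a valid certificate for some other host must not be accepted.
     (unless (x509-certificate-matches-hostname? (peer-certificate session) server)
       (throw 'tls-certificate-error 'host-mismatch server)))
    ((statuses ...)
     (throw 'tls-certificate-error 'invalid-certificate server statuses))))

(define* (tls-wrap port server
                   #:key
                   (verify-certificate? #t)
                   (certificate-directory (x509-certificate-directory)))
  "Return PORT wrapped in a TLS connection to SERVER.  SERVER must be a DNS
host name without trailing dot.  When VERIFY-CERTIFICATE? is true, the peer
certificate is verified against the PEM certificates in CERTIFICATE-DIRECTORY
and the connection is refused if verification fails."
  (let ((session (make-session connection-end/client))
        (cred    (make-certificate-credentials)))
    ;; Loading the trust anchors is harmless even when verification is off;
    ;; the boolean alone decides whether the result is enforced below.
    (set-certificate-credentials-x509-trust-directory!
     cred certificate-directory x509-certificate-format/pem)
    (set-session-credentials! session cred)
    (set-session-default-priority! session)
    ;; SNI, so the server presents the certificate for SERVER.
    (set-session-server-name! session server-name-type/dns server)
    (set-session-transport-fd! session (fileno port))
    (handshake session)
    (when verify-certificate?
      (assert-valid-server-certificate session server))
    (session-record-port session)))

(define* (https-status-line host path #:key (certificate-directory
                                             (x509-certificate-directory)))
  "Hypothetical helper: fetch PATH from HOST over HTTPS and return the HTTP
status line, verifying the server against CERTIFICATE-DIRECTORY."
  (let* ((ai   (car (getaddrinfo host "https")))
         (sock (socket (addrinfo:fam ai) (addrinfo:socktype ai)
                       (addrinfo:protocol ai))))
    (connect sock (addrinfo:addr ai))
    (let ((tls (tls-wrap sock host
                         #:certificate-directory certificate-directory)))
      (format tls "GET ~a HTTP/1.1\r\nHost: ~a\r\nConnection: close\r\n\r\n"
              path host)
      (force-output tls)
      (read-line tls))))

;; Usage: (https-status-line "git.savannah.gnu.org" "/")
```

With the two concerns split, a caller that wants the store path of a certificate bundle, as the `guix pull` side of the patch does, passes it through `#:certificate-directory`, and `#:verify-certificate? #f` keeps its original, unambiguous meaning.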

