`guix pull` over HTTPS

[Leo Famulari]

Currently, the default source for `guix pull` is
<http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz>.

It's suboptimal to download the Guix source code over HTTP, since the
data can be mutated and recorded in transit. [0]

The Savannah admins have been working tirelessly to improve the Savannah
infrastructure, and they will soon announce the public availability of
Git served over HTTPS. [1]

HTTPS is not a security panacea but, in my opinion, we should use it if
it's available, at least until `guix pull` can verify commit signatures.

However, it's a little harder to get right than HTTP. For example, `guix
pull` could fail if there is a problem with the user's certificate
store, or if their clock is wrong.

Does anyone have any specific concerns or advice about changing the
value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
Should the change be that simple, or should we do more?

The attached patch works for me on a foreign distro when SSL_CERT_DIR
and SSL_CERT_FILE are set as described in the manual (section 7.2.9
X.509 Certificates) and GnuTLS-Guile is available in my environment.

[0] Discussion of the general problems with `guix pull`:
http://bugs.gnu.org/22883

[1]
http://lists.gnu.org/archive/html/savannah-hackers-public/2017-02/msg00034.html

0001-pull-Download-GNU-Guix-with-HTTPS.patch
Description: Text document

signature.asc
Description: PGP signature