Re: `guix pull` over HTTPS
From: Ludovic Courtès
Subject: Re: `guix pull` over HTTPS
Date: Fri, 10 Feb 2017 16:29:31 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Hi Leo!
Leo Famulari <address@hidden> writes:
> HTTPS is not a security panacea but, in my opinion, we should use it if
> it's available, at least until `guix pull` can verify commit signatures.
Agreed. At least it prevents eavesdropping and allows us to
authenticate the server (assuming the CA is trustworthy).
But as you write, the eventual goal is to authenticate the code rather
than the server, which will provide much better assurance.
> However, it's a little harder to get right than HTTP. For example, `guix
> pull` could fail if there is a problem with the user's certificate
> store, or if their clock is wrong.
>
> Does anyone have any specific concerns or advice about changing the
> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
> Should the change be that simple, or should we do more?
I think it should be this simple.
Of course there will be issues with people having the wrong SSL_CERT_DIR
& co. settings. Also that means Guile-GnuTLS becomes a hard dependency,
which I think is fine.
Thanks,
Ludo’.