[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: `guix pull` over HTTPS
|
From: |
Marius Bakke |
|
Subject: |
Re: `guix pull` over HTTPS |
|
Date: |
Tue, 28 Feb 2017 22:44:21 +0100 |
|
User-agent: |
Notmuch/0.23.5 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu) |
Marius Bakke <address@hidden> writes:
>>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
>>> pull` to know to use the le-certs bundle when pulling from
>>> %snapshot-url. For other URLs, users will have to take care of it
>>> themselves.
>>
>> This sounds like a better approach. Also, I did not see this email
>> before sending the patch! If you package it up, I can look into
>> realizing the package in `guix pull` directly.
>
> I gave this a go using "nss-certs", but can't figure out how to set
> SSL_CERT_DIR (or GUIX_TLS_CERTIFICATE_DIRECTORY) in `guix pull`. The
> naive approach of setting the variable before calling
> "download-to-store" does not work because %x509-certificate-directory
> has already been evaluated.
>
> I wonder what's the best approach here. Parameterizing this and
> propagating it all the way down to (tls-wrap) similar to
> #:verify-certificate? could work, but seems awkward. Any suggestions?
I made it work with the attached hack. It breaks all conventions by
allowing #:verify-certificate? to be a search path for certificates.
If it wasn't for the implied boolean nature of "#:verify-certificate?" I
would be happy with this solution. But I think setting the
GUIX_TLS_CERTIFICATE_DIRECTORY environment variable before pulling in
(guix download) would be better.
signature.asc
Description: PGP signature
>From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
From: Marius Bakke <address@hidden>
Date: Tue, 28 Feb 2017 22:34:29 +0100
Subject: [PATCH] pull: Default to HTTPS.
* guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
search string for certificates.
* guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
(guix-pull): Verify against the store path of NSS-CERTS.
---
guix/build/download.scm | 7 +++++--
guix/scripts/pull.scm | 8 ++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/guix/build/download.scm b/guix/build/download.scm
index 203338b52..88da1776f 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -342,13 +342,16 @@ way."
(define* (tls-wrap port server #:key (verify-certificate? #t))
"Return PORT wrapped in a TLS connection to SERVER. SERVER must be a DNS
-host name without trailing dot."
+host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it is
+assumed to be the search path for TLS certificates passed to gnutls."
(define (log level str)
(format (current-error-port)
"gnutls: [~a|~a] ~a" (getpid) level str))
(let ((session (make-session connection-end/client))
- (ca-certs (%x509-certificate-directory)))
+ (ca-certs (if (string? verify-certificate?)
+ verify-certificate?
+ (%x509-certificate-directory))))
;; Some servers such as 'cloud.github.com' require the client to support
;; the 'SERVER NAME' extension. However, 'set-session-server-name!' is
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index a4824e4fd..402332192 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -30,6 +30,7 @@
#:use-module ((guix build utils)
#:select (with-directory-excursion delete-file-recursively))
#:use-module (gnu packages base)
+ #:use-module ((gnu packages certs) #:select (nss-certs))
#:use-module (gnu packages guile)
#:use-module ((gnu packages bootstrap)
#:select (%bootstrap-guile))
@@ -45,7 +46,7 @@
(define %snapshot-url
;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download";
- "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz";
+ "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz";
)
(define-syntax-rule (with-environment-variable variable value body ...)
@@ -224,8 +225,11 @@ contained therein."
(with-error-handling
(let* ((opts (parse-options))
(store (open-connection))
+ (certs (string-append (package-output store nss-certs)
+ "/etc/ssl/certs"))
(url (assoc-ref opts 'tarball-url)))
- (let ((tarball (download-to-store store url "guix-latest.tar.gz")))
+ (let ((tarball (download-to-store store url "guix-latest.tar.gz"
+ #:verify-certificate? certs)))
(unless tarball
(leave (_ "failed to download up-to-date source, exiting\n")))
(parameterize ((%guile-for-build
--
2.12.0
- Re: `guix pull` over HTTPS, (continued)
- Re: `guix pull` over HTTPS, ng0, 2017/02/10
- Re: `guix pull` over HTTPS, Ludovic Courtès, 2017/02/11
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/11
- Re: `guix pull` over HTTPS, Ricardo Wurmus, 2017/02/11
- Re: `guix pull` over HTTPS, Ludovic Courtès, 2017/02/12
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS,
Marius Bakke <=
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/28
- [PATCH] pull: Use HTTPS by default., Marius Bakke, 2017/02/28
- Re: [PATCH] pull: Use HTTPS by default., Leo Famulari, 2017/02/28
Re: `guix pull` over HTTPS, Christopher Allan Webber, 2017/02/10
Re: `guix pull` over HTTPS, Ludovic Courtès, 2017/02/10
Re: `guix pull` over HTTPS, Bob Proulx, 2017/02/13