Re: `guix pull` over HTTPS
From: Ludovic Courtès
Subject: Re: `guix pull` over HTTPS
Date: Mon, 06 Mar 2017 11:06:13 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Hi!
Marius Bakke <address@hidden> writes:
> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <address@hidden>
> Date: Tue, 28 Feb 2017 22:34:29 +0100
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
> search string for certificates.
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Verify against the store path of NSS-CERTS.
> ---
> guix/build/download.scm | 7 +++++--
> guix/scripts/pull.scm | 8 ++++++--
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/guix/build/download.scm b/guix/build/download.scm
> index 203338b52..88da1776f 100644
> --- a/guix/build/download.scm
> +++ b/guix/build/download.scm
> @@ -342,13 +342,16 @@ way."
>
> (define* (tls-wrap port server #:key (verify-certificate? #t))
> "Return PORT wrapped in a TLS connection to SERVER. SERVER must be a DNS
> -host name without trailing dot."
> +host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it is
> +assumed to be the search path for TLS certificates passed to gnutls."
> (define (log level str)
> (format (current-error-port)
> "gnutls: [~a|~a] ~a" (getpid) level str))
>
> (let ((session (make-session connection-end/client))
> - (ca-certs (%x509-certificate-directory)))
> + (ca-certs (if (string? verify-certificate?)
> + verify-certificate?
> + (%x509-certificate-directory))))
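Review bot: The new docstring text "the search path for TLS certificates passed to gnutls" does not match what the binding does: the string replaces `(%x509-certificate-directory)` as the value of `ca-certs`, i.e. it is a single certificate directory, not a search path, so a caller reading the docstring might pass a colon-separated list and get no trust anchors at all. Say "directory" in the docstring, and rather than letting the type of `verify-certificate?` decide its meaning (boolean switch vs. location), give the directory its own keyword argument with `(%x509-certificate-directory)` as the default, so "whether to verify" and "where to look for CAs" stay independent and `#:verify-certificate? #f` keeps its one meaning.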
Nitpick: I would prefer to use a different argument for the certificate
directory. Something like this:
(define* (tls-wrap port server #:key (verify-certificate? #t)
                   (certificate-directory
                    (%x509-certificate-directory)))
  …)
Also the ‘guix pull’ part should be a separate patch.
Great work, thank you!
Ludo’.
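As an added example, not code from the patch above or from Guix itself: a `tls-wrap` with the separate `#:certificate-directory` keyword suggested in the reply, the verification step that such a wrapper needs, and a caller that points it at a specific certificate directory the way `guix pull` would with the nss-certs store path. The GnuTLS procedure names are those of the Guile-GnuTLS bindings as the editor remembers them, and `https-connect` and `nss-certs-directory` are hypothetical names; treat all of these as assumptions rather than as the project's API.

```scheme
;; Added example, not from the Guix patch or the Guix tree.  The
;; (gnutls) procedure names are assumed to be those of Guile-GnuTLS.
(use-modules (gnutls)
             (srfi srfi-34)
             (srfi srfi-35))

;; Raised when the peer certificate does not chain to a trusted CA in
;; the given directory, or does not name the host we connected to.
(define-condition-type &tls-certificate-error &error
  tls-certificate-error?
  (host   tls-certificate-error-host)
  (status tls-certificate-error-status))

(define (%x509-certificate-directory)
  ;; Same convention as the patched function's default: honour
  ;; SSL_CERT_DIR, otherwise fall back to the conventional location.
  (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs"))

(define (assert-valid-server-certificate session server)
  "Raise &tls-certificate-error unless the peer certificate of SESSION
verifies against the session's trust store and matches SERVER."
  ;; A non-empty status list means at least one verification failure
  ;; (expired, untrusted issuer, revoked, ...).
  (let ((status (peer-certificate-status session)))
    (unless (null? status)
      (raise (condition (&tls-certificate-error
                         (host server) (status status))))))
  ;; Chaining to a CA is not enough: the certificate must also be for
  ;; the host we asked for, otherwise any cert from the store passes.
  (unless (x509-certificate-matches-hostname?
           (session-peer-certificate session) server)
    (raise (condition (&tls-certificate-error
                       (host server) (status '(hostname-mismatch)))))))

(define* (tls-wrap port server
                   #:key
                   (verify-certificate? #t)
                   (certificate-directory (%x509-certificate-directory)))
  "Return PORT wrapped in a TLS connection to SERVER.  When
VERIFY-CERTIFICATE? is true, the peer certificate must chain to one of
the PEM certificates in CERTIFICATE-DIRECTORY and name SERVER.  The two
keywords are independent: the directory is always a directory, and the
switch is always a boolean."
  (let ((session (make-session connection-end/client))
        (cred    (make-certificate-credentials)))
    (set-session-server-name! session server-name-type/dns server)
    (set-session-transport-fd! session (fileno port))
    (set-session-default-priority! session)
    ;; Load the trust anchors only from the directory we were given;
    ;; a missing directory means no anchors, so verification fails
    ;; closed rather than silently trusting everything.
    (when (file-exists? certificate-directory)
      (set-certificate-credentials-x509-trust-directory!
       cred certificate-directory x509-certificate-format/pem))
    (set-session-credentials! session cred)
    (handshake session)
    (when verify-certificate?
      (assert-valid-server-certificate session server))
    (session-record-port session)))

;; Hypothetical caller, in the spirit of the pull.scm half of the patch:
;; NSS-CERTS-DIRECTORY would be the etc/ssl/certs directory of the
;; nss-certs store item.  This opens a real network connection.
(define (https-connect host nss-certs-directory)
  (let* ((ai   (car (getaddrinfo host "https")))
         (sock (socket (addrinfo:fam ai) SOCK_STREAM 0)))
    (connect sock (addrinfo:addr ai))
    (tls-wrap sock host
              #:verify-certificate? #t
              #:certificate-directory nss-certs-directory)))
```

With this shape, a caller that wants the system trust store simply omits `#:certificate-directory`, a caller that wants the nss-certs store path passes it explicitly, and `#:verify-certificate? #f` still means only one thing; none of those three cases depends on the type of a single argument.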