While testing Nicolas's patch "Update giac-xcas", I found that `guix download` accepts expired TLS certificates.
I tried visiting the upstream site in order to verify the hash of the updated package, and my browsers (Firefox and Chromium) warned me that the site's certificate had expired ~1 day ago. However, `guix build -S` did not warn me or prevent me from downloading the source code. Perhaps it doesn't matter for the case of `guix build -S`, since we already know what we expect to download. But, for `guix download`, this is a bug.  http://lists.gnu.org/archive/html/guix-devel/2016-09/msg01460.html
Description: PGP signature