Hi,

zimoun <[email protected]> writes:

> On Thu, 16 Sep 2021 at 09:33, zimoun <[email protected]> wrote:
>> On Tue, 27 Feb 2018 at 17:00, [email protected] (Ludovic Courtès) wrote:
>>> Andreas Enge <[email protected]> writes:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs
>>> "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook. We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]? Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed. But I am not sure
> to get it right about this TLS story. So closing?

The Cuirass Shepherd service still does:

  #:environment-variables
  (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

which means that users still need to install certificates globally.

Now, whether it’s an issue, I don’t know. Maybe we can close?

Thanks,
Ludo’.
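
A preflight check for the dependency discussed in this thread, as an added example that is not part of the original message or of Cuirass: given a `GIT_SSL_CAINFO=…` assignment such as the one quoted above, it reports whether that path holds a usable PEM bundle. The function names and status strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Cuirass code): check that the CA bundle a service is
# told to use through GIT_SSL_CAINFO is actually present on the host.
# Function names and status strings are hypothetical.

# Print the path from a "GIT_SSL_CAINFO=/path" assignment; fail otherwise.
ca_bundle_path() {
    case "$1" in
        GIT_SSL_CAINFO=?*) printf '%s\n' "${1#GIT_SSL_CAINFO=}" ;;
        *) return 1 ;;
    esac
}

# Print one of: unset, missing, empty, ok:<number of certificates>.
# Exit status is 0 only for "ok".
ca_bundle_status() {
    path=$(ca_bundle_path "$1") || { echo "unset"; return 2; }

    # [ -r ] follows symlinks, so a dangling link (for example a link
    # into a profile that no longer provides certificates) is "missing".
    [ -r "$path" ] || { echo "missing"; return 3; }

    # grep -c prints 0 and exits 1 when nothing matches; keep the count.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
    [ "$count" -gt 0 ] || { echo "empty"; return 4; }

    echo "ok:$count"
}

# Stand-alone use: pass the assignment as the first argument, e.g.
#   sh check-ca.sh "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt"
[ "$#" -eq 0 ] || ca_bundle_status "$1"
```

A result of `missing` or `empty` on the build host means no usable bundle exists at the path the service points Git at.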
