Ludovic Courtès writes:
> Hi!
>
> Marius Bakke writes:
>
>> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Tue, 28 Feb 2017 22:34:29 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
Hi!
Marius Bakke writes:
> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Tue, 28 Feb 2017 22:34:29 +0100
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/build/download.scm (tls-wrap): Allow
Leo Famulari skribis:
> On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote:
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY parameter.
>> (open-connection-for-uri): Adjust parameters to match.
>>
Leo Famulari writes:
> On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote:
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY parameter.
>> (open-connection-for-uri): Adjust parameters to match.
>>
On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote:
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY parameter.
> (open-connection-for-uri): Adjust parameters to match.
> (http-fetch): Likewise.
> (url-fetch): Likewise.
> *
Marius Bakke writes:
> Marius Bakke writes:
>
>> @@ -224,8 +225,11 @@ contained therein."
>>(with-error-handling
>> (let* ((opts (parse-options))
>> (store (open-connection))
>> + (certs (string-append (package-output
On Wed, Mar 01, 2017 at 12:05:57AM +0100, Marius Bakke wrote:
> The ISRG trust chain is supported by NSS since 3.26[0] and Firefox 50.
>
> [0] https://bugzilla.mozilla.org/show_bug.cgi?id=1204656
>
> As long as the ISRG chain works with all software in Guix, I don't see a
> reason to include the
Leo Famulari writes:
> On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
>> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
>> for `guix download`, but having just the one file in SSL_CERT_DIR does.
>> That's good enough for me! Could you
Marius Bakke writes:
> @@ -224,8 +225,11 @@ contained therein."
>(with-error-handling
> (let* ((opts (parse-options))
> (store (open-connection))
> + (certs (string-append (package-output store nss-certs)
> +
Marius Bakke writes:
>>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
>>> pull` to know to use the le-certs bundle when pulling from
>>> %snapshot-url. For other URLs, users will have to take care of it
>>> themselves.
>>
>> This sounds like a
>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
>> pull` to know to use the le-certs bundle when pulling from
>> %snapshot-url. For other URLs, users will have to take care of it
>> themselves.
>
> This sounds like a better approach. Also, I did not see this email
>
Leo Famulari writes:
> On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
>> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
>> for `guix download`, but having just the one file in SSL_CERT_DIR does.
>> That's good enough for me! Could you
On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
> for `guix download`, but having just the one file in SSL_CERT_DIR does.
> That's good enough for me! Could you make this into a Guix package?
I plan to make a
Leo Famulari writes:
> On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
>> Marius Bakke writes:
>> > I think having a separate 'le-certs' package that can verify the Let's
>> > Encrypt chain sounds like the easiest option. Presumably new
On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
> Marius Bakke writes:
> > I think having a separate 'le-certs' package that can verify the Let's
> > Encrypt chain sounds like the easiest option. Presumably new
> > intermediates etc will be known well in
Leo Famulari wrote:
> GNU Guix is discussing the possibilities created by Savannah's
> offering of Git-over-HTTPS:
...
> If anyone from Savannah has anything to add to the discussion, feel
> free to jump in :)
Thanks for the invite! I'll jump in. :-)
I am not subscribed. Please CC me on
Ricardo Wurmus writes:
> Leo Famulari writes:
>
>> However, I think that pulling code over HTTPS using a certificate store
>> like nss-certs or from the host distro is a huge improvement over what
>> we have now. If we can do that sooner, we should.
>
>
Leo Famulari writes:
> However, I think that pulling code over HTTPS using a certificate store
> like nss-certs or from the host distro is a huge improvement over what
> we have now. If we can do that sooner, we should.
I agree. If it’s easy to make the “le-certs” idea
On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
> Marius Bakke writes:
> > I think pinning the public key could work, if the Savannah
> > administrators are aware of it. But we'd need a reliable fallback
> > mechanism in case the private key needs to be
Marius Bakke writes:
> Ludovic Courtès writes:
>
>> Marius Bakke writes:
[...]
>>> If the private key used on https://git.savannah.gnu.org/ is static, one
>>> option would be to "pin" the corresponding public key. However, some LE
>>>
On 17-02-10 23:43:45, Marius Bakke wrote:
> Ludovic Courtès writes:
>
> > Marius Bakke writes:
> >
> >> Ludovic Courtès writes:
> >>
> >>> Leo Famulari writes:
> >>>
> >
> > [...]
> >
> >>> Initially, I didn’t want to have
Ludovic Courtès writes:
> Marius Bakke writes:
>
>> Ludovic Courtès writes:
>>
>>> Leo Famulari writes:
>>>
>
> [...]
>
>>> Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or
>>> anything like that, on the
Marius Bakke writes:
> Ludovic Courtès writes:
>
>> Leo Famulari writes:
>>
[...]
>> Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or
>> anything like that, on the grounds that the whole X.509 CA story is
>>
Leo Famulari writes:
> On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote:
>> Does anyone have any specific concerns or advice about changing the
>> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
>> Should the change be that simple, or should we do more?
>
> While
Ludovic Courtès writes:
> Leo Famulari writes:
>
>> On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote:
>>> Does anyone have any specific concerns or advice about changing the
>>> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
Leo Famulari writes:
> On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote:
>> Does anyone have any specific concerns or advice about changing the
>> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
>> Should the change be that simple, or should
Hi Leo!
Leo Famulari writes:
> HTTPS is not a security panacea but, in my opinion, we should use it if
> it's available, at least until `guix pull` can verify commit signatures.
Agreed. At least it prevents eavesdropping and allows us to
authenticate the server (assuming
On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote:
> Does anyone have any specific concerns or advice about changing the
> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
> Should the change be that simple, or should we do more?
While testing, I realized that an