Re: `guix pull` over HTTPS

2017-03-06 Thread Marius Bakke
Ludovic Courtès writes: > Hi! > > Marius Bakke skribis: > >> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001 >> From: Marius Bakke >> Date: Tue, 28 Feb 2017 22:34:29 +0100 >> Subject: [PATCH] pull: Default to HTTPS.

Re: `guix pull` over HTTPS

2017-03-06 Thread Ludovic Courtès
Hi! Marius Bakke skribis: > From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001 > From: Marius Bakke > Date: Tue, 28 Feb 2017 22:34:29 +0100 > Subject: [PATCH] pull: Default to HTTPS. > > * guix/build/download.scm (tls-wrap): Allow

Re: `guix pull` over HTTPS

2017-03-06 Thread Ludovic Courtès
Leo Famulari skribis: > On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote: >> Subject: [PATCH] pull: Default to HTTPS. >> >> * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY parameter. >> (open-connection-for-uri): Adjust parameters to match. >>

Re: `guix pull` over HTTPS

2017-03-01 Thread Marius Bakke
Leo Famulari writes: > On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote: >> Subject: [PATCH] pull: Default to HTTPS. >> >> * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY parameter. >> (open-connection-for-uri): Adjust parameters to match. >>

Re: `guix pull` over HTTPS

2017-02-28 Thread Leo Famulari
On Wed, Mar 01, 2017 at 03:36:11AM +0100, Marius Bakke wrote: > Subject: [PATCH] pull: Default to HTTPS. > > * guix/build/download.scm (tls-wrap): Add CERTIFICATE-DIRECTORY parameter. > (open-connection-for-uri): Adjust parameters to match. > (http-fetch): Likewise. > (url-fetch): Likewise. > *

Re: `guix pull` over HTTPS

2017-02-28 Thread Marius Bakke
Marius Bakke writes: > Marius Bakke writes: > >> @@ -224,8 +225,11 @@ contained therein." >>(with-error-handling >> (let* ((opts (parse-options)) >> (store (open-connection)) >> + (certs (string-append (package-output

Re: `guix pull` over HTTPS

2017-02-28 Thread Leo Famulari
On Wed, Mar 01, 2017 at 12:05:57AM +0100, Marius Bakke wrote: > The ISRG trust chain is supported by NSS since 3.26[0] and Firefox 50. > > [0] https://bugzilla.mozilla.org/show_bug.cgi?id=1204656 > > As long as the ISRG chain works with all software in Guix, I don't see a > reason to include the

Re: `guix pull` over HTTPS

2017-02-28 Thread Marius Bakke
Leo Famulari writes: > On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote: >> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work >> for `guix download`, but having just the one file in SSL_CERT_DIR does. >> That's good enough for me! Could you

Re: `guix pull` over HTTPS

2017-02-28 Thread Marius Bakke
Marius Bakke writes: > @@ -224,8 +225,11 @@ contained therein." >(with-error-handling > (let* ((opts (parse-options)) > (store (open-connection)) > + (certs (string-append (package-output store nss-certs) > +

Re: `guix pull` over HTTPS

2017-02-28 Thread Marius Bakke
Marius Bakke writes: >>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix >>> pull` to know to use the le-certs bundle when pulling from >>> %snapshot-url. For other URLs, users will have to take care of it >>> themselves. >> >> This sounds like a

Re: `guix pull` over HTTPS

2017-02-28 Thread Marius Bakke
>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix >> pull` to know to use the le-certs bundle when pulling from >> %snapshot-url. For other URLs, users will have to take care of it >> themselves. > > This sounds like a better approach. Also, I did not see this email >

Re: `guix pull` over HTTPS

2017-02-28 Thread Marius Bakke
Leo Famulari writes: > On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote: >> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work >> for `guix download`, but having just the one file in SSL_CERT_DIR does. >> That's good enough for me! Could you

Re: `guix pull` over HTTPS

2017-02-28 Thread Leo Famulari
On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote: > For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work > for `guix download`, but having just the one file in SSL_CERT_DIR does. > That's good enough for me! Could you make this into a Guix package? I plan to make a

Re: `guix pull` over HTTPS

2017-02-28 Thread Marius Bakke
Leo Famulari writes: > On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote: >> Marius Bakke skribis: >> > I think having a separate 'le-certs' package that can verify the Let's >> > Encrypt chain sounds like the easiest option. Presumably new

Re: `guix pull` over HTTPS

2017-02-27 Thread Leo Famulari
On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote: > Marius Bakke skribis: > > I think having a separate 'le-certs' package that can verify the Let's > > Encrypt chain sounds like the easiest option. Presumably new > > intermediates etc will be known well in

Re: `guix pull` over HTTPS

2017-02-13 Thread Bob Proulx
Leo Famulari wrote: > GNU Guix is discussing the possibilities created by Savannah's > offering of Git-over-HTTPS: ... > If anyone from Savannah has anything to add to the discussion, feel > free to jump in :) Thanks for the invite! I'll jump in. :-) I am not subscribed. Please CC me on

Re: `guix pull` over HTTPS

2017-02-12 Thread Ludovic Courtès
Ricardo Wurmus skribis: > Leo Famulari writes: > >> However, I think that pulling code over HTTPS using a certificate store >> like nss-certs or from the host distro is a huge improvement over what >> we have now. If we can do that sooner, we should. > >

Re: `guix pull` over HTTPS

2017-02-11 Thread Ricardo Wurmus
Leo Famulari writes: > However, I think that pulling code over HTTPS using a certificate store > like nss-certs or from the host distro is a huge improvement over what > we have now. If we can do that sooner, we should. I agree. If it’s easy to make the “le-certs” idea

Re: `guix pull` over HTTPS

2017-02-11 Thread Leo Famulari
On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote: > Marius Bakke skribis: > > I think pinning the public key could work, if the Savannah > > administrators are aware of it. But we'd need a reliable fallback > > mechanism in case the private key needs to be

Re: `guix pull` over HTTPS

2017-02-11 Thread Ludovic Courtès
Marius Bakke skribis: > Ludovic Courtès writes: > >> Marius Bakke skribis: [...] >>> If the private key used on https://git.savannah.gnu.org/ is static, one >>> option would be to "pin" the corresponding public key. However, some LE >>>

Re: `guix pull` over HTTPS

2017-02-10 Thread ng0
On 17-02-10 23:43:45, Marius Bakke wrote: > Ludovic Courtès writes: > > > Marius Bakke skribis: > > > >> Ludovic Courtès writes: > >> > >>> Leo Famulari skribis: > >>> > > > > [...] > > > >>> Initially, I didn’t want to have

Re: `guix pull` over HTTPS

2017-02-10 Thread Marius Bakke
Ludovic Courtès writes: > Marius Bakke skribis: > >> Ludovic Courtès writes: >> >>> Leo Famulari skribis: >>> > > [...] > >>> Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or >>> anything like that, on the

Re: `guix pull` over HTTPS

2017-02-10 Thread Ludovic Courtès
Marius Bakke skribis: > Ludovic Courtès writes: > >> Leo Famulari skribis: >> [...] >> Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or >> anything like that, on the grounds that the whole X.509 CA story is >>

Re: `guix pull` over HTTPS

2017-02-10 Thread Christopher Allan Webber
Leo Famulari writes: > On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote: >> Does anyone have any specific concerns or advice about changing the >> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL? >> Should the change be that simple, or should we do more? > > While

Re: `guix pull` over HTTPS

2017-02-10 Thread Marius Bakke
Ludovic Courtès writes: > Leo Famulari skribis: > >> On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote: >>> Does anyone have any specific concerns or advice about changing the >>> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?

Re: `guix pull` over HTTPS

2017-02-10 Thread Ludovic Courtès
Leo Famulari skribis: > On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote: >> Does anyone have any specific concerns or advice about changing the >> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL? >> Should the change be that simple, or should

Re: `guix pull` over HTTPS

2017-02-10 Thread Ludovic Courtès
Hi Leo! Leo Famulari skribis: > HTTPS is not a security panacea but, in my opinion, we should use it if > it's available, at least until `guix pull` can verify commit signatures. Agreed. At least it prevents eavesdropping and allows us to authenticate the server (assuming

Re: `guix pull` over HTTPS

2017-02-09 Thread Leo Famulari
On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote: > Does anyone have any specific concerns or advice about changing the > value of %snapshot-url in (guix scripts pull) to use the HTTPS URL? > Should the change be that simple, or should we do more? While testing, I realized that an