Re: `guix pull` over HTTPS

[Marius Bakke]

Leo Famulari <address@hidden> writes:

> On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
>> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
>> for `guix download`, but having just the one file in SSL_CERT_DIR does.
>> That's good enough for me! Could you make this into a Guix package? 
>
> I plan to make a package once these issues are resolved:
>
> 1) Which "trust path" should we use? The one using ISRG (the "native"
> Let's Encrypt root certificate authority), or the one that is
> cross-signed by IdenTrust? Or should we keep it as-is, where both are
> included? This is my first time creating a custom set of certificates,
> so I don't know all the issues.
>
> They recommend that server operators used the cross-signed trust chain
> because the ISRG trust chain is not yet widely deployed in web browsers,
> but that's not an issue for this use case.

I don't fully understand the differences here, but will do some reading.

> 2) I'd like at least two other Guix developers to try recreating the
> repository "from scratch", and to send signed email to this thread
> saying that they were able to successfully recreate this custom
> certificate store.

I will do this later.

>> I wonder what happens if we simply switch %snapshot-url to HTTPS in
>> `guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
>> configured? I think it would be sufficient to mention in the manual to
>> install one of "nss-certs" or "le-certs" before running `guix pull` for
>> the first time. How does that sound?
>
> I think it's too much of a regression if users have to fiddle with
> environment variables for `guix pull` to work reliably. People are
> constantly asking for help with environment variables in the #guix chat
> room.
>
> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
> pull` to know to use the le-certs bundle when pulling from
> %snapshot-url. For other URLs, users will have to take care of it
> themselves. 

This sounds like a better approach. Also, I did not see this email
before sending the patch! If you package it up, I can look into
realizing the package in `guix pull` directly.

> This should preserve the existing user experience of `guix pull`, which
> is that the default invocation "just works", at least in terms of
> downloading the source code. It could fail anyways if their clock is way
> off... any other ideas about how it could fail?

Not off the top of my head. But see the patch for a fallback
"--insecure" option if all else fails.

Thanks a lot for taking this on!

signature.asc
Description: PGP signature