Ludovic Courtès writes:

>> Simply propagate "gnutls" with "guix"? The %load-path trick was
>> stolen from (guix download), so I assumed it was safe ;-)
>
> The gexp in (guix download) that does that is a different story: it’s a
> situation where we spawn a new process and we know which Guile and which
> GnuTLS package is being used, so it’s completely safe.

Ok, thanks for the clarification. Can we do the same in "pull"? IMO it should work without intervention, when the user runs `guix pull` for the first time.

On foreign distributions, the `guix` executable is often a symlink to the profile of the "root" user. In such cases, each user would have to install GnuTLS in their profile before `guix pull` works.

>>> It’s also a case where I think we might want to use the
>>> already-installed certificates.
>>
>> If the URL is not from savannah, the GnuTLS defaults will be used (which
>> should consult SSL_CERT_DIR). Or did you mean instead of "le-certs"?
>
> Yes, I was talking about le-certs.

I have a strong preference for "hard coding" le-certs here. If the user doesn't have certs in their profile, they would have to both install some *and* configure the SSL_CERT_DIR variable before `guix pull` works.

Using "le-certs" instead of one of the "kitchen sink" trust stores such as "nss-certs" also provides strong guarantees against MITM attacks even from state-level actors due to the certificate transparency program. LE's signing certificate expires in 2021 and the root in 2035, so it's not a huge maintenance overhead.