From: bug#25975 <25975@debbugs.gnu.org>
Subject: Status: Use HTTPS in `guix pull`
Date: Tue, 19 Aug 2025 17:03:31 +0000

retitle 25975 Use HTTPS in `guix pull`
reassign 25975 guix-patches
submitter 25975 Marius Bakke
severity 25975 normal
thanks

From: Marius Bakke
To: guix-patches@gnu.org
Subject: Use HTTPS in `guix pull`
Date: Sun, 05 Mar 2017 15:59:16 +0100

I've tried a number of times to send this through `git send-email`, but
it seems to get caught in a spam filter or similar. Trying as attachment
now.

Note that this uses 'nss-certs' for easy testing, but is intended to use
'le-certs' from this thread:

https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html

Content-Disposition: inline; filename=0001-pull-Default-to-HTTPS.patch

From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Wed, 1 Mar 2017 22:11:02 +0100
Subject: [PATCH] pull: Default to HTTPS.

* guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
(guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.
---
 guix/scripts/pull.scm | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index a4824e4fd..4031f1d32 100644 =2D-- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -29,12 +29,16 @@ #:use-module (guix monads) #:use-module ((guix build utils) #:select (with-directory-excursion delete-file-recursively= )) + #:use-module ((guix build download) + #:select (%x509-certificate-directory)) #:use-module (gnu packages base) #:use-module (gnu packages guile) #:use-module ((gnu packages bootstrap) #:select (%bootstrap-guile)) + #:use-module ((gnu packages certs) #:select (nss-certs)) #:use-module (gnu packages compression) #:use-module (gnu packages gnupg) + #:use-module ((gnu packages tls) #:select (gnutls)) #:use-module (srfi srfi-1) #:use-module (srfi srfi-34) #:use-module (srfi srfi-35) @@ -45,7 +49,7 @@ =20 (define %snapshot-url ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download" =2D "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" + "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" ) =20 (define-syntax-rule (with-environment-variable variable value body ...) 
@@ -221,11 +225,35 @@ contained therein." (leave (_ "~A: unexpected argument~%") arg)) %default-options)) =20 + (define (use-gnutls? url) + (string-prefix? "https://" url)) + + (define (use-le-certs? url) + (string-prefix? "https://git.savannah.gnu.org" url)) + + (define (fetch-tarball store url) + (download-to-store store url "guix-latest.tar.gz")) + (with-error-handling (let* ((opts (parse-options)) (store (open-connection)) (url (assoc-ref opts 'tarball-url))) =2D (let ((tarball (download-to-store store url "guix-latest.tar.gz"))) + (let ((tarball + (if (use-gnutls? url) + (begin + ;; Add GnuTLS to inputs and load path. + (set! %load-path + (cons (string-append (package-output store gnutls) + "/share/guile/site/" + (effective-version)) + %load-path)) + (if (use-le-certs? url) + (parameterize ((%x509-certificate-directory + (string-append (package-output stor= e nss-certs) + "/etc/ssl/certs"))) + (fetch-tarball store url)) + (fetch-tarball store url))) + (fetch-tarball store url)))) (unless tarball (leave (_ "failed to download up-to-date source, exiting\n"))) (parameterize ((%guile-for-build =2D-=20 2.12.0
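Review bot: In the first hunk of guix/scripts/pull.scm, the new import `#:use-module ((gnu packages certs) #:select (nss-certs))` makes the full NSS CA bundle the trust store for the Savannah download, while the cover message says nss-certs is only there for testing and le-certs is the intended store. Before this is applied, switch the import to the le-certs package or add a comment at the import marking it as temporary, so the wider trust set does not become the default by accident. The old hydra.gnu.org URL kept as a comment above `%snapshot-url` is still `http://`; drop it or note why it stays.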
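Review bot: In the second hunk, `(package-output store gnutls)` and `(package-output store nss-certs)` are used as directories, but nothing in the visible lines builds either package first; if `package-output` only computes the store path, the `%load-path` entry and `%x509-certificate-directory` can point at directories that do not exist yet and the HTTPS download fails. Build both outputs before using their paths and call `leave` with a clear message when that fails. Also, `use-le-certs?` tests the prefix "https://git.savannah.gnu.org" with no trailing slash, so a host such as git.savannah.gnu.org.example.net matches too; compare the parsed host name instead of a string prefix. The `set!` on `%load-path` stays in effect for the rest of the process, and the three new helper definitions have no docstrings.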
From: Leo Famulari
To: Marius Bakke
Cc: 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 5 Mar 2017 13:44:34 -0500

On Sun, Mar 05, 2017 at 03:59:16PM +0100, Marius Bakke wrote:
> Note that this uses 'nss-certs' for easy testing, but is intended to use
> 'le-certs' from this thread:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html

I am ready to prepare the le-certs package, but I am waiting for one
more Guix project member to reproduce the repository, as requested in
the message linked above. We should not use a custom certificate store
that has not been inspected by several people.

> From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Wed, 1 Mar 2017 22:11:02 +0100
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.

It works for me! Like I said before, I'm hoping a stronger Schemer than
me will review it.

And we should think about how it might fail and try to work-around those
issues before anybody hits them in practice.

From: Kei Kebreau
To: Leo Famulari
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 05 Mar 2017 14:42:58 -0500

Leo Famulari writes:

> On Sun, Mar 05, 2017 at 03:59:16PM +0100, Marius Bakke wrote:
>> Note that this uses 'nss-certs' for easy testing, but is intended to use
>> 'le-certs' from this thread:
>>
>> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html
>
> I am ready to prepare the le-certs package, but I am waiting for one
> more Guix project member to reproduce the repository, as requested in
> the message linked above. We should not use a custom certificate store
> that has not been inspected by several people.
>

Reproduce the repository using

GIT_SSL_CAINFO="/tmp/le-certs/le-certs.pem" git clone --depth=1
https://git.savannah.gnu.org/git/guix.git?

If so, I just did successfully. If not, how can I help?

>> From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Wed, 1 Mar 2017 22:11:02 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.
>
> It works for me! Like I said before, I'm hoping a stronger Schemer than
> me will review it.
>
> And we should think about how it might fail and try to work-around those
> issues before anybody hits them in practice.

From: Leo Famulari
To: Kei Kebreau
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 5 Mar 2017 15:31:44 -0500

On Sun, Mar 05, 2017 at 02:42:58PM -0500, Kei Kebreau wrote:
> Reproduce the repository using
>
> GIT_SSL_CAINFO="/tmp/le-certs/le-certs.pem" git clone --depth=1
> https://git.savannah.gnu.org/git/guix.git?
>
> If so, I just did successfully. If not, how can I help?

What I meant is that I'd like for people to try reproducing the contents
of the le-certs repository.

Basically, download the certificates and check that they match what I am
distributing here:

https://github.com/lfam/le-certs/commit/a2528f9be72aaaceb210d516e93151758108683f

If you try it, please send a signed email to that thread with your
results. For example, Marius did it here:

https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01156.html

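The cross-check requested in the message above, as an added example that is not part of the original thread or of the le-certs repository: each reviewer's `sha256sum` listing is compared with the distributed manifest, and the store is accepted only when enough reviewers reproduced every file and nobody reported a different digest. The file contents, the reviewer names, the helper names and the quorum of two are constructed assumptions.

```python
import hashlib
import re

# One `sha256sum` output line: 64 hex digits, whitespace, an optional "*"
# (binary-mode marker), then the file name.
_ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Parse `sha256sum`-style text into {file name: lowercase hex digest}."""
    entries = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {number}: not a sha256sum entry: {raw!r}")
        digest, name = match.group(1).lower(), match.group(2)
        # The same file listed twice with different digests is an error,
        # not something to resolve silently.
        if entries.get(name, digest) != digest:
            raise ValueError(f"line {number}: conflicting digests for {name}")
        entries[name] = digest
    return entries


def manifest_of(files):
    """Hash a {file name: bytes} mapping, as a reviewer would hash a download."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def compare(reference, report):
    """Classify every file name that appears in either manifest."""
    outcome = {"match": [], "mismatch": [], "missing": [], "extra": []}
    for name in sorted(set(reference) | set(report)):
        if name not in report:
            outcome["missing"].append(name)
        elif name not in reference:
            outcome["extra"].append(name)
        elif report[name] == reference[name]:
            outcome["match"].append(name)
        else:
            outcome["mismatch"].append(name)
    return outcome


def review_store(reference, reports, needed=2):
    """Return (accepted, unconfirmed files, disputes by file).

    A file is confirmed once `needed` reviewers reproduced its digest. Any
    mismatching or unexpected file reported by a reviewer is a dispute, and a
    single dispute blocks acceptance.
    """
    confirmations = {name: [] for name in reference}
    disputes = {}
    for reviewer, report in reports.items():
        outcome = compare(reference, report)
        for name in outcome["match"]:
            confirmations[name].append(reviewer)
        for name in outcome["mismatch"] + outcome["extra"]:
            disputes.setdefault(name, []).append(reviewer)
    unconfirmed = sorted(n for n, who in confirmations.items() if len(who) < needed)
    return (not unconfirmed and not disputes), unconfirmed, disputes


# Constructed sample data: placeholder bytes stand in for the PEM files, so
# these digests are NOT those of any real certificate.
DISTRIBUTED = {
    "isrgrootx1.pem": b"constructed placeholder, ISRG root\n",
    "dstrootx3.pem": b"constructed placeholder, DST root\n",
}


def sha256sum_text(files):
    """Render a manifest in the two-space format `sha256sum` prints."""
    return "\n".join(f"{d}  {n}" for n, d in manifest_of(files).items())


def demo():
    reference = manifest_of(DISTRIBUTED)
    same = parse_manifest(sha256sum_text(DISTRIBUTED))
    # The second reviewer's download differs in one file.
    altered = dict(DISTRIBUTED, **{"dstrootx3.pem": b"different bytes\n"})
    differs = parse_manifest(sha256sum_text(altered))
    agreed = review_store(reference, {"reviewer-1": same, "reviewer-2": same})
    split = review_store(reference, {"reviewer-1": same, "reviewer-2": differs})
    return agreed, split


if __name__ == "__main__":
    for result in demo():
        print(result)
```
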
From: Kei Kebreau
To: Leo Famulari
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 05 Mar 2017 17:23:19 -0500

Leo Famulari writes:

> On Sun, Mar 05, 2017 at 02:42:58PM -0500, Kei Kebreau wrote:
>> Reproduce the repository using
>>
>> GIT_SSL_CAINFO="/tmp/le-certs/le-certs.pem" git clone --depth=1
>> https://git.savannah.gnu.org/git/guix.git?
>>
>> If so, I just did successfully. If not, how can I help?
>
> What I meant is that I'd like for people to try reproducing the contents
> of the le-certs repository.
>
> Basically, download the certificates and check that they match what I am
> distributing here:
>
> https://github.com/lfam/le-certs/commit/a2528f9be72aaaceb210d516e93151758108683f
>
> If you try it, please send a signed email to that thread with your
> results. For example, Marius did it here:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01156.html

Here are my SHA256 checksums:

From: Leo Famulari
To: Kei Kebreau
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Wed, 8 Mar 2017 15:46:54 -0500

On Sun, Mar 05, 2017 at 05:23:19PM -0500, Kei Kebreau wrote:
> Here are my SHA256 checksums:

Thanks Kei!

Based on the review of the le-certs repository from Kei and Marius, I've
submitted an le-certs package for review:

http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00180.html
From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Wed, 08 Mar 2017 21:51:37 +0100
Cc: 25975@debbugs.gnu.org

Hi Marius,

Marius Bakke skribis:

> I've tried a number of times to send this through `git send-email`, but
> it seems to get caught in a spam filter or similar.
>
> Trying as attachment now.
>
> Note that this uses 'nss-certs' for easy testing, but is intended to use
> 'le-certs' from this thread:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html

Cool.

> From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Wed, 1 Mar 2017 22:11:02 +0100
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.

[...]

> (with-error-handling > (let* ((opts (parse-options)) > (store (open-connection)) > (url (assoc-ref opts 'tarball-url))) > - (let ((tarball (download-to-store store url "guix-latest.tar.gz"))) > + (let ((tarball > + (if (use-gnutls? url) > + (begin > + ;; Add GnuTLS to inputs and load path. > + (set! %load-path > + (cons (string-append (package-output store gnutls) > + "/share/guile/site/" > + (effective-version)) > + %load-path)) > + (if (use-le-certs? url) > + (parameterize ((%x509-certificate-directory > + (string-append (package-output st= ore nss-certs) > + "/etc/ssl/certs"))) > + (fetch-tarball store url)) > + (fetch-tarball store url))) > + (fetch-tarball store url))))

This doesn’t really work, contrary to what you may experience. ;-)

Namely, ‘package-output’ is risky because it returns the output file
name of a package but doesn’t ensure that the store item actually
exists. So the above code works as intended when your store already
contains nss-certs and GnuTLS, but it breaks otherwise.

Instead we need to do something like this, though it’s not great either:

  (let* ((drv (package-derivation store nss-certs))
         (certs (string-append (derivation->output-path drv) "/etc/…")))
    (build-derivation store (list drv)) ;ugly: builds something right here
    …)

Another problem is changing ‘%load-path’ for the current process: this
will fail weirdly if GnuTLS is linked against a different libguile or
libc than the Guile executing ‘guix pull’. We should refrain from doing
that and instead rely on the already installed GnuTLS (I think we can
officially make it a hard requirement).

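Review bot: the final `(fetch-tarball store url)`, the else branch of `(if (use-gnutls? url) ...)`, downloads the tarball without touching `%x509-certificate-directory` and without any message to the user, and the quoted lines define neither `use-gnutls?` nor `use-le-certs?`, so a reader cannot tell which URLs end up on that path. Please document what the two predicates test and consider warning when that branch is taken. The three identical `fetch-tarball` calls could also collapse into one if the certificate directory were chosen first and bound once.
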
The code checks for ‘use-le-certs?’ but then uses all the NSS certs,
whereas the name implies something LE-specific. Is that intended? :-)

It’s also a case where I think we might want to use the
already-installed certificates.

Thoughts?

Thanks for working on it!

Ludo’.

Date: Wed, 8 Mar 2017 16:11:58 -0500
From: Leo Famulari
To: Ludovic Courtès
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Cc: Marius Bakke, 25975@debbugs.gnu.org

On Wed, Mar 08, 2017 at 09:51:37PM +0100, Ludovic Courtès wrote:
> The code checks for ‘use-le-certs?’ but then uses all the NSS certs,
> whereas the name implies something LE-specific. Is that intended? :-)

There wasn't an LE certs package ready yet.

I think we should avoid depending on nss-certs for `guix pull` because
nss-certs depends on perl, python, and openssl.

From: Marius Bakke
To: Ludovic Courtès
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Wed, 08 Mar 2017 23:49:54 +0100
Cc: 25975@debbugs.gnu.org

Ludovic Courtès writes:

>> From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Wed, 1 Mar 2017 22:11:02 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.
>
> [...]
>
>> (with-error-handling >> (let* ((opts (parse-options)) >> (store (open-connection)) >> (url (assoc-ref opts 'tarball-url))) >> - (let ((tarball (download-to-store store url "guix-latest.tar.gz")= )) >> + (let ((tarball >> + (if (use-gnutls? url) >> + (begin >> + ;; Add GnuTLS to inputs and load path. >> + (set! %load-path >> + (cons (string-append (package-output store gnutls) >> + "/share/guile/site/" >> + (effective-version)) >> + %load-path)) >> + (if (use-le-certs? url) >> + (parameterize ((%x509-certificate-directory >> + (string-append (package-output s= tore nss-certs) >> + "/etc/ssl/certs")= )) >> + (fetch-tarball store url)) >> + (fetch-tarball store url))) >> + (fetch-tarball store url))))
>
> This doesn’t really work, contrary to what you may experience. ;-)
>
> Namely, ‘package-output’ is risky because it returns the output file
> name of a package but doesn’t ensure that the store item actually
> exists. So the above code works as intended when your store already
> contains nss-certs and GnuTLS, but it breaks otherwise.

I suspected as much[0], but when I tested it with Leo's "le-certs"
package that was not in my store, it actually got built by this code.
Not sure what's up with that.

[0] https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01161.html

> Instead we need to do something like this, though it’s not great either:
>
>   (let* ((drv (package-derivation store nss-certs))
>          (certs (string-append (derivation->output-path drv) "/etc/…")))
>     (build-derivation store (list drv)) ;ugly: builds something right here
>     …)

I'll give this a go, thanks!

> Another problem is changing ‘%load-path’ for the current process: this
> will fail weirdly if GnuTLS is linked against a different libguile or
> libc than the Guile executing ‘guix pull’. We should refrain from doing
> that and instead rely on the already installed GnuTLS (I think we can
> officially make it a hard requirement).

What is the best way to do this? Simply propagate "gnutls" with "guix"?
The %load-path trick was stolen from (guix download), so I assumed it
was safe ;-)

> The code checks for ‘use-le-certs?’ but then uses all the NSS certs,
> whereas the name implies something LE-specific. Is that intended? :-)

That was for easier testing/review while waiting for the "le-certs"
package.

> It’s also a case where I think we might want to use the
> already-installed certificates.

If the URL is not from savannah, the GnuTLS defaults will be used (which
should consult SSL_CERT_DIR). Or did you mean instead of "le-certs"?

Thanks for the feedback!

From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Thu, 09 Mar 2017 11:48:15 +0100
Cc: 25975@debbugs.gnu.org

Hi Marius,

Marius Bakke skribis:

> Ludovic Courtès writes:
>
>>> From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
>>> From: Marius Bakke
>>> Date: Wed, 1 Mar 2017 22:11:02 +0100
>>> Subject: [PATCH] pull: Default to HTTPS.
>>>
>>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>>> (guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.
>>
>> [...]
>>
>>> (with-error-handling >>> (let* ((opts (parse-options)) >>> (store (open-connection)) >>> (url (assoc-ref opts 'tarball-url))) >>> - (let ((tarball (download-to-store store url "guix-latest.tar.gz"= ))) >>> + (let ((tarball >>> + (if (use-gnutls? url) >>> + (begin >>> + ;; Add GnuTLS to inputs and load path. >>> + (set! %load-path >>> + (cons (string-append (package-output store gnutls) >>> + "/share/guile/site/" >>> + (effective-version)) >>> + %load-path)) >>> + (if (use-le-certs? url) >>> + (parameterize ((%x509-certificate-directory >>> + (string-append (package-output = store nss-certs) >>> + "/etc/ssl/certs"= ))) >>> + (fetch-tarball store url)) >>> + (fetch-tarball store url))) >>> + (fetch-tarball store url))))
>>
>> This doesn’t really work, contrary to what you may experience. ;-)
>>
>> Namely, ‘package-output’ is risky because it returns the output file
>> name of a package but doesn’t ensure that the store item actually
>> exists. So the above code works as intended when your store already
>> contains nss-certs and GnuTLS, but it breaks otherwise.
>
> I suspected as much[0], but when I tested it with Leo's "le-certs"
> package that was not in my store, it actually got built by this code.
> Not sure what's up with that.
>
> [0] https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01161.html

Weird. ‘package-output’ definitely doesn’t build the thing.

>> Instead we need to do something like this, though it’s not great either:
>>
>>   (let* ((drv (package-derivation store nss-certs))
>>          (certs (string-append (derivation->output-path drv) "/etc/…")))
>>     (build-derivation store (list drv)) ;ugly: builds something right here
>>     …)
>
> I'll give this a go, thanks!
>
>> Another problem is changing ‘%load-path’ for the current process: this
>> will fail weirdly if GnuTLS is linked against a different libguile or
>> libc than the Guile executing ‘guix pull’. We should refrain from doing
>> that and instead rely on the already installed GnuTLS (I think we can
>> officially make it a hard requirement).
>
> What is the best way to do this?

Simply assume that GnuTLS is already available and thus do nothing. :-)

> Simply propagate "gnutls" with "guix"? The %load-path trick was
> stolen from (guix download), so I assumed it was safe ;-)

The gexp in (guix download) that does that is a different story: it’s a
situation where we spawn a new process and we know which Guile and which
GnuTLS package is being used, so it’s completely safe.

>> The code checks for ‘use-le-certs?’ but then uses all the NSS certs,
>> whereas the name implies something LE-specific. Is that intended? :-)
>
> That was for easier testing/review while waiting for the "le-certs"
> package.

OK.

>> It’s also a case where I think we might want to use the
>> already-installed certificates.
>
> If the URL is not from savannah, the GnuTLS defaults will be used (which
> should consult SSL_CERT_DIR). Or did you mean instead of "le-certs"?

Yes, I was talking about le-certs.

Thanks!

Ludo’.

From: Marius Bakke
To: Ludovic Courtès
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Thu, 09 Mar 2017 16:46:56 +0100
Cc: 25975@debbugs.gnu.org

Ludovic Courtès writes:

>> Simply propagate "gnutls" with "guix"? The %load-path trick was
>> stolen from (guix download), so I assumed it was safe ;-)
>
> The gexp in (guix download) that does that is a different story: it’s a
> situation where we spawn a new process and we know which Guile and which
> GnuTLS package is being used, so it’s completely safe.

Ok, thanks for the clarification. Can we do the same in "pull"? IMO it
should work without intervention, when the user runs `guix pull` for the
first time.

On foreign distributions, the `guix` executable is often a symlink to
the profile of the "root" user. In such cases, each user would have to
install GnuTLS in their profile before `guix pull` works.

>>> It’s also a case where I think we might want to use the
>>> already-installed certificates.
>>
>> If the URL is not from savannah, the GnuTLS defaults will be used (which
>> should consult SSL_CERT_DIR). Or did you mean instead of "le-certs"?
>
> Yes, I was talking about le-certs.

I have a strong preference for "hard coding" le-certs here. If the user
doesn't have certs in their profile, they would have to both install some
*and* configure the SSL_CERT_DIR variable before `guix pull` works.

Using "le-certs" instead of one of the "kitchen sink" trust stores such
as "nss-certs" also provides strong guarantees against MITM attacks even
from state-level actors due to the certificate transparency program.

LE's signing certificate expires in 2021 and the root in 2035, so it's
not a huge maintenance overhead.

From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Thu, 09 Mar 2017 17:11:44 +0100
Cc: 25975@debbugs.gnu.org

Marius Bakke skribis:

> Ludovic Courtès writes:
>
>>> Simply propagate "gnutls" with "guix"? The %load-path trick was
>>> stolen from (guix download), so I assumed it was safe ;-)
>>
>> The gexp in (guix download) that does that is a different story: it’s a
>> situation where we spawn a new process and we know which Guile and which
>> GnuTLS package is being used, so it’s completely safe.
>
> Ok, thanks for the clarification. Can we do the same in "pull"?

No, but we don’t have to: just assume GnuTLS is available and use the
https URL unconditionally.

We’ll update configure.ac and the manual to mention that GnuTLS is now a
requirement.

Sounds good?

>>>> It’s also a case where I think we might want to use the
>>>> already-installed certificates.
>>>
>>> If the URL is not from savannah, the GnuTLS defaults will be used (which
>>> should consult SSL_CERT_DIR). Or did you mean instead of "le-certs"?
>>
>> Yes, I was talking about le-certs.
>
> I have a strong preference for "hard coding" le-certs here. If the user
> doesn't have certs in their profile, they would have to both install some
> *and* configure the SSL_CERT_DIR variable before `guix pull` works.
>
> Using "le-certs" instead of one of the "kitchen sink" trust stores such
> as "nss-certs" also provides strong guarantees against MITM attacks even
> from state-level actors due to the certificate transparency program.
>
> LE's signing certificate expires in 2021 and the root in 2035, so it's
> not a huge maintenance overhead.

OK, that makes sense to me. So you can add a ‘build-derivations’ call
for this package and that should be enough.

Or we could just as well ship the LE certificate instead of having a
package that downloads it etc.?

Thank you!

Ludo’.

From: Leo Famulari
To: Ludovic Courtès
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Thu, 9 Mar 2017 13:13:21 -0500

On Thu, Mar 09, 2017 at 05:11:44PM +0100, Ludovic Courtès wrote:
> Or we could just as well ship the LE certificate instead of having a
> package that downloads it etc.?

I thought about this a bit yesterday. Only three certificate files are
needed for the Let's Encrypt certificate store: the root certificate,
the active intermediate, and the backup intermediate.*

We know where they can be downloaded from, and we know their SHA256
hash, so we could download them directly instead of using a package.

We could also bundle them with Guix, as you suggest.

What does everyone think?

* Technically we could leave out the backup, but I think we should
include it so that everything is "smooth" whenever it needs to become
active.

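The check described in the message above (three files, each with a known SHA256), as an added example that is not part of the thread or of Guix's code. The pins are the base32 strings given for the three files in the le-certs patch in this thread, decoded with the nix-base32 alphabet that Guix's `(base32 ...)` hashes use; `check_store`, `demo` and the demo file contents are hypothetical names and constructed data.

```python
"""Check a certificate directory against Guix-style (nix-base32) SHA-256 pins."""
import hashlib
import os
import tempfile

# Alphabet of the nix-base32 encoding (the letters e, o, t and u are left out).
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"

# File name -> base32 SHA-256, copied from the le-certs patch in this thread.
LE_CERT_PINS = {
    "isrgrootx1.pem": "0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y",
    "letsencryptauthorityx3.pem": "0zbamj6c7zqw1j9mbqygc8k1ykgj6xiisp9svmlif5lkbnyjhnkk",
    "letsencryptauthorityx4.pem": "003dc94c8qwj634h0dq743x7hqv9rdcfaisdksprkmi2jd107xq4",
}


def nix_base32_decode(text, size=32):
    """Decode a nix-base32 string into `size` raw digest bytes."""
    expected = (size * 8 - 1) // 5 + 1          # 52 characters for SHA-256
    if len(text) != expected:
        raise ValueError(f"expected {expected} characters, got {len(text)}")
    value = 0
    for ch in text:                              # most significant digit first
        index = NIX_B32.find(ch)
        if index < 0:
            raise ValueError(f"character {ch!r} is not in the nix-base32 alphabet")
        value = value * 32 + index
    if value >> (size * 8):                      # the spare top bits must be zero
        raise ValueError("non-zero padding bits")
    return value.to_bytes(size, "little")        # digest bytes are little-endian


def nix_base32_encode(digest):
    """Encode raw digest bytes as nix-base32 (inverse of nix_base32_decode)."""
    value = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1
    chars = []
    for _ in range(length):
        chars.append(NIX_B32[value & 31])
        value >>= 5
    return "".join(reversed(chars))


def check_store(directory, pins):
    """Return a list of problems; an empty list means the directory holds
    exactly the pinned files with exactly the pinned contents."""
    present = set(os.listdir(directory))
    problems = [f"missing: {name}" for name in sorted(set(pins) - present)]
    # An extra file in a CA directory is an extra trust anchor, so report it.
    problems += [f"unexpected: {name}" for name in sorted(present - set(pins))]
    for name in sorted(present & set(pins)):
        with open(os.path.join(directory, name), "rb") as handle:
            digest = hashlib.sha256(handle.read()).digest()
        if digest != nix_base32_decode(pins[name]):
            problems.append(
                f"hash mismatch: {name} (got {nix_base32_encode(digest)})")
    return problems


def demo():
    """Constructed demo with placeholder bytes, not real certificates."""
    files = {"root.pem": b"constructed root\n",
             "intermediate.pem": b"constructed intermediate\n"}
    pins = {name: nix_base32_encode(hashlib.sha256(data).digest())
            for name, data in files.items()}
    with tempfile.TemporaryDirectory() as store:
        for name, data in files.items():
            with open(os.path.join(store, name), "wb") as handle:
                handle.write(data)
        clean = check_store(store, pins)
        # Tamper with one pinned file and drop in an unpinned one.
        with open(os.path.join(store, "intermediate.pem"), "ab") as handle:
            handle.write(b"tampered")
        with open(os.path.join(store, "extra.pem"), "wb") as handle:
            handle.write(b"constructed extra\n")
        dirty = check_store(store, pins)
    return clean, dirty


if __name__ == "__main__":
    # Hex form of each pin, comparable with the output of sha256sum.
    for name, pin in LE_CERT_PINS.items():
        print(name, nix_base32_decode(pin).hex())
    print(demo())
```

Running `check_store` on a directory of downloaded certificates with `LE_CERT_PINS` reports any file whose content differs from the pin, as well as any file that is not pinned at all.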
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Fri, 10 Mar 2017 11:33:41 +0100

Leo Famulari wrote:

> On Thu, Mar 09, 2017 at 05:11:44PM +0100, Ludovic Courtès wrote:
>> Or we could just as well ship the LE certificate instead of having a
>> package that downloads it etc.?
>
> I thought about this a bit yesterday. Only three certificate files are
> needed for the Let's Encrypt certificate store: the root certificate,
> the active intermediate, and the backup intermediate.*
>
> We know where they can be downloaded from, and we know their SHA256
> hash, so we could download them directly instead of using a package.
>
> We could also bundle them with Guix, as you suggest.
>
> What does everyone think?

Maybe a trivial-build-system package to download these 3 files and put
them in a directory would do.

Thoughts?

Ludo’.

From: ng0
To: Ludovic Courtès
Cc: 25975@debbugs.gnu.org, Leo Famulari
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Fri, 10 Mar 2017 13:19:09 +0000

Ludovic Courtès transcribed 0.8K bytes:
> Leo Famulari wrote:
>
> > On Thu, Mar 09, 2017 at 05:11:44PM +0100, Ludovic Courtès wrote:
> >> Or we could just as well ship the LE certificate instead of having a
> >> package that downloads it etc.?
> >
> > I thought about this a bit yesterday. Only three certificate files are
> > needed for the Let's Encrypt certificate store: the root certificate,
> > the active intermediate, and the backup intermediate.*
> >
> > We know where they can be downloaded from, and we know their SHA256
> > hash, so we could download them directly instead of using a package.
> >
> > We could also bundle them with Guix, as you suggest.
> >
> > What does everyone think?
>
> Maybe a trivial-build-system package to download these 3 files and put
> them in a directory would do.
>
> Thoughts?
>
> Ludo’.
>
>

Sounds like a good idea.

From: Leo Famulari
To: Ludovic Courtès
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sat, 11 Mar 2017 01:42:48 -0500

On Fri, Mar 10, 2017 at 11:33:41AM +0100, Ludovic Courtès wrote:
> > I thought about this a bit yesterday. Only three certificate files are
> > needed for the Let's Encrypt certificate store: the root certificate,
> > the active intermediate, and the backup intermediate.*
> >
> > We know where they can be downloaded from, and we know their SHA256
> > hash, so we could download them directly instead of using a package.
>
> Maybe a trivial-build-system package to download these 3 files and put
> them in a directory would do.

Here's a patch.

--BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-gnu-Add-le-certs.patch" Content-Transfer-Encoding: quoted-printable =46rom 6fea91135a625a13d92d6951d150d8dc5eb68dc1 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Tue, 28 Feb 2017 20:21:10 -0500 Subject: [PATCH] gnu: Add le-certs. * gnu/packages/certs.scm (le-certs): New variable. --- gnu/packages/certs.scm | 57 ++++++++++++++++++++++++++++++++++++++++++++++= ++++ 1 file changed, 57 insertions(+) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index 246e5ca14..fb96b6994 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -2,6 +2,7 @@ ;;; Copyright =C2=A9 2015 Andreas Enge ;;; Copyright =C2=A9 2015 Mark H Weaver ;;; Copyright =C2=A9 2016 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2017 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -139,3 +140,59 @@ taken from the NSS package and thus ultimately from the Mozilla project.") (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/= NSS") (license license:mpl2.0))) + +(define-public le-certs + (package + (name "le-certs") + (version "0") + (source #f) + (build-system trivial-build-system) + (arguments + '(#:modules ((guix build utils)) + #:builder + (begin + (use-modules (guix build utils)) + (let ((root (assoc-ref %build-inputs "isrgrootx1.pem")) + (intermediate (assoc-ref %build-inputs "letsencryptauthorit= yx3.pem")) + (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pe= m")) + (out (string-append (assoc-ref %outputs "out") "/etc/ssl/ce= rts"))) + (mkdir-p out) + (map (lambda (cert) + (copy-file cert (string-append out "/" + (strip-store-file-name ce= rt)))) + (list root intermediate backup)))))) + (inputs + `(; The Let's Encrypt root certificate, "ISRG Root X1". + ("isrgrootx1.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/isrgrootx1.pem") + (sha256 + (base32 + "0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y")))) + ;; "Let=E2=80=99s Encrypt Authority X3 ", the active Let's Encrypt = intermediate + ;; certificate. + ("letsencryptauthorityx3.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem") + (sha256 + (base32 + "0zbamj6c7zqw1j9mbqygc8k1ykgj6xiisp9svmlif5lkbnyjhnkk")))) + ;; "Let=E2=80=99s Encrypt Authority X4", the backup Let's Encrypt i= ntermediate + ;; certificate. This will be used for disaster recovery and will o= nly be + ;; used should Let's Encrypt lose the ability to issue with "Let=E2= =80=99s + ;; Encrypt Authority X3". 
+ ("letsencryptauthorityx4.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem") + (sha256 + (base32 + "003dc94c8qwj634h0dq743x7hqv9rdcfaisdksprkmi2jd107xq4")))))) + (home-page "https://github.com/lfam/le-certs") + (synopsis "Let's Encrypt root and intermediate certificates") + (description "This package provides a certificate store containing onl= y the +Let's Encrypt root and intermediate certificates. It is intended to be us= ed +within Guix.") + (license license:public-domain))) ; XXX what license? --=20 2.12.0
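
Review bot: home-page in the new le-certs definition points at https://github.com/lfam/le-certs, while all three inputs are fetched from https://letsencrypt.org/certs/, so the home-page should name the upstream that actually publishes the files. The trailing "; XXX what license?" marker on the license line should be resolved or dropped before this is applied, and the comment for the X3 intermediate has a stray space before the closing quote in "Authority X3 ".
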
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sat, 11 Mar 2017 11:26:12 +0100

Leo Famulari wrote:

> On Fri, Mar 10, 2017 at 11:33:41AM +0100, Ludovic Courtès wrote:
>> > I thought about this a bit yesterday. Only three certificate files are
>> > needed for the Let's Encrypt certificate store: the root certificate,
>> > the active intermediate, and the backup intermediate.*
>> >
>> > We know where they can be downloaded from, and we know their SHA256
>> > hash, so we could download them directly instead of using a package.
>>
>> Maybe a trivial-build-system package to download these 3 files and put
>> them in a directory would do.
>
> Here's a patch.
>
> From 6fea91135a625a13d92d6951d150d8dc5eb68dc1 Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Tue, 28 Feb 2017 20:21:10 -0500
> Subject: [PATCH] gnu: Add le-certs.
>
> * gnu/packages/certs.scm (le-certs): New variable.

Great, that was fast!

> + (arguments > + '(#:modules ((guix build utils)) > + #:builder > + (begin > + (use-modules (guix build utils)) > + (let ((root (assoc-ref %build-inputs "isrgrootx1.pem")) > + (intermediate (assoc-ref %build-inputs "letsencryptauthor= ityx3.pem")) > + (backup (assoc-ref %build-inputs "letsencryptauthorityx4.= pem")) > + (out (string-append (assoc-ref %outputs "out") "/etc/ssl/= certs"))) > + (mkdir-p out) > + (map (lambda (cert) > + (copy-file cert (string-append out "/" > + (strip-store-file-name = cert)))) > + (list root intermediate backup))))))

‘for-each’ instead of ‘map’, to make it clear that it’s for side effects.

> + (license license:public-domain))) ; XXX what license?

It’s not copyrightable so yeah, this is a good approximation.

Thank you!

Ludo’.

From: Leo Famulari
To: Ludovic Courtès
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sat, 11 Mar 2017 11:57:37 -0500

On Sat, Mar 11, 2017 at 11:26:12AM +0100, Ludovic Courtès wrote:
> > + (map (lambda (cert) > > + (copy-file cert (string-append out "/" > > + (strip-store-file-nam= e cert)))) > > + (list root intermediate backup))))))
>
> ‘for-each’ instead of ‘map’, to make it clear that it’s for side
> effects.

Done!

> > + (license license:public-domain))) ; XXX what license?
>
> It’s not copyrightable so yeah, this is a good approximation.

Okay!

I also changed the home-page to .

Updated patch attached.

--7JfCtLOvnd9MIVvH Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-gnu-Add-le-certs.patch" Content-Transfer-Encoding: quoted-printable =46rom a02327a3d8f3ccc0c87920870671f0500b13d430 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Tue, 28 Feb 2017 20:21:10 -0500 Subject: [PATCH] gnu: Add le-certs. * gnu/packages/certs.scm (le-certs): New variable. --- gnu/packages/certs.scm | 58 ++++++++++++++++++++++++++++++++++++++++++++++= ++++ 1 file changed, 58 insertions(+) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index 246e5ca14..e35e9aaba 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -2,6 +2,7 @@ ;;; Copyright =C2=A9 2015 Andreas Enge ;;; Copyright =C2=A9 2015 Mark H Weaver ;;; Copyright =C2=A9 2016 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2017 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -139,3 +140,60 @@ taken from the NSS package and thus ultimately from the Mozilla project.") (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/= NSS") (license license:mpl2.0))) + +(define-public le-certs + (package + (name "le-certs") + (version "0") + (source #f) + (build-system trivial-build-system) + (arguments + '(#:modules ((guix build utils)) + #:builder + (begin + (use-modules (guix build utils)) + (let ((root (assoc-ref %build-inputs "isrgrootx1.pem")) + (intermediate (assoc-ref %build-inputs "letsencryptauthorit= yx3.pem")) + (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pe= m")) + (out (string-append (assoc-ref %outputs "out") "/etc/ssl/ce= rts"))) + (mkdir-p out) + (for-each + (lambda (cert) + (copy-file cert (string-append out "/" + (strip-store-file-name cert)= ))) + (list root intermediate backup)))))) + (inputs + `(; The Let's Encrypt root certificate, "ISRG Root X1". + ("isrgrootx1.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/isrgrootx1.pem") + (sha256 + (base32 + "0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y")))) + ;; "Let=E2=80=99s Encrypt Authority X3", the active Let's Encrypt i= ntermediate + ;; certificate. + ("letsencryptauthorityx3.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem") + (sha256 + (base32 + "0zbamj6c7zqw1j9mbqygc8k1ykgj6xiisp9svmlif5lkbnyjhnkk")))) + ;; "Let=E2=80=99s Encrypt Authority X4", the backup Let's Encrypt i= ntermediate + ;; certificate. This will be used for disaster recovery and will o= nly be + ;; used should Let's Encrypt lose the ability to issue with "Let=E2= =80=99s + ;; Encrypt Authority X3". 
+ ("letsencryptauthorityx4.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem") + (sha256 + (base32 + "003dc94c8qwj634h0dq743x7hqv9rdcfaisdksprkmi2jd107xq4")))))) + (home-page "https://letsencrypt.org/certificates/") + (synopsis "Let's Encrypt root and intermediate certificates") + (description "This package provides a certificate store containing onl= y the +Let's Encrypt root and intermediate certificates. It is intended to be us= ed +within Guix.") + (license license:public-domain))) --=20 2.12.0
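
Review bot: `(version "0")` together with three hash-pinned certificate origins leaves nothing in the package that says which snapshot of the Let's Encrypt hierarchy it carries or when it has to be refreshed. The comments in `inputs` already describe X3 as the active intermediate and X4 as the disaster-recovery backup, so the set is expected to change over time, and the description says the store contains only these certificates. Consider a date-based version and a comment above `(inputs` stating that the package must be updated whenever Let's Encrypt publishes new intermediates.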

From: Marius Bakke
To: Leo Famulari, Ludovic Courtès
Cc: 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sat, 11 Mar 2017 19:40:38 +0100

Leo Famulari writes:

> On Sat, Mar 11, 2017 at 11:26:12AM +0100, Ludovic Courtès wrote:
>> > + (map (lambda (cert)
>> > + (copy-file cert (string-append out "/"
>> > + (strip-store-file-na= me cert))))
>> > + (list root intermediate backup))))))
>>
>> ‘for-each’ instead of ‘map’, to make it clear that it’s for side
>> effects.
>
> Done!
>
>> > + (license license:public-domain))) ; XXX what license?
>>
>> It’s not copyrightable so yeah, this is a good approximation.
>
> Okay!
>
> I also changed the home-page to .
>
> Updated patch attached.

Great!

Here's a revision of `guix pull` that uses this "le-certs" package, and
assumes GnuTLS is available.

One caveat with this approach is that users will need to install GnuTLS
in their profile and set up GUILE_LOAD_PATH before `guix pull` works.

From 61bf52ff461e8a53175546928bd4ee41645bb5ca Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Wed, 1 Mar 2017 22:11:02 +0100
Subject: [PATCH] pull: Default to HTTPS.

* guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
(guix-pull): Authenticate against LE-CERTS when URL is from Savannah.
---
 guix/scripts/pull.scm | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index a4824e4fd..8e31ad620 100644 =2D-- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2013, 2014, 2015 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,10 +30,13 @@ #:use-module (guix monads) #:use-module ((guix build utils) #:select (with-directory-excursion delete-file-recursively= )) + #:use-module ((guix build download) + #:select (%x509-certificate-directory)) #:use-module (gnu packages base) #:use-module (gnu packages guile) #:use-module ((gnu packages bootstrap) #:select (%bootstrap-guile)) + #:use-module ((gnu packages certs) #:select (le-certs)) #:use-module (gnu packages compression) #:use-module (gnu packages gnupg) #:use-module (srfi srfi-1) 
@@ -45,7 +49,7 @@ =20 (define %snapshot-url ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download" =2D "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" + "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" ) =20 (define-syntax-rule (with-environment-variable variable value body ...) 
@@ -221,11 +225,25 @@ contained therein." (leave (_ "~A: unexpected argument~%") arg)) %default-options)) =20 + (define (use-le-certs? url) + (string-prefix? "https://git.savannah.gnu.org/" url)) + + (define (fetch-tarball store url) + (download-to-store store url "guix-latest.tar.gz")) + (with-error-handling (let* ((opts (parse-options)) (store (open-connection)) (url (assoc-ref opts 'tarball-url))) =2D (let ((tarball (download-to-store store url "guix-latest.tar.gz"))) + (let ((tarball + (if (use-le-certs? url) + (let* ((drv (package-derivation store le-certs)) + (certs (string-append (derivation->output-path drv) + "/etc/ssl/certs"))) + (build-derivations store (list drv)) + (parameterize ((%x509-certificate-directory certs)) + (fetch-tarball store url))) + (fetch-tarball store url)))) (unless tarball (leave (_ "failed to download up-to-date source, exiting\n"))) (parameterize ((%guile-for-build =2D-=20 2.12.0
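
Review bot: in the last hunk of guix/scripts/pull.scm, `use-le-certs?` decides by a literal `string-prefix?` test on "https://git.savannah.gnu.org/", so every other value of `tarball-url`, a plain `http://` URL included, silently takes the bare `(fetch-tarball store url)` branch without the `parameterize` on `%x509-certificate-directory`. Since the commit message presents HTTPS as the default, consider emitting a warning when the URL does not start with `https://`, and add a comment saying that the restricted trust store is deliberately limited to Savannah. The host name is also written twice now, once in `%snapshot-url` and once in the prefix test; deriving one from the other keeps them from drifting apart. It would also help to state in a comment that `download-to-store` is expected to verify the server certificate against the parameterized directory, because the hunk relies on that without showing it.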

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: Marius Bakke, 25975@debbugs.gnu.org
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 12 Mar 2017 00:29:31 +0100

Leo Famulari wrote:

> From a02327a3d8f3ccc0c87920870671f0500b13d430 Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Tue, 28 Feb 2017 20:21:10 -0500
> Subject: [PATCH] gnu: Add le-certs.
>
> * gnu/packages/certs.scm (le-certs): New variable.

Perfect, thanks!

Ludo’.

From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Cc: 25975@debbugs.gnu.org, Leo Famulari
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 12 Mar 2017 00:41:35 +0100

Marius Bakke wrote:

> From 61bf52ff461e8a53175546928bd4ee41645bb5ca Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Wed, 1 Mar 2017 22:11:02 +0100
> Subject: [PATCH] pull: Default to HTTPS.
>
> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> (guix-pull): Authenticate against LE-CERTS when URL is from Savannah.

LGTM!

I changed the configury and doc in
1dbe3a8db0a3e5a8e5f9b30e6f6a6bbfb699275b so that GnuTLS is a hard
dependency.

Thanks,
Ludo’.

From: Marius Bakke
To: Ludovic Courtès
Cc: 25975-done@debbugs.gnu.org, Leo Famulari
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 12 Mar 2017 19:48:42 +0100

Ludovic Courtès writes:

> Marius Bakke wrote:
>
>> From 61bf52ff461e8a53175546928bd4ee41645bb5ca Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Wed, 1 Mar 2017 22:11:02 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Authenticate against LE-CERTS when URL is from Savannah.
>
> LGTM!
>
> I changed the configury and doc in
> 1dbe3a8db0a3e5a8e5f9b30e6f6a6bbfb699275b so that GnuTLS is a hard
> dependency.

Ok, thanks!

I've pushed this patch. Let the bug reports roll in! :-)

From: Leo Famulari
To: Marius Bakke
Cc: 25975-done@debbugs.gnu.org, Ludovic Courtès
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 12 Mar 2017 22:35:05 -0400

On Sun, Mar 12, 2017 at 07:48:42PM +0100, Marius Bakke wrote:
> I've pushed this patch. Let the bug reports roll in! :-)

Woo-hoo!

It "just worked" for me on GuixSD and my foreign distros :)

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 25975-done@debbugs.gnu.org, Marius Bakke
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Mon, 13 Mar 2017 10:23:45 +0100

Leo Famulari wrote:

> On Sun, Mar 12, 2017 at 07:48:42PM +0100, Marius Bakke wrote:
>> I've pushed this patch. Let the bug reports roll in! :-)
>
> Woo-hoo!
>
> It "just worked" for me on GuixSD and my foreign distros :)

Works for me too!

Thanks to both of you for carrying it out!

Ludo’.

From: ng0
To: 25975@debbugs.gnu.org, mbakke@fastmail.com
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Mon, 13 Mar 2017 11:07:10 +0000

Marius Bakke transcribed 1.3K bytes:
> Ludovic Courtès writes:
>
> > Marius Bakke wrote:
> >
> >> From 61bf52ff461e8a53175546928bd4ee41645bb5ca Mon Sep 17 00:00:00 2001
> >> From: Marius Bakke
> >> Date: Wed, 1 Mar 2017 22:11:02 +0100
> >> Subject: [PATCH] pull: Default to HTTPS.
> >>
> >> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
> >> (guix-pull): Authenticate against LE-CERTS when URL is from Savannah.
> >
> > LGTM!
> >
> > I changed the configury and doc in
> > 1dbe3a8db0a3e5a8e5f9b30e6f6a6bbfb699275b so that GnuTLS is a hard
> > dependency.
>
> Ok, thanks!
>
> I've pushed this patch. Let the bug reports roll in! :-)

Ok, native GuixSD worked just fine.

From: Debbugs Internal Request
Subject: Internal Control
Date: Mon, 10 Apr 2017 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator