GNU bug report logs - #25975
Use HTTPS in `guix pull`


Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sun, 5 Mar 2017 15:00:02 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#25975: closed (Use HTTPS in `guix pull`)
Date: Sun, 12 Mar 2017 18:49:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Sun, 12 Mar 2017 19:48:42 +0100
with message-id <87y3waib5h.fsf <at> kirby.i-did-not-set--mail-host-address--so-tickle-me>
and subject line Re: bug#25975: Use HTTPS in `guix pull`
has caused the debbugs.gnu.org bug report #25975,
regarding Use HTTPS in `guix pull`
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
25975: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=25975
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Subject: Use HTTPS in `guix pull`
Date: Sun, 05 Mar 2017 15:59:16 +0100
[Message part 3 (text/plain, inline)]
I've tried a number of times to send this through `git send-email`, but
it seems to get caught in a spam filter or similar.

Trying as attachment now.

Note that this uses 'nss-certs' for easy testing, but is intended to use
'le-certs' from this thread:

https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html

[0001-pull-Default-to-HTTPS.patch (text/x-patch, inline)]
From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke <at> fastmail.com>
Date: Wed, 1 Mar 2017 22:11:02 +0100
Subject: [PATCH] pull: Default to HTTPS.

* guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
(guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.
---
 guix/scripts/pull.scm | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index a4824e4fd..4031f1d32 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -29,12 +29,16 @@
   #:use-module (guix monads)
   #:use-module ((guix build utils)
                 #:select (with-directory-excursion delete-file-recursively))
+  #:use-module ((guix build download)
+                #:select (%x509-certificate-directory))
   #:use-module (gnu packages base)
   #:use-module (gnu packages guile)
   #:use-module ((gnu packages bootstrap)
                 #:select (%bootstrap-guile))
+  #:use-module ((gnu packages certs) #:select (nss-certs))
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module ((gnu packages tls) #:select (gnutls))
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
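Review bot: the new `#:use-module ((gnu packages certs) #:select (nss-certs))` line contradicts the cover note, which says nss-certs is only a stand-in "for easy testing" and that le-certs is the intended trust store; before this is pushed, either point the import at the le-certs package or put a `;; TODO: replace with le-certs` comment next to it so the placeholder does not quietly ship as the default certificate bundle for `guix pull`.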
@@ -45,7 +49,7 @@
 
 (define %snapshot-url
   ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
-  "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
+  "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
   )
 
 (define-syntax-rule (with-environment-variable variable value body ...)
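Review bot: the commented-out hydra URL directly above the changed line still reads `http://hydra.gnu.org/...`; since that comment documents an alternate default, either update it to `https://` as well or drop it, so that uncommenting it later does not reintroduce a plaintext default. Minor style point: the lone `)` on its own line after the string is not idiomatic Scheme and could be folded onto the `"https://git.savannah.gnu.org/..."` line.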
@@ -221,11 +225,35 @@ contained therein."
                   (leave (_ "~A: unexpected argument~%") arg))
                 %default-options))
 
+  (define (use-gnutls? url)
+    (string-prefix? "https://" url))
+
+  (define (use-le-certs? url)
+    (string-prefix? "https://git.savannah.gnu.org" url))
+
+  (define (fetch-tarball store url)
+    (download-to-store store url "guix-latest.tar.gz"))
+
   (with-error-handling
     (let* ((opts  (parse-options))
            (store (open-connection))
            (url   (assoc-ref opts 'tarball-url)))
-      (let ((tarball (download-to-store store url "guix-latest.tar.gz")))
+      (let ((tarball
+             (if (use-gnutls? url)
+                 (begin
+                   ;; Add GnuTLS to inputs and load path.
+                   (set! %load-path
+                     (cons (string-append (package-output store gnutls)
+                                          "/share/guile/site/"
+                                          (effective-version))
+                           %load-path))
+                   (if (use-le-certs? url)
+                       (parameterize ((%x509-certificate-directory
+                                       (string-append (package-output store nss-certs)
+                                                      "/etc/ssl/certs")))
+                         (fetch-tarball store url))
+                       (fetch-tarball store url)))
+                 (fetch-tarball store url))))
         (unless tarball
           (leave (_ "failed to download up-to-date source, exiting\n")))
         (parameterize ((%guile-for-build
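Review bot: `use-le-certs?` tests `(string-prefix? "https://git.savannah.gnu.org" url)` with no trailing slash, so any URL whose authority merely begins with that string, not only that host, selects the certs branch; compare against `"https://git.savannah.gnu.org/"` so the match is on the complete host. Relatedly, the predicate is named after le-certs but the branch it guards sets `%x509-certificate-directory` to the `nss-certs` output, and the commit message says "Add GNUTLS and NSS-CERTS to inputs"; rename the predicate or the package so the code and the message agree. For HTTPS URLs that are not from Savannah the else branch leaves `%x509-certificate-directory` at its default, and the commit message should state what certificate verification the download gets in that case. Finally, `(fetch-tarball store url)` is repeated three times across the nested `if`s; computing the certificate directory (or `#f`) first and wrapping a single `parameterize` around one call would remove the duplication and make the control flow easier to audit.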
-- 
2.12.0

[signature.asc (application/pgp-signature, inline)]
[Message part 6 (message/rfc822, inline)]
From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 25975-done <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#25975: Use HTTPS in `guix pull`
Date: Sun, 12 Mar 2017 19:48:42 +0100
[Message part 7 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:

> Marius Bakke <mbakke <at> fastmail.com> writes:
>
>> From 61bf52ff461e8a53175546928bd4ee41645bb5ca Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke <at> fastmail.com>
>> Date: Wed, 1 Mar 2017 22:11:02 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Authenticate against LE-CERTS when URL is from Savannah.
>
> LGTM!
>
> I changed the configury and doc in
> 1dbe3a8db0a3e5a8e5f9b30e6f6a6bbfb699275b so that GnuTLS is a hard
> dependency.

Ok, thanks!

I've pushed this patch. Let the bug reports roll in! :-)
[signature.asc (application/pgp-signature, inline)]
