GNU bug report logs - #46829
Let's Encrypt certificate store (le-certs) expired


Package: guix

Reported by: Christopher Baines <mail <at> cbaines.net>

Date: Sun, 28 Feb 2021 10:28:02 UTC

Severity: important

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Message #120 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Ludovic Courtès <ludo <at> gnu.org>, Leo Famulari
 <leo <at> famulari.name>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
Date: Wed, 14 Apr 2021 21:57:03 +0200
On Wed, 2021-04-14 at 12:50 +0200, Ludovic Courtès wrote:
> [...]
> > > We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
> > 
> > I think we should avoid adding "use insecure connection" options. Even
> > if the code itself is signed.
> 
> “Insecure” is a strong word: it still prevents eavesdropping, which is
> the only property that matters in the presence of authenticated
> channels.

Maybe call the option '--tolerate-eavesdropping' then?  That name:

* is technically correct
* doesn't suggest the option is "Insecure"
* but still sounds like something you don't want
* should be clear to people not knowing about TLS' PKI infrastructure,
  ‘will eventually’™ be replaced with GNS + <insert GNUnet protocol here> or
  something like that, which wouldn't use such a centralised structure.

Thoughts?
Maxime.

This bug report was last modified 3 years and 359 days ago.
