GNU bug report logs - #49508
Implement --allow-insecure-transport for `guix pull`

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 10 Jul 2021 17:29:02 UTC

Severity: important

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 49508 <at> debbugs.gnu.org
Subject: bug#49508: Implement --allow-insecure-transport for `guix pull`
Date: Tue, 08 Feb 2022 11:18:08 +0100

Hi,

Leo Famulari <leo <at> famulari.name> writes:

> As discussed in #46829, `guix pull` needs an option like
> --allow-insecure-transport so that users can continue to pull from the
> same channel even when their local certificate store has expired or is
> otherwise invalid.

Agreed.

Unfortunately it seems that libgit2 doesn’t let us turn off certificate
verification:

  https://libgit2.org/libgit2/#HEAD/group/libgit2

‘verify_server_cert’ in src/streams/openssl.c is called
unconditionally.  So it seems that the first thing to do would be to
submit a patch upstream that would allow users to disable certificate
checks via ‘git_libgit2_opts’.

Now, by default, ‘guix pull’ honors /etc/ssl/certs.  Assuming those are
up-to-date, it should be fine, right?

Thanks,
Ludo’.
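
A way to check the premise in the message above, that the certificates under /etc/ssl/certs are up to date, as an added example that is not part of the original message or of Guix. The function names, the `*.pem`/`*.crt` file patterns and the throwaway certificate are assumptions made for illustration; only `openssl x509 -checkend` and `openssl req` are relied on.

```shell
#!/bin/sh
# Added example: report certificates in a store directory that are already
# expired or will expire within a given window.

# stale_certs DIR [SECONDS]
# Prints the path of every certificate file in DIR whose notAfter date falls
# within SECONDS from now (default 0, meaning already expired).
# Only the first certificate in each file is examined, so a concatenated
# bundle is judged by its first entry.
stale_certs() {
    dir=$1
    window=${2:-0}
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue      # unmatched glob or dangling symlink
        # Skip files that do not parse as an X.509 certificate at all.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when the certificate expires in the window.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1
        then
            echo "$f"
        fi
    done
}

# make_demo_store
# Builds a throwaway directory holding one constructed, self-signed
# certificate that is valid for 1 day, and prints the directory path.
make_demo_store() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$d/demo.key" -out "$d/demo.pem" >/dev/null 2>&1 || return 1
    echo "$d"
}
```

Running `stale_certs /etc/ssl/certs 2592000` lists the certificates in the default store that expire within 30 days; empty output means none were found.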




This bug report was last modified 2 years and 224 days ago.