GNU bug report logs - #70314
[PATCH] guix: scripts: environment: add tls certs to networked containers

Previous Next

Package: guix-patches;

Reported by: Richard Sent <richard <at> freakingpenguin.com>

Date: Tue, 9 Apr 2024 19:15:01 UTC

Severity: normal

Tags: patch

Merged with 75917

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludo <at> gnu.org>
To: Richard Sent <richard <at> freakingpenguin.com>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Simon Tournier <zimon.toutoune <at> gmail.com>, Mathieu Othacehe <othacehe <at> gnu.org>, Tobias Geerinckx-Rice <me <at> tobias.gr>, Ricardo Wurmus <rekado <at> elephly.net>, guix-devel <guix-devel <at> gnu.org>, Christopher Baines <guix <at> cbaines.net>, 70314 <at> debbugs.gnu.org
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Date: Sun, 15 Sep 2024 23:39:39 +0200

Hi Richard,

Cc: guix-devel to get more feedback: this is about adding ‘nss-certs’ by
default in ‘guix shell -CN’ containers, along with a ‘--no-tls’ option
to opt out:

  https://issues.guix.gnu.org/70314

Richard Sent <richard <at> freakingpenguin.com> skribis:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Instead of adding the ‘nss-certs’ package, I would rather expose
>> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
>> certificates will be used, and (2) it’s less expensive than having to
>> compute the derivation of ‘nss-certs’.
>
> There is an issue with this that's cropped up in the past. The files in
> /etc/ssl/certs/* are symlinks to store items. Because containers only
> see a subset of store items that are in that container's profile, it
> often sees the symlinks to store items but not the target file.

Oh, indeed.

[...]

>> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
>> shell and it will take precedence over /etc/ssl/certs, assuming
>> SSL_CERT_{FILE,DIR} is defined.
>
> True, although at present anyone who wants to use nss-certs must set
> SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
> registers the search path).

Right.

[...]

> My thoughts are if we have to decide between
>
> 1. Users who want TLS with standard public endpoints
> 2. Users who want TLS with custom private endpoints
>
> it's better to prioritize a good experience for 1 and let 2 opt-out of
> the "hand holding" defaults. But perhaps it's possible to make everyone
> happy.

You’ve convinced me.

That it’s opt-out sounds reasonable to me.  ‘--no-tls’ sounds reasonable
too as a name (I thought about ‘--no-x509-certificates’ but that’s
actually less accurate since there are the SSL_* variables in addition
to the certificates themselves).

I have some comments about the patch and I’d like others to weigh in too
before we commit this change.

Thank you!

Ludo’.
This bug report was last modified 80 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.