GNU bug report logs - #70451
[PATCH] gnu: system: Add nss-certs to %base-packages.


Package: guix-patches;

Reported by: Fabio Natali <me <at> fabionatali.com>

Date: Thu, 18 Apr 2024 10:17:12 UTC

Severity: normal

Tags: patch

Done: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 70451 in the body.
You can then email your comments to 70451 AT debbugs.gnu.org in the normal way.



Report forwarded to dev <at> jpoiret.xyz, ludo <at> gnu.org, othacehe <at> gnu.org, guix-patches <at> gnu.org:
bug#70451; Package guix-patches. (Thu, 18 Apr 2024 10:17:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Fabio Natali <me <at> fabionatali.com>:
New bug report received and forwarded. Copy sent to dev <at> jpoiret.xyz, ludo <at> gnu.org, othacehe <at> gnu.org, guix-patches <at> gnu.org. (Thu, 18 Apr 2024 10:17:15 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Fabio Natali <me <at> fabionatali.com>
To: guix-patches <at> gnu.org
Cc: Fabio Natali <me <at> fabionatali.com>
Subject: [PATCH] gnu: system: Add nss-certs to %base-packages.
Date: Thu, 18 Apr 2024 11:07:06 +0100
* gnu/system.scm (%base-packages-networking): Add 'nss-certs'.

* gnu/installer/services.scm (%system-services): Remove the 'nss-certs'
system service.

* doc/guix.texi (Using the Configuration System): Remove various 'nss-certs'
occurrences as the package is now part of '%default-packages' already.

* doc/guix.texi (Web Services): Update to reflect that 'nss-certs' is part of
'%default-packages'.

* doc/guix.texi (Certificates): Update to reflect that 'nss-certs' is part of
'%default-packages'.

* gnu/system/examples/bare-bones.tmpl: Update to reflect that 'nss-certs' is
part of '%default-packages'.

* gnu/system/examples/lightweight-desktop.tmpl: Remove 'nss-certs' as it is part
of '%default-packages' already.

* gnu/system/examples/raspberry-pi-64-nfs-root.tmpl: Remove 'nss-certs' as it is
part of '%default-packages' already.

* gnu/system/images/orangepi-r1-plus-lts-rk3328.scm: Remove 'nss-certs' as it is
part of '%default-packages' already.

* gnu/system/images/pine64.scm: Remove 'nss-certs' as it is part of
'%default-packages' already.

* gnu/system/install.scm: Remove 'nss-certs' as it is part of
'%default-packages' already.

Change-Id: Icad8f5461e03c32c21c7ef715af6bd3a96eac5a9
---
Hi,

This is a little patch to add the 'nss-certs' certificates package to the list
of '%default-packages'. This has been discussed in this email thread:

https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html

Thanks, best wishes, Fabio.


 doc/guix.texi                                 | 21 ++++++++++---------
 gnu/installer/services.scm                    |  5 -----
 gnu/system.scm                                |  2 ++
 gnu/system/examples/bare-bones.tmpl           |  5 -----
 gnu/system/examples/lightweight-desktop.tmpl  |  4 +---
 .../examples/raspberry-pi-64-nfs-root.tmpl    |  3 +--
 .../images/orangepi-r1-plus-lts-rk3328.scm    |  3 +--
 gnu/system/images/pine64.scm                  |  3 +--
 gnu/system/install.scm                        |  3 +--
 9 files changed, 18 insertions(+), 31 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index f4f21c4744..dc46ccf962 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17152,7 +17152,7 @@ Using the Configuration System
 (operating-system
   ;; ...
   (packages (append (map specification->package+output
-                         '("nss-certs" "git" "git:send-email"))
+                         '("git" "git:send-email"))
                     %base-packages)))
 
 @end lisp
@@ -17240,8 +17240,7 @@ Using the Configuration System
 as returned by the @command{blkid} command.
 
 @xref{Desktop Services}, for the exact list of services provided by
-@code{%desktop-services}.  @xref{X.509 Certificates}, for background
-information about the @code{nss-certs} package that is used here.
+@code{%desktop-services}.
 
 Again, @code{%desktop-services} is just a list of service objects.  If
 you want to remove services from there, you can do so using the
@@ -32457,9 +32456,11 @@ Web Services
 so that it can authenticate Git servers when communicating over HTTPS, and it
 assumes that @file{/etc/ssl/certs} contains those certificates.
 
-Thus, make sure to add @code{nss-certs} or another certificate package to the
-@code{packages} field of your configuration.  @ref{X.509 Certificates}, for
-more information on X.509 certificates.
+The @code{nss-certs} certificate package is provided by default as part
+@code{%base-packages}.  Should you not be using @code{%base-packages},
+make sure that @code{nss-certs} (or a similar certificate package) is
+added to the @code{packages} field of your configuration.  @ref{X.509
+Certificates}, for more information on X.509 certificates.
 @end quotation
 
 @subsubheading gmnisrv
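
Review bot: The added Web Services paragraph reads "is provided by default as part @code{%base-packages}", which is missing a word; it should be "as part of @code{%base-packages}". While this sentence is being rewrapped, the cross-reference that opens the last sentence could also become @xref, since it starts a sentence.
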
@@ -41006,10 +41007,10 @@ X.509 Certificates
 is a set of CA certificates provided as part of Mozilla's Network
 Security Services.
 
-Note that it is @emph{not} part of @code{%base-packages}, so you need to
-explicitly add it.  The @file{/etc/ssl/certs} directory, which is where
-most applications and libraries look for certificates by default, points
-to the certificates installed globally.
+This package is part of @code{%base-packages}, so there's usually no
+need to explicitly add it.  The @file{/etc/ssl/certs} directory, which
+is where most applications and libraries look for certificates by
+default, points to the certificates installed globally.
 
 Unprivileged users, including users of Guix on a foreign distro,
 can also install their own certificate package in
diff --git a/gnu/installer/services.scm b/gnu/installer/services.scm
index 4dfed78785..1cb9dc579c 100644
--- a/gnu/installer/services.scm
+++ b/gnu/installer/services.scm
@@ -110,11 +110,6 @@ (define %system-services
       (name (G_ "Tor anonymous network router"))
       (type 'networking)
       (snippet '((service tor-service-type))))
-     (system-service
-      (name (G_ "Mozilla NSS certificates, for HTTPS access"))
-      (type 'networking)
-      (packages '((specification->package "nss-certs")))
-      (recommended? #t))
 
      ;; Miscellaneous system administration services.
      (system-service
diff --git a/gnu/system.scm b/gnu/system.scm
index 9b5c96d0ad..91bce727a8 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -50,6 +50,7 @@ (define-module (gnu system)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages firmware)
@@ -925,6 +926,7 @@ (define %base-packages-networking
   ;; Default set of networking packages.
   (list inetutils isc-dhcp
         iproute
+        nss-certs
         wget
         ;; wireless-tools is deprecated in favor of iw, but it's still what
         ;; many people are familiar with, so keep it around.
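
Review bot: The commit log says nss-certs is now part of '%default-packages', but the list changed here is %base-packages-networking and the doc hunks refer to @code{%base-packages}; the log entries should use the name that appears in the code. A short trailing comment on the new nss-certs entry, along the lines of the removed install.scm remark "To access HTTPS, use git, etc.", would also tell readers why a certificate bundle sits in the default networking set.
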
diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl
index dc6aff5273..7b6a4b09b0 100644
--- a/gnu/system/examples/bare-bones.tmpl
+++ b/gnu/system/examples/bare-bones.tmpl
@@ -4,9 +4,6 @@
 
 (use-modules (gnu))
 (use-service-modules networking ssh)
-;; If you want to use HTTPS, you most likely want to include
-;; "certs" in the line below.  Also read the comment about
-;; "nss-certs" later in this file.
 (use-package-modules screen ssh)
 
 (operating-system
@@ -46,8 +43,6 @@
                %base-user-accounts))
 
   ;; Globally-installed packages.
-  ;; Add "nss-certs" for Mozilla's approved CA certs.  You would
-  ;; have to have included "certs" in use-package-modules above.
   (packages (cons screen %base-packages))
 
   ;; Add services to the baseline: a DHCP client and an SSH
diff --git a/gnu/system/examples/lightweight-desktop.tmpl b/gnu/system/examples/lightweight-desktop.tmpl
index 4cb3c38311..f581a669c2 100644
--- a/gnu/system/examples/lightweight-desktop.tmpl
+++ b/gnu/system/examples/lightweight-desktop.tmpl
@@ -47,9 +47,7 @@
                      ratpoison i3-wm i3status dmenu
                      emacs emacs-exwm emacs-desktop-environment
                      ;; terminal emulator
-                     xterm
-                     ;; for HTTPS access
-                     nss-certs)
+                     xterm)
                     %base-packages))
 
   ;; Use the "desktop" services, which include the X11
diff --git a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl
index 2203375270..7d1a9bf66e 100644
--- a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl
+++ b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl
@@ -56,8 +56,7 @@
                    (supplementary-groups '("wheel" "netdev" "audio" "video"))
                    (home-directory "/home/pi"))
                   %base-user-accounts))
-    (packages (cons* nss-certs
-                     openssh
+    (packages (cons* openssh
                      %base-packages))
     (services (cons* (service avahi-service-type)
                      (service dhcp-client-service-type)
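
Review bot: With nss-certs removed, cons* in the packages field now prepends a single element, so plain cons would be clearer. Suggest (packages (cons openssh %base-packages)) on one line, matching the (cons screen %base-packages) form kept in bare-bones.tmpl.
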
diff --git a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm
index eaaa12ba78..f871c63078 100644
--- a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm
+++ b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm
@@ -55,8 +55,7 @@ (define orangepi-r1-plus-lts-rk3328-barebones-os
                                            (term "vt100")
                                            (tty "ttyS2")))
             (service dhcp-client-service-type)
-            (service ntp-service-type) %base-services))
-    (packages (cons nss-certs %base-packages))))
+            (service ntp-service-type) %base-services))))
 
 (define orangepi-r1-plus-lts-rk3328-image-type
   (image-type (name 'orangepi-r1-plus-lts-rk3328-raw)
diff --git a/gnu/system/images/pine64.scm b/gnu/system/images/pine64.scm
index 3feb69764d..457ff4345f 100644
--- a/gnu/system/images/pine64.scm
+++ b/gnu/system/images/pine64.scm
@@ -59,8 +59,7 @@ (define pine64-barebones-os
                          (tty "ttyS0")))
                (service dhcp-client-service-type)
                (service ntp-service-type)
-               %base-services))
-    (packages (cons nss-certs %base-packages))))
+               %base-services))))
 
 (define pine64-image-type
   (image-type
diff --git a/gnu/system/install.scm b/gnu/system/install.scm
index 371bfc2a63..0c9556e087 100644
--- a/gnu/system/install.scm
+++ b/gnu/system/install.scm
@@ -551,8 +551,7 @@ (define installation-os
                 (list glibc         ; for 'tzselect' & co.
                       fontconfig
                       font-dejavu font-gnu-unifont
-                      grub          ; mostly so xrefs to its manual work
-                      nss-certs)    ; To access HTTPS, use git, etc.
+                      grub)          ; mostly so xrefs to its manual work
                 %installer-disk-utilities
                 %base-packages))))
 
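
Review bot: On the new "grub)" line the trailing comment moves one column to the right, because the closing parenthesis was added without removing a space, so it no longer lines up with "; for 'tzselect' & co." above. Drop one space before the semicolon to keep the comment column aligned.
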

base-commit: 2126dab4cd81db4cbde4566d8c638e45a4c0077c
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70451; Package guix-patches. (Fri, 19 Apr 2024 07:07:02 GMT) Full text and rfc822 format available.

Message #8 received at 70451 <at> debbugs.gnu.org (full text, mbox):

From: Fabio Natali <me <at> fabionatali.com>
To: 70451 <at> debbugs.gnu.org
Subject: [PATCH] gnu: system: Add nss-certs to %base-packages.
Date: Fri, 19 Apr 2024 08:04:16 +0100
Hi,

This can be closed as a similar change has already been applied in
65e8472a4b6fc6f66871ba0dad518b7d4c63595e.

Thanks, best wishes, Fabio.


-- 
Fabio Natali
https://fabionatali.com




bug closed, send any further explanations to 70451 <at> debbugs.gnu.org and Fabio Natali <me <at> fabionatali.com> Request was from Fabio Natali <me <at> fabionatali.com> to control <at> debbugs.gnu.org. (Fri, 19 Apr 2024 07:11:02 GMT) Full text and rfc822 format available.

Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 21 Apr 2024 19:16:11 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#70451; Package guix-patches. (Sun, 21 Apr 2024 19:25:12 GMT) Full text and rfc822 format available.

Message #15 received at 70451 <at> debbugs.gnu.org (full text, mbox):

From: Fabio Natali <me <at> fabionatali.com>
To: 70451 <at> debbugs.gnu.org
Cc: Fabio Natali <me <at> fabionatali.com>
Subject: [PATCH] doc: Fix mentions of 'nss-certs'.
Date: Sun, 21 Apr 2024 20:20:34 +0100
* doc/guix.texi (Using the Configuration System): Fix mention of 'nss-certs'
after the package has been added to '%default-packages' (see
'65e8472a4b6fc6f66871ba0dad518b7d4c63595e').

* doc/guix.texi (Web Services): Fix mention of 'nss-certs' after the package has
been added to '%default-packages' (see
'65e8472a4b6fc6f66871ba0dad518b7d4c63595e').

Change-Id: Iecdecb8deb440cdea224f3e9e7ce54e89dd575a2
---
Hi,

Just a couple of microscopic updates to reflect the fact that 'nss-certs' is now
included in '%default-packages' (see
'65e8472a4b6fc6f66871ba0dad518b7d4c63595e').

Thanks, cheers, Fabio.


 doc/guix.texi | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 65af136e61..cc9867c8b3 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17246,8 +17246,7 @@ Using the Configuration System
 as returned by the @command{blkid} command.
 
 @xref{Desktop Services}, for the exact list of services provided by
-@code{%desktop-services}.  @xref{X.509 Certificates}, for background
-information about the @code{nss-certs} package that is used here.
+@code{%desktop-services}.
 
 Again, @code{%desktop-services} is just a list of service objects.  If
 you want to remove services from there, you can do so using the
@@ -32495,9 +32494,9 @@ Web Services
 so that it can authenticate Git servers when communicating over HTTPS, and it
 assumes that @file{/etc/ssl/certs} contains those certificates.
 
-Thus, make sure to add @code{nss-certs} or another certificate package to the
-@code{packages} field of your configuration.  @ref{X.509 Certificates}, for
-more information on X.509 certificates.
+A certificate package, @code{nss-certs}, is provided by default as
+part @code{%base-packages}.  @ref{X.509 Certificates}, for more
+information on X.509 certificates.
 @end quotation
 
 @subsubheading gmnisrv
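
Review bot: The replacement text in the Web Services hunk no longer tells readers what to do when their configuration does not use %base-packages; the removed lines asked them to add nss-certs "or another certificate package" to the packages field, and a sentence keeping that advice for configurations that omit %base-packages would avoid a silent HTTPS verification failure there. The new sentence is also missing a word: "as part @code{%base-packages}" should be "as part of @code{%base-packages}".
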

base-commit: a1d711c92e119f6b5b8e99a620cdba92a4ca3bfb
-- 
2.41.0





Reply sent to "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>:
You have taken responsibility. (Tue, 23 Apr 2024 06:12:14 GMT) Full text and rfc822 format available.

Notification sent to Fabio Natali <me <at> fabionatali.com>:
bug acknowledged by developer. (Tue, 23 Apr 2024 06:12:16 GMT) Full text and rfc822 format available.

Message #20 received at 70451-done <at> debbugs.gnu.org (full text, mbox):

From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: Fabio Natali <me <at> fabionatali.com>
Cc: guix-devel <at> gnu.org, 70451-done <at> debbugs.gnu.org, ludo <at> gnu.org,
 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: Re: Should we include nss-certs out of the box?
Date: Tue, 23 Apr 2024 08:11:17 +0200
Fabio Natali <me <at> fabionatali.com> writes:
> For what it's worth, I put together a micro-patch and sent it over as a
> follow-up to #70451.

Pushed as 67a3a83170c038d2eb084d3f53a7ea7b033aea74.

Thank you!

Regards,
Florian




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 21 May 2024 11:24:10 GMT) Full text and rfc822 format available.

This bug report was last modified 1 year and 29 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.