Package: guix-patches;
Reported by: Fabio Natali <me <at> fabionatali.com>
Date: Thu, 18 Apr 2024 10:17:12 UTC
Severity: normal
Tags: patch
Done: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
Bug is archived. No further changes may be made.
From: Fabio Natali <me <at> fabionatali.com>
To: 70451 <at> debbugs.gnu.org
Cc: Fabio Natali <me <at> fabionatali.com>, Josselin Poiret <dev <at> jpoiret.xyz>, Ludovic Courtès <ludo <at> gnu.org>, Mathieu Othacehe <othacehe <at> gnu.org>
Subject: [bug#70451] [PATCH] gnu: system: Add nss-certs to %base-packages.
Date: Thu, 18 Apr 2024 11:07:06 +0100

* gnu/system.scm (%base-packages-networking): Add 'nss-certs'.
* gnu/installer/services.scm (%system-services): Remove the 'nss-certs' system service.
* doc/guix.texi (Using the Configuration System): Remove various 'nss-certs' occurrences as the package is now part of '%default-packages' already.
* doc/guix.texi (Web Services): Update to reflect that 'nss-certs' is part of '%default-packages'.
* doc/guix.texi (Certificates): Update to reflect that 'nss-certs' is part of '%default-packages'.
* gnu/system/examples/bare-bones.tmpl: Update to reflect that 'nss-certs' is part of '%default-packages'.
* gnu/system/examples/lightweight-desktop.tmpl: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/examples/raspberry-pi-64-nfs-root.tmpl: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/images/orangepi-r1-plus-lts-rk3328.scm: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/images/pine64.scm: Remove 'nss-certs' as it is part of '%default-packages' already.
* gnu/system/install.scm: Remove 'nss-certs' as it is part of '%default-packages' already.

Change-Id: Icad8f5461e03c32c21c7ef715af6bd3a96eac5a9
---
Hi,

This is a little patch to add the 'nss-certs' certificates package to the list of '%default-packages'.

This has been discussed in this email thread:

https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html

Thanks, best wishes, Fabio.

doc/guix.texi | 21 ++++++++++---------
gnu/installer/services.scm | 5 -----
gnu/system.scm | 2 ++
gnu/system/examples/bare-bones.tmpl | 5 -----
gnu/system/examples/lightweight-desktop.tmpl | 4 +---
.../examples/raspberry-pi-64-nfs-root.tmpl | 3 +--
.../images/orangepi-r1-plus-lts-rk3328.scm | 3 +--
gnu/system/images/pine64.scm | 3 +--
gnu/system/install.scm | 3 +--
9 files changed, 18 insertions(+), 31 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index f4f21c4744..dc46ccf962 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -17152,7 +17152,7 @@ Using the Configuration System (operating-system ;; ... (packages (append (map specification->package+output - '("nss-certs" "git" "git:send-email")) + '("git" "git:send-email")) %base-packages))) @end lisp @@ -17240,8 +17240,7 @@ Using the Configuration System as returned by the @command{blkid} command. @xref{Desktop Services}, for the exact list of services provided by -@code{%desktop-services}. @xref{X.509 Certificates}, for background -information about the @code{nss-certs} package that is used here. +@code{%desktop-services}. Again, @code{%desktop-services} is just a list of service objects. If you want to remove services from there, you can do so using the @@ -32457,9 +32456,11 @@ Web Services so that it can authenticate Git servers when communicating over HTTPS, and it assumes that @file{/etc/ssl/certs} contains those certificates. -Thus, make sure to add @code{nss-certs} or another certificate package to the -@code{packages} field of your configuration. @ref{X.509 Certificates}, for -more information on X.509 certificates. +The @code{nss-certs} certificate package is provided by default as part +@code{%base-packages}. Should you not be using @code{%base-packages}, +make sure that @code{nss-certs} (or a similar certificate package) is +added to the @code{packages} field of your configuration. @ref{X.509 +Certificates}, for more information on X.509 certificates. @end quotation @subsubheading gmnisrv 
@@ -41006,10 +41007,10 @@ X.509 Certificates is a set of CA certificates provided as part of Mozilla's Network Security Services. -Note that it is @emph{not} part of @code{%base-packages}, so you need to -explicitly add it. The @file{/etc/ssl/certs} directory, which is where -most applications and libraries look for certificates by default, points -to the certificates installed globally. +This package is part of @code{%base-packages}, so there's usually no +need to explicitly add it. The @file{/etc/ssl/certs} directory, which +is where most applications and libraries look for certificates by +default, points to the certificates installed globally. Unprivileged users, including users of Guix on a foreign distro, can also install their own certificate package in diff --git a/gnu/installer/services.scm b/gnu/installer/services.scm index 4dfed78785..1cb9dc579c 100644 --- a/gnu/installer/services.scm +++ b/gnu/installer/services.scm @@ -110,11 +110,6 @@ (define %system-services (name (G_ "Tor anonymous network router")) (type 'networking) (snippet '((service tor-service-type)))) - (system-service - (name (G_ "Mozilla NSS certificates, for HTTPS access")) - (type 'networking) - (packages '((specification->package "nss-certs"))) - (recommended? #t)) ;; Miscellaneous system administration services. (system-service diff --git a/gnu/system.scm b/gnu/system.scm index 9b5c96d0ad..91bce727a8 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -50,6 +50,7 @@ (define-module (gnu system) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages bash) + #:use-module (gnu packages certs) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) #:use-module (gnu packages firmware) 
@@ -925,6 +926,7 @@ (define %base-packages-networking ;; Default set of networking packages. (list inetutils isc-dhcp iproute + nss-certs wget ;; wireless-tools is deprecated in favor of iw, but it's still what ;; many people are familiar with, so keep it around. diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl index dc6aff5273..7b6a4b09b0 100644 --- a/gnu/system/examples/bare-bones.tmpl +++ b/gnu/system/examples/bare-bones.tmpl @@ -4,9 +4,6 @@ (use-modules (gnu)) (use-service-modules networking ssh) -;; If you want to use HTTPS, you most likely want to include -;; "certs" in the line below. Also read the comment about -;; "nss-certs" later in this file. (use-package-modules screen ssh) (operating-system @@ -46,8 +43,6 @@ %base-user-accounts)) ;; Globally-installed packages. - ;; Add "nss-certs" for Mozilla's approved CA certs. You would - ;; have to have included "certs" in use-package-modules above. (packages (cons screen %base-packages)) ;; Add services to the baseline: a DHCP client and an SSH diff --git a/gnu/system/examples/lightweight-desktop.tmpl b/gnu/system/examples/lightweight-desktop.tmpl index 4cb3c38311..f581a669c2 100644 --- a/gnu/system/examples/lightweight-desktop.tmpl +++ b/gnu/system/examples/lightweight-desktop.tmpl @@ -47,9 +47,7 @@ ratpoison i3-wm i3status dmenu emacs emacs-exwm emacs-desktop-environment ;; terminal emulator - xterm - ;; for HTTPS access - nss-certs) + xterm) %base-packages)) ;; Use the "desktop" services, which include the X11 diff --git a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl index 2203375270..7d1a9bf66e 100644 --- a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl +++ b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl 
@@ -56,8 +56,7 @@ (supplementary-groups '("wheel" "netdev" "audio" "video")) (home-directory "/home/pi")) %base-user-accounts)) - (packages (cons* nss-certs - openssh + (packages (cons* openssh %base-packages)) (services (cons* (service avahi-service-type) (service dhcp-client-service-type) diff --git a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm index eaaa12ba78..f871c63078 100644 --- a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm +++ b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm @@ -55,8 +55,7 @@ (define orangepi-r1-plus-lts-rk3328-barebones-os (term "vt100") (tty "ttyS2"))) (service dhcp-client-service-type) - (service ntp-service-type) %base-services)) - (packages (cons nss-certs %base-packages)))) + (service ntp-service-type) %base-services)))) (define orangepi-r1-plus-lts-rk3328-image-type (image-type (name 'orangepi-r1-plus-lts-rk3328-raw) diff --git a/gnu/system/images/pine64.scm b/gnu/system/images/pine64.scm index 3feb69764d..457ff4345f 100644 --- a/gnu/system/images/pine64.scm +++ b/gnu/system/images/pine64.scm @@ -59,8 +59,7 @@ (define pine64-barebones-os (tty "ttyS0"))) (service dhcp-client-service-type) (service ntp-service-type) - %base-services)) - (packages (cons nss-certs %base-packages)))) + %base-services)))) (define pine64-image-type (image-type diff --git a/gnu/system/install.scm b/gnu/system/install.scm index 371bfc2a63..0c9556e087 100644 --- a/gnu/system/install.scm +++ b/gnu/system/install.scm @@ -551,8 +551,7 @@ (define installation-os (list glibc ; for 'tzselect' & co. fontconfig font-dejavu font-gnu-unifont - grub ; mostly so xrefs to its manual work - nss-certs) ; To access HTTPS, use git, etc. + grub) ; mostly so xrefs to its manual work %installer-disk-utilities %base-packages)))) base-commit: 2126dab4cd81db4cbde4566d8c638e45a4c0077c -- 2.41.0
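
Review bot: in doc/guix.texi, the "Using the Configuration System" example drops "nss-certs" from the specification->package+output list, but none of the nine files in the diffstat tells people with existing configurations about the change. Configurations written from the old example still list nss-certs next to %base-packages; a news entry, or a sentence in the manual saying the explicit entry is now redundant and can be removed, would cover them.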
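
Review bot: in the Web Services hunk of doc/guix.texi, "is provided by default as part @code{%base-packages}" is missing a word and should read "as part of @code{%base-packages}". The closing sentence of the same hunk still begins with @ref{X.509 Certificates}; at the start of a sentence the file uses @xref, as in the "@xref{Desktop Services}" context line of the second hunk, so this is a good moment to switch it.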
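
Review bot: the X.509 Certificates hunk in doc/guix.texi flips the documented default from "not part of %base-packages" to "part of %base-packages" without saying how to opt out. With this change every system built on %base-packages gets the Mozilla CA set behind /etc/ssl/certs, which the same paragraph describes as the place most applications and libraries look by default. Suggest adding a sentence for administrators who want a different or smaller trust store, stating that nss-certs then has to be taken out of the package list; the Web Services hunk already handles the converse case with "Should you not be using %base-packages".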
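
Review bot: in gnu/system.scm the package is added to %base-packages-networking and the manual hunks call the user-facing list %base-packages, but the commit log and the cover note say '%default-packages' throughout, a name that appears nowhere in the diff. The log should use %base-packages so it matches the code and the subject line. The gnu/system.scm log entry also leaves out the new "#:use-module (gnu packages certs)" line added to the define-module form.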
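
Review bot: in lightweight-desktop.tmpl, raspberry-pi-64-nfs-root.tmpl, orangepi-r1-plus-lts-rk3328.scm, pine64.scm and install.scm the hunks remove the nss-certs references, and the per-file counts in the diffstat match those hunks exactly, so the module import lists of these files are untouched. If any of them imports the certs package module only for nss-certs, that import is now unused and should be dropped in the same commit. bare-bones.tmpl is fine on this point: its visible "(use-package-modules screen ssh)" line never included certs.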