GNU bug report logs - #76296
[PATCH maintenance] hydra: bayfront: Set up ‘git.guix.gnu.org’ as a redirect to Savannah.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 14 Feb 2025 23:16:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #44 received at 76296 <at> debbugs.gnu.org (full text, mbox):

From: Giovanni Biscuolo <g <at> xelera.eu>
To: Ludovic Courtès <ludo <at> gnu.org>,
 Ricardo Wurmus <rekado <at> elephly.net>
Cc: 76296 <at> debbugs.gnu.org, guix-sysadmin <at> gnu.org
Subject: Re: bug#76296: [PATCH maintenance] hydra: bayfront: Set up
 ‘git.guix.gnu.org’ as a redirect to
 Savannah.
Date: Thu, 15 May 2025 13:04:31 +0200
Hello,

On mer, mag 14 2025, Ludovic Courtès wrote:

> Ricardo Wurmus <rekado <at> elephly.net> writes:
>
>> Noé Lopez <noelopez <at> free.fr> writes:
>>
>>> I guess it's for style points, which I’m all for. I do think it would
>>> be better to set the URL to git.guix.gnu.org/guix/guix.git and just a
>>> DNS redirect to codeberg to avoid the extra connection.
>>
>> I second this.
>>
>> I think a DNS level redirect would be sufficient.  I'd prefer not to
>> loop in bayfront for every git connection.
>
> As I suggested in <https://issues.guix.gnu.org/76296>, I don’t think
> that’s possible: the X.509 certificate that codeberg.org serves is for
> codeberg.org, not for git.guix.gnu.org, so TLS libraries would report a
> host name mismatch.

I can confirm it's not possible to use a host name that is not part of
the list of hosts in the X.509 certificate, which in this case is the one
provided by the codeberg.org web server [1].

The only way to use git.guix.gnu.org is to set up a proxy server with
proper TLS termination... and yes: it means that the proxy server is
/always/ in the loop.

Currently I use haproxy (on Nix, not on Guix) to achieve this kind of
configuration but I know it's also possible with nginx (but I have never
done it myself).

IMHO setting up a proxy is worth the effort (correct English?), since I
see a strategic advantage in having git.guix.gnu.org as an official
remote name and the traffic seen by a server under Guix Team control,
also for eventual and future load balancing, if needed.

I can help if needed, but please keep me in Cc since in this (long)
period I seldom follow the mailing lists, sorry.

Just my 2 cents :-)

Thank you for your work! Gio'


[1] unless codeberg.org provides a way to add an alias to a remote _and_
adds that alias to the list of hosts for the certificate... but I doubt
it, since it could quickly become technically hard to manage (is there a
limit to the number of extra host names for a certificate?).

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
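
The host name mismatch discussed in this message, as an added example that is not part of the original thread or of any Guix code: a client compares the name from the URL, not the DNS alias target, against the certificate's names. The SAN lists and the `proxy.example` endpoint are constructed assumptions, not values read from real servers.

```python
# Added example; SAN lists and proxy.example are constructed, not read from live servers.

def match_dns_name(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one certificate dNSName against a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label, with a real domain after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


# Constructed view of the names each endpoint presents in its certificate.
CONSTRUCTED_SERVERS = {
    "codeberg.org": ["codeberg.org", "*.codeberg.org"],
    "proxy.example": ["git.guix.gnu.org"],  # hypothetical TLS-terminating proxy
}


def resolve(host: str, cnames: dict) -> str:
    """Follow CNAME aliases to the endpoint that will actually answer."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host


def tls_connect(url_host: str, cnames: dict, servers=CONSTRUCTED_SERVERS):
    """Return (endpoint reached, whether certificate verification passes)."""
    endpoint = resolve(url_host, cnames)
    sans = servers[endpoint]
    # The client checks the name taken from the URL; the DNS answer is
    # untrusted input and never changes the reference identity.
    ok = any(match_dns_name(san, url_host) for san in sans)
    return endpoint, ok


if __name__ == "__main__":
    alias = {"git.guix.gnu.org": "codeberg.org"}     # DNS-level redirect
    proxied = {"git.guix.gnu.org": "proxy.example"}  # proxy with its own certificate
    print(tls_connect("codeberg.org", {}))
    print(tls_connect("git.guix.gnu.org", alias))
    print(tls_connect("git.guix.gnu.org", proxied))
```
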

This bug report was last modified today.
