[debbugs-tracker] bug#25975: closed (Use HTTPS in `guix pull`)

[GNU bug Tracking System]

Your message dated Sun, 12 Mar 2017 19:48:42 +0100
with message-id <address@hidden>
and subject line Re: bug#25975: Use HTTPS in `guix pull`
has caused the debbugs.gnu.org bug report #25975,
regarding Use HTTPS in `guix pull`
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
25975: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=25975
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message --- Subject: Use HTTPS in `guix pull` Date: Sun, 05 Mar 2017 15:59:16 +0100 User-agent: Notmuch/0.23.7 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu)

I've tried a number of times to send this through `git send-email`, but
it seems to get caught in a spam filter or similar.

Trying as attachment now.

Note that this uses 'nss-certs' for easy testing, but is intended to use
'le-certs' from this thread:

https://lists.gnu.org/archive/html/guix-devel/2017-02/msg01146.html

From 6667ea5a2ec3a26dd5c4fb5f792485eeb941a969 Mon Sep 17 00:00:00 2001
From: Marius Bakke <address@hidden>
Date: Wed, 1 Mar 2017 22:11:02 +0100
Subject: [PATCH] pull: Default to HTTPS.

* guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
(guix-pull): Add GNUTLS and NSS-CERTS to inputs when appropriate.
---
 guix/scripts/pull.scm | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index a4824e4fd..4031f1d32 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -29,12 +29,16 @@
   #:use-module (guix monads)
   #:use-module ((guix build utils)
                 #:select (with-directory-excursion delete-file-recursively))
+  #:use-module ((guix build download)
+                #:select (%x509-certificate-directory))
   #:use-module (gnu packages base)
   #:use-module (gnu packages guile)
   #:use-module ((gnu packages bootstrap)
                 #:select (%bootstrap-guile))
+  #:use-module ((gnu packages certs) #:select (nss-certs))
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module ((gnu packages tls) #:select (gnutls))
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
@@ -45,7 +49,7 @@
 
 (define %snapshot-url
   ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download";
-  "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz";
+  "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz";
   )
 
 (define-syntax-rule (with-environment-variable variable value body ...)
@@ -221,11 +225,35 @@ contained therein."
                   (leave (_ "~A: unexpected argument~%") arg))
                 %default-options))
 
+  (define (use-gnutls? url)
+    (string-prefix? "https://"; url))
+
+  (define (use-le-certs? url)
+    (string-prefix? "https://git.savannah.gnu.org"; url))
+
+  (define (fetch-tarball store url)
+    (download-to-store store url "guix-latest.tar.gz"))
+
   (with-error-handling
     (let* ((opts  (parse-options))
            (store (open-connection))
            (url   (assoc-ref opts 'tarball-url)))
-      (let ((tarball (download-to-store store url "guix-latest.tar.gz")))
+      (let ((tarball
+             (if (use-gnutls? url)
+                 (begin
+                   ;; Add GnuTLS to inputs and load path.
+                   (set! %load-path
+                     (cons (string-append (package-output store gnutls)
+                                          "/share/guile/site/"
+                                          (effective-version))
+                           %load-path))
+                   (if (use-le-certs? url)
+                       (parameterize ((%x509-certificate-directory
+                                       (string-append (package-output store 
nss-certs)
+                                                      "/etc/ssl/certs")))
+                         (fetch-tarball store url))
+                       (fetch-tarball store url)))
+                 (fetch-tarball store url))))
         (unless tarball
           (leave (_ "failed to download up-to-date source, exiting\n")))
         (parameterize ((%guile-for-build
-- 
2.12.0

signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message --- Subject: Re: bug#25975: Use HTTPS in `guix pull` Date: Sun, 12 Mar 2017 19:48:42 +0100 User-agent: Notmuch/0.23.7 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Ludovic Courtès <address@hidden> writes:

> Marius Bakke <address@hidden> skribis:
>
>> From 61bf52ff461e8a53175546928bd4ee41645bb5ca Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <address@hidden>
>> Date: Wed, 1 Mar 2017 22:11:02 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Authenticate against LE-CERTS when URL is from Savannah.
>
> LGTM!
>
> I changed the configury and doc in
> 1dbe3a8db0a3e5a8e5f9b30e6f6a6bbfb699275b so that GnuTLS is a hard
> dependency.

Ok, thanks!

I've pushed this patch. Let the bug reports roll in! :-)

signature.asc
Description: PGP signature

--- End Message ---