[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

`guix pull` over HTTPS

From: Leo Famulari
Subject: `guix pull` over HTTPS
Date: Thu, 9 Feb 2017 16:55:12 +0100
User-agent: Mutt/1.7.2 (2016-11-26)

Currently, the default source for `guix pull` is

It's suboptimal to download the Guix source code over HTTP, since the
data can be mutated and recorded in transit. [0]

The Savannah admins have been working tirelessly to improve the Savannah
infrastructure, and they will soon announce the public availability of
Git served over HTTPS. [1]

HTTPS is not a security panacea but, in my opinion, we should use it if
it's available, at least until `guix pull` can verify commit signatures.

However, it's a little harder to get right than HTTP. For example, `guix
pull` could fail if there is a problem with the user's certificate
store, or if their clock is wrong.

Does anyone have any specific concerns or advice about changing the
value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
Should the change be that simple, or should we do more?

The attached patch works for me on a foreign distro when SSL_CERT_DIR
and SSL_CERT_FILE are set as described in the manual (section 7.2.9
X.509 Certificates) and GnuTLS-Guile is available in my environment.

[0] Discussion of the general problems with `guix pull`:


Attachment: 0001-pull-Download-GNU-Guix-with-HTTPS.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]