Cuirass requires TLS certificates

> the cuirass service requires TLS certificates to do continuous integration

> of guix (or more generally, git repositories served over https). This works

> when nss-certs is installed as a global package in the system.

>

> Should the service depend on the nss-certs package? Or maybe take as an

> optional configuration parameter a certificate package?

> Andreas Enge <andreas@enge.fr> skribis:

>

>> the cuirass service requires TLS certificates to do continuous integration

>> of guix (or more generally, git repositories served over https). This works

>> when nss-certs is installed as a global package in the system.

>>

>> Should the service depend on the nss-certs package? Or maybe take as an

>> optional configuration parameter a certificate package?

>

> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass

> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").

> That would make it self-contained.

>

> That’s currently not possible though because this certificate bundle is

> built as a profile hook. We would first need to export the procedure

> that creates bundles, possibly by moving it to a new (guix

> x509-certificates) module.

> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:

>> Andreas Enge <andreas@enge.fr> skribis:

>>

>>> the cuirass service requires TLS certificates to do continuous integration

>>> of guix (or more generally, git repositories served over https). This works

>>> when nss-certs is installed as a global package in the system.

>>>

>>> Should the service depend on the nss-certs package? Or maybe take as an

>>> optional configuration parameter a certificate package?

>>

>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass

>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").

>> That would make it self-contained.

>>

>> That’s currently not possible though because this certificate bundle is

>> built as a profile hook. We would first need to export the procedure

>> that creates bundles, possibly by moving it to a new (guix

>> x509-certificates) module.

>

> What is the status of this old bug [1]? Well, if it is not fixed yet,

> it seems a forgotten bug. :-)

>

> 1: <http://issues.guix.gnu.org/issue/30619>

> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:

>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:

>>> Andreas Enge <andreas@enge.fr> skribis:

>>>

>>>> the cuirass service requires TLS certificates to do continuous integration

>>>> of guix (or more generally, git repositories served over https). This works

>>>> when nss-certs is installed as a global package in the system.

>>>>

>>>> Should the service depend on the nss-certs package? Or maybe take as an

>>>> optional configuration parameter a certificate package?

>>>

>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass

>>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").

>>> That would make it self-contained.

>>>

>>> That’s currently not possible though because this certificate bundle is

>>> built as a profile hook. We would first need to export the procedure

>>> that creates bundles, possibly by moving it to a new (guix

>>> x509-certificates) module.

>>

>> What is the status of this old bug [1]? Well, if it is not fixed yet,

>> it seems a forgotten bug. :-)

>>

>> 1: <http://issues.guix.gnu.org/issue/30619>

>

> From my understanding, this old bug could be closed. But I am not sure

> to get it right about this TLS story. So closing?

> zimoun <zimon.toutoune@gmail.com> skribis:

>> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:

>>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:

> The Cuirass Shepherd service still does:

>

> #:environment-variables

> (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

>

> which means that users still need to install certificates globally.

>

> Now, whether it’s an issue, I don’t know.

>

> Maybe we can close?

> Hi,

>

> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:

> > zimoun <zimon.toutoune@gmail.com> skribis:

> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>

> > > wrote:

> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)

> > > > wrote:

>

> > The Cuirass Shepherd service still does:

> >

> >               #:environment-variables

> >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-

> > certificates.crt" …)

> >

> > which means that users still need to install certificates globally.

> >

> > Now, whether it’s an issue, I don’t know.

> >

> > Maybe we can close?

>

> I propose to close since I do not see what could the next action.

>

> 1: <http://issues.guix.gnu.org/issue/30619>

> [...]

> This could be useful if the server the channel repositories are on

> use

> self-signed certificates (are git repositories of channels over https

> the reason cuirass requires TLS certificates).

> This could be useful if the server the channel repositories are on

> use

> self-signed certificates (are git repositories of channels over https

> the reason cuirass requires TLS certificates).

> zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:

>> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:

>> > zimoun <zimon.toutoune@gmail.com> skribis:

>> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>

>> > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)

>>

>> > The Cuirass Shepherd service still does:

>> >

>> >               #:environment-variables

>> >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-

>> > certificates.crt" …)

>> >

>> > which means that users still need to install certificates globally.

>> >

>> > Now, whether it’s an issue, I don’t know.

>> >

>> > Maybe we can close?

>>

>> I propose to close since I do not see what could the next action.

>>

>> 1: <http://issues.guix.gnu.org/issue/30619>

>

> The next action would be splitting of the bundle generation from the

> profile code, and adding a ‘certificates’ field defaulting to nss-

> certs, as Ludo seemed to suggest.

> Hi Maxime.

>

> On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos@telenet.be> wrote:

> > zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:

> > > On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo@gnu.org> wrote:

> > > > zimoun <zimon.toutoune@gmail.com> skribis:

> > > > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com>

> > > > > > On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès)

> > >

> > > > The Cuirass Shepherd service still does:

> > > >

> > > >               #:environment-variables

> > > >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-

> > > > certificates.crt" …)

> > > >

> > > > which means that users still need to install certificates globally.

> > > >

> > > > Now, whether it’s an issue, I don’t know.

> > > >

> > > > Maybe we can close?

> > >

> > > I propose to close since I do not see what could the next action.

> > >

> > > 1: <http://issues.guix.gnu.org/issue/30619>

> >

> > The next action would be splitting of the bundle generation from the

> > profile code, and adding a ‘certificates’ field defaulting to nss-

> > certs, as Ludo seemed to suggest.

>

> Do you have an idea how to implement this suggestion? Otherwise, I

> think closing is reasonable. :-)

> [various discussion]