GNU bug report logs - #30619
Cuirass requires TLS certificates


Package: guix

Reported by: Andreas Enge <andreas <at> enge.fr>

Date: Mon, 26 Feb 2018 20:53:01 UTC

Severity: normal

Done: Maxime Devos <maximedevos <at> telenet.be>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 30619 in the body.
You can then email your comments to 30619 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Mon, 26 Feb 2018 20:53:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Enge <andreas <at> enge.fr>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 26 Feb 2018 20:53:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: bug-guix <at> gnu.org
Subject: Cuirass requires TLS certificates
Date: Mon, 26 Feb 2018 21:51:58 +0100
Hello,

the cuirass service requires TLS certificates to do continuous integration
of guix (or more generally, git repositories served over https). This works
when nss-certs is installed as a global package in the system.

Should the service depend on the nss-certs package? Or maybe take as an
optional configuration parameter a certificate package?

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Tue, 27 Feb 2018 16:01:01 GMT) Full text and rfc822 format available.

Message #8 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Andreas Enge <andreas <at> enge.fr>
Cc: 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Tue, 27 Feb 2018 17:00:40 +0100
Andreas Enge <andreas <at> enge.fr> skribis:

> the cuirass service requires TLS certificates to do continuous integration
> of guix (or more generally, git repositories served over https). This works
> when nss-certs is installed as a global package in the system.
>
> Should the service depend on the nss-certs package? Or maybe take as an
> optional configuration parameter a certificate package?

I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
That would make it self-contained.

That’s currently not possible though because this certificate bundle is
built as a profile hook.  We would first need to export the procedure
that creates bundles, possibly by moving it to a new (guix
x509-certificates) module.

Thoughts?

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Thu, 16 Sep 2021 07:46:02 GMT) Full text and rfc822 format available.

Message #11 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: ludo <at> gnu.org (Ludovic Courtès), Mathieu Othacehe
 <othacehe <at> gnu.org>
Cc: Andreas Enge <andreas <at> enge.fr>, 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Thu, 16 Sep 2021 09:33:15 +0200
Hi,

On Tue, 27 Feb 2018 at 17:00, ludo <at> gnu.org (Ludovic Courtès) wrote:
> Andreas Enge <andreas <at> enge.fr> skribis:
>
>> the cuirass service requires TLS certificates to do continuous integration
>> of guix (or more generally, git repositories served over https). This works
>> when nss-certs is installed as a global package in the system.
>>
>> Should the service depend on the nss-certs package? Or maybe take as an
>> optional configuration parameter a certificate package?
>
> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
> That would make it self-contained.
>
> That’s currently not possible though because this certificate bundle is
> built as a profile hook.  We would first need to export the procedure
> that creates bundles, possibly by moving it to a new (guix
> x509-certificates) module.

What is the status of this old bug [1]?  Well, if it is not fixed yet,
it seems a forgotten bug. :-)

1: <http://issues.guix.gnu.org/issue/30619>

Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Tue, 12 Oct 2021 22:05:03 GMT) Full text and rfc822 format available.

Message #14 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: Mathieu Othacehe <othacehe <at> gnu.org>, Andreas Enge <andreas <at> enge.fr>,
 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Tue, 12 Oct 2021 23:57:11 +0200
Hi,

On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune <at> gmail.com> wrote:
> On Tue, 27 Feb 2018 at 17:00, ludo <at> gnu.org (Ludovic Courtès) wrote:
>> Andreas Enge <andreas <at> enge.fr> skribis:
>>
>>> the cuirass service requires TLS certificates to do continuous integration
>>> of guix (or more generally, git repositories served over https). This works
>>> when nss-certs is installed as a global package in the system.
>>>
>>> Should the service depend on the nss-certs package? Or maybe take as an
>>> optional configuration parameter a certificate package?
>>
>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>> That would make it self-contained.
>>
>> That’s currently not possible though because this certificate bundle is
>> built as a profile hook.  We would first need to export the procedure
>> that creates bundles, possibly by moving it to a new (guix
>> x509-certificates) module.
>
> What is the status of this old bug [1]?  Well, if it is not fixed yet,
> it seems a forgotten bug. :-)
>
> 1: <http://issues.guix.gnu.org/issue/30619>

From my understanding, this old bug could be closed.  But I am not sure
to get it right about this TLS story.  So closing?


Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Fri, 15 Oct 2021 15:22:02 GMT) Full text and rfc822 format available.

Message #17 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: Mathieu Othacehe <othacehe <at> gnu.org>, Andreas Enge <andreas <at> enge.fr>,
 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Fri, 15 Oct 2021 17:20:57 +0200
Hi,

zimoun <zimon.toutoune <at> gmail.com> skribis:

> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune <at> gmail.com> wrote:
>> On Tue, 27 Feb 2018 at 17:00, ludo <at> gnu.org (Ludovic Courtès) wrote:
>>> Andreas Enge <andreas <at> enge.fr> skribis:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook.  We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]?  Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed.  But I am not sure
> to get it right about this TLS story.  So closing?

The Cuirass Shepherd service still does:

              #:environment-variables
              (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

which means that users still need to install certificates globally.

Now, whether it’s an issue, I don’t know.

Maybe we can close?

Thanks,
Ludo’.
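
The service setting quoted above hard-codes GIT_SSL_CAINFO to a path that exists only when certificates are installed globally. As an added example (not part of the thread, and not Cuirass or Guix code), this preflight check reports whether such a path holds a usable PEM bundle; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Cuirass or Guix code. It only counts PEM markers; it
# does not parse or validate the certificates themselves.

# check_ca_bundle FILE: print a status word; return 0 only for a usable bundle.
#   ok:N        N complete certificate blocks
#   missing     nothing at that path (no certificates installed globally)
#   not-a-file  path exists but is not a regular file
#   unreadable  the calling user cannot read it
#   empty       no certificate blocks
#   truncated   BEGIN and END markers do not pair up
check_ca_bundle() {
    bundle=$1
    [ -e "$bundle" ] || { echo missing; return 1; }
    [ -f "$bundle" ] || { echo not-a-file; return 1; }
    [ -r "$bundle" ] || { echo unreadable; return 1; }
    # grep -c exits 1 on a zero count, hence "|| true".
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$bundle" || true)
    [ "$begins" -gt 0 ] || { echo empty; return 1; }
    [ "$begins" -eq "$ends" ] || { echo truncated; return 1; }
    echo "ok:$begins"
}

# check_git_cainfo: run the check on whatever GIT_SSL_CAINFO names.
check_git_cainfo() {
    [ -n "${GIT_SSL_CAINFO:-}" ] || { echo unset; return 1; }
    check_ca_bundle "$GIT_SSL_CAINFO"
}

# write_sample_bundles DIR: constructed test files; the base64 body is a
# placeholder, not a real certificate.
write_sample_bundles() {
    dir=$1
    for n in 1 2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
    done > "$dir/good.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RS' > "$dir/cut.crt"
    : > "$dir/blank.crt"
}

demo_dir=$(mktemp -d)
write_sample_bundles "$demo_dir"
for f in good.crt cut.crt blank.crt absent.crt; do
    printf '%-12s %s\n' "$f" "$(check_ca_bundle "$demo_dir/$f")"
done
# The path the service hard-codes; the result depends on the host.
sys=$(GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt; check_git_cainfo) || true
printf '%-12s %s\n' system "$sys"
rm -rf "$demo_dir"
```

A `missing` result for the system path is the state this report describes: the variable is set, but nothing provides the file.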




Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Fri, 26 Nov 2021 01:44:01 GMT) Full text and rfc822 format available.

Message #20 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Mathieu Othacehe <othacehe <at> gnu.org>, Andreas Enge <andreas <at> enge.fr>,
 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Fri, 26 Nov 2021 02:38:22 +0100
Hi,

On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo <at> gnu.org> wrote:
> zimoun <zimon.toutoune <at> gmail.com> skribis:
>> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune <at> gmail.com> wrote:
>>> On Tue, 27 Feb 2018 at 17:00, ludo <at> gnu.org (Ludovic Courtès) wrote:

> The Cuirass Shepherd service still does:
>
>               #:environment-variables
>               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>
> which means that users still need to install certificates globally.
>
> Now, whether it’s an issue, I don’t know.
>
> Maybe we can close?

I propose to close since I do not see what could be the next action.

1: <http://issues.guix.gnu.org/issue/30619>


Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Fri, 26 Nov 2021 06:29:01 GMT) Full text and rfc822 format available.

Message #23 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: zimoun <zimon.toutoune <at> gmail.com>, Ludovic Courtès
 <ludo <at> gnu.org>
Cc: Mathieu Othacehe <othacehe <at> gnu.org>, Andreas Enge <andreas <at> enge.fr>,
 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Fri, 26 Nov 2021 06:28:20 +0000
zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> Hi,
> 
> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo <at> gnu.org> wrote:
> > zimoun <zimon.toutoune <at> gmail.com> skribis:
> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune <at> gmail.com>
> > > wrote:
> > > > On Tue, 27 Feb 2018 at 17:00, ludo <at> gnu.org (Ludovic Courtès)
> > > > wrote:
> 
> > The Cuirass Shepherd service still does:
> > 
> >               #:environment-variables
> >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
> > 
> > which means that users still need to install certificates globally.
> > 
> > Now, whether it’s an issue, I don’t know.
> > 
> > Maybe we can close?
> 
> I propose to close since I do not see what could be the next action.
> 
> 1: <http://issues.guix.gnu.org/issue/30619>

The next action would be splitting of the bundle generation from the
profile code, and adding a ‘certificates’ field defaulting to
nss-certs, as Ludo seemed to suggest.

This could be useful if the server the channel repositories are on use
self-signed certificates (are git repositories of channels over https
the reason cuirass requires TLS certificates).


Greetings,
Maxime





Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Fri, 26 Nov 2021 06:32:01 GMT) Full text and rfc822 format available.

Message #26 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: zimoun <zimon.toutoune <at> gmail.com>, Ludovic Courtès
 <ludo <at> gnu.org>
Cc: Mathieu Othacehe <othacehe <at> gnu.org>, Andreas Enge <andreas <at> enge.fr>,
 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Fri, 26 Nov 2021 06:31:06 +0000
Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> [...]
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

This was meant to be:

‘This could be useful if the server the channel repositories are on
use self-signed certificates (are git repositories of channels over
https the reason cuirass requires TLS certificates?).’






Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Fri, 26 Nov 2021 06:33:02 GMT) Full text and rfc822 format available.

Message #29 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: zimoun <zimon.toutoune <at> gmail.com>, Ludovic Courtès
 <ludo <at> gnu.org>
Cc: Mathieu Othacehe <othacehe <at> gnu.org>, Andreas Enge <andreas <at> enge.fr>,
 30619 <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Fri, 26 Nov 2021 06:32:10 +0000
Maxime Devos schreef op vr 26-11-2021 om 06:28 [+0000]:
> This could be useful if the server the channel repositories are on
> use
> self-signed certificates (are git repositories of channels over https
> the reason cuirass requires TLS certificates).

Oops, this argument doesn't have much value, because those certificates
might as well be added to the system profile.





Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Tue, 04 Jan 2022 23:20:01 GMT) Full text and rfc822 format available.

Message #32 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: Mathieu Othacehe <othacehe <at> gnu.org>,
 Ludovic Courtès <ludo <at> gnu.org>, 30619 <at> debbugs.gnu.org,
 Andreas Enge <andreas <at> enge.fr>
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Wed, 05 Jan 2022 00:09:22 +0100
Hi Maxime.

On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos <at> telenet.be> wrote:
> zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
>> On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo <at> gnu.org> wrote:
>> > zimoun <zimon.toutoune <at> gmail.com> skribis:
>> > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune <at> gmail.com>
>> > > > On Tue, 27 Feb 2018 at 17:00, ludo <at> gnu.org (Ludovic Courtès)
>>
>> > The Cuirass Shepherd service still does:
>> >
>> >               #:environment-variables
>> >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
>> >
>> > which means that users still need to install certificates globally.
>> >
>> > Now, whether it’s an issue, I don’t know.
>> >
>> > Maybe we can close?
>>
>> I propose to close since I do not see what could be the next action.
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> The next action would be splitting of the bundle generation from the
> profile code, and adding a ‘certificates’ field defaulting to
> nss-certs, as Ludo seemed to suggest.

Do you have an idea how to implement this suggestion?  Otherwise, I
think closing is reasonable. :-)

Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#30619; Package guix. (Wed, 05 Jan 2022 09:54:01 GMT) Full text and rfc822 format available.

Message #35 received at 30619 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: Mathieu Othacehe <othacehe <at> gnu.org>,
 Ludovic Courtès <ludo <at> gnu.org>, 30619 <at> debbugs.gnu.org,
 Andreas Enge <andreas <at> enge.fr>
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Wed, 05 Jan 2022 10:53:20 +0100
zimoun schreef op wo 05-01-2022 om 00:09 [+0100]:
> Hi Maxime.
> 
> On Fri, 26 Nov 2021 at 06:28, Maxime Devos <maximedevos <at> telenet.be> wrote:
> > zimoun schreef op vr 26-11-2021 om 02:38 [+0100]:
> > > On Fri, 15 Oct 2021 at 17:20, Ludovic Courtès <ludo <at> gnu.org> wrote:
> > > > zimoun <zimon.toutoune <at> gmail.com> skribis:
> > > > > On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune <at> gmail.com>
> > > > > > On Tue, 27 Feb 2018 at 17:00, ludo <at> gnu.org (Ludovic Courtès)
> > > 
> > > > The Cuirass Shepherd service still does:
> > > > 
> > > >               #:environment-variables
> > > >               (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)
> > > > 
> > > > which means that users still need to install certificates globally.
> > > > 
> > > > Now, whether it’s an issue, I don’t know.
> > > > 
> > > > Maybe we can close?
> > > 
> > > I propose to close since I do not see what could be the next action.
> > > 
> > > 1: <http://issues.guix.gnu.org/issue/30619>
> > 
> > The next action would be splitting of the bundle generation from the
> > profile code, and adding a ‘certificates’ field defaulting to
> > nss-certs, as Ludo seemed to suggest.
> 
> Do you have an idea how to implement this suggestion?  Otherwise, I
> think closing is reasonable. :-)

That suggestion (+ Ludovic's suggestion of a
(guix x509-certificates) module) was my suggested implementation, it
just needs to be translated from a description in English to an actual
patch.

Anyway, I don't think closing is reasonable, because the bug
(certificates need to be installed globally) still exists, and it
is actionable (there's even a suggested implementation),
so a sufficiently motivated party (not me currently) could address the
issue.

Greetings,
Maxime.

Reply sent to Maxime Devos <maximedevos <at> telenet.be>:
You have taken responsibility. (Fri, 21 Jan 2022 10:45:03 GMT) Full text and rfc822 format available.

Notification sent to Andreas Enge <andreas <at> enge.fr>:
bug acknowledged by developer. (Fri, 21 Jan 2022 10:45:03 GMT) Full text and rfc822 format available.

Message #40 received at 30619-done <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: zimoun <zimon.toutoune <at> gmail.com>, control <at> debbugs.gnu.org
Cc: Mathieu Othacehe <othacehe <at> gnu.org>, Andreas Enge <andreas <at> enge.fr>,
 30619-done <at> debbugs.gnu.org
Subject: Re: bug#30619: Cuirass requires TLS certificates
Date: Fri, 21 Jan 2022 11:44:10 +0100
bugs 30619 + donewontfix
thanks

> [various discussion]

While I believe a 'certificates' field or the like would be nice,
there does not appear to be a need or interest, hence closing.

If someone would like to implement some solution or has a need,
they can reopen the bug (see
<https://debbugs.gnu.org/server-control.html>).

Greetings,
Maxime.


bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 18 Feb 2022 12:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 67 days ago.
