bug#46829: `guix pull` uses incorrect certificate store

[Leo Famulari]

On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
> pull’ uses the LE certs, but these certificates expire quite frequently,
> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
> authentication chain from the roots.

No, that's incorrect. The certificates in le-certs expired after 5
years, so it's not frequent.

These are the root and intermediate certificates for the Let's Encrypt
certificate authority — they are not the 90 day certificates used by a
webserver.

The problem is that we (I) failed to pay attention and let our le-certs
package go stale.

> For those who do not have ‘nss-certs’ installed, a workaround is to do
> avoid HTTPS:

The original motivation of le-certs was that nss-certs would not be
required, and that `guix pull` would always work. I think we should
still try to achieve this.

>   guix pull --url=http://git.savannah.gnu.org/git/guix.git
> 
> This is fine because the ‘guix’ channel is authenticated anyway.

Yes, that works and is pretty safe. Although Guix will complain because
it can't tell that this is the same repo.

> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.

I think we should avoid adding "use insecure connection" options. Even
if the code itself is signed.

I'm going to figure out how to subscribe to Let's Encrypt announcements
and I'll report back with ideas about how to avoid a repeat of the
problem.

signature.asc
Description: PGP signature