bug#46829: `guix pull` uses incorrect certificate store
From: Ludovic Courtès
Subject: bug#46829: `guix pull` uses incorrect certificate store
Date: Wed, 14 Apr 2021 12:50:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hi,
Leo Famulari <leo@famulari.name> wrote:
> On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
>> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
>> pull’ uses the LE certs, but these certificates expire quite frequently,
>> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
>> authentication chain from the roots.
>
> No, that's incorrect. The certificates in le-certs expired after 5
> years, so it's not frequent.
>
> These are the root and intermediate certificates for the Let's Encrypt
> certificate authority — they are not the 90 day certificates used by a
> webserver.
>
> The problem is that we (I) failed to pay attention and let our le-certs
> package go stale.
OK. 5 years still looks kinda “frequent” to me. I would think that old
software installations (including “appliances”) would live longer than
that, no?
You install Guix on a laptop, you leave it in a drawer, and you come a
few years later and you can neither access HTTPS web sites nor run ‘guix
pull’?
>> For those who do not have ‘nss-certs’ installed, a workaround is to
>> avoid HTTPS:
>
> The original motivation of le-certs was that nss-certs would not be
> required, and that `guix pull` would always work. I think we should
> still try to achieve this.
OK.
>> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
>
> I think we should avoid adding "use insecure connection" options. Even
> if the code itself is signed.
“Insecure” is a strong word: it still prevents eavesdropping, which is
the only property that matters in the presence of authenticated
channels.
> I'm going to figure out how to subscribe to Let's Encrypt announcements
> and I'll report back with ideas about how to avoid a repeat of the
> problem.
Yes, that’s the better option. Thank you!
Ludo’.
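The failure mode discussed in this thread is a certificate bundle (le-certs) that went stale because nobody noticed its roots and intermediates approaching their expiry date. The following is an added example, not code from the bug report or from the Guix project: a standard-library-only Python script that walks the DER structure of every certificate in a PEM bundle, extracts its notAfter date, and flags entries that are expired or will expire within a warning window, so a stale bundle is caught before ‘guix pull’ starts failing. It handles both X.509 time encodings (UTCTime with its two-digit year and GeneralizedTime, which is mandatory for dates from 2050 on). The bundle it checks is constructed inline with a tiny DER encoder (a skeleton carrying only the fields the walker reads, not a real certificate); the bundle path on the command line and the 90-day warning window are assumptions.

```python
"""Flag certificates in a PEM CA bundle that are expired or expiring soon.

Added example, not code from the bug thread or the Guix project. The DER
walker uses only the standard library; the sample bundle is CONSTRUCTED
with a minimal DER encoder (not a real certificate).
"""
import base64
import datetime as dt
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = dt.timezone.utc


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield the (tag, value) pairs nested inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY < 50 means 20YY, otherwise 19YY
        year = int(text[:2])
        text = f"{year + (2000 if year < 50 else 1900)}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def not_after(der):
    """Return the notAfter datetime of one DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)               # TBSCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = fields[3][1]                 # serialNumber, signature, issuer, validity, ...
    _, after = _children(validity)          # validity ::= SEQUENCE { notBefore, notAfter }
    return _parse_time(*after)


def check_bundle(pem_bytes, now, warn_days=90):
    """Return [(index, notAfter, status)] for each certificate in the bundle."""
    results = []
    for i, m in enumerate(PEM_RE.finditer(pem_bytes)):
        expiry = not_after(base64.b64decode(b"".join(m.group(1).split())))
        if expiry <= now:
            status = "EXPIRED"
        elif expiry - now <= dt.timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "ok"
        results.append((i, expiry, status))
    return results


def statuses(pem_bytes, now, warn_days=90):
    """Just the status column, handy for a scheduled check's exit code."""
    return [status for _, _, status in check_bundle(pem_bytes, now, warn_days)]


# --- constructed sample input (hypothetical, not real certificates) ----------
def _der(tag, value):
    """Encode one TLV; long-form length once the value reaches 128 bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def fake_cert_pem(not_before, after, generalized=False):
    """CONSTRUCTED skeleton 'certificate' carrying only the fields not_after() reads."""
    def t(d):
        return (_der(0x18, d.strftime("%Y%m%d%H%M%SZ").encode()) if generalized
                else _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))  # [0] version v3
           + _der(0x02, b"\x01")            # serialNumber
           + _der(0x30, b"")                # signature algorithm (empty placeholder)
           + _der(0x30, b"")                # issuer name (empty placeholder)
           + _der(0x30, t(not_before) + t(after)))
    body = base64.encodebytes(_der(0x30, _der(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


NOW = dt.datetime(2021, 4, 14, tzinfo=UTC)   # date of the message above
SAMPLE_BUNDLE = (
    fake_cert_pem(dt.datetime(2016, 4, 1, tzinfo=UTC), dt.datetime(2021, 4, 1, tzinfo=UTC))     # five-year cert, lapsed
    + fake_cert_pem(dt.datetime(2016, 6, 1, tzinfo=UTC), dt.datetime(2021, 6, 1, tzinfo=UTC))   # lapses within 90 days
    + fake_cert_pem(dt.datetime(2016, 1, 1, tzinfo=UTC), dt.datetime(2036, 1, 1, tzinfo=UTC))   # long-lived root
    + fake_cert_pem(dt.datetime(2020, 1, 1, tzinfo=UTC), dt.datetime(2050, 1, 1, tzinfo=UTC),
                    generalized=True)                                                            # year >= 2050: GeneralizedTime
)

if __name__ == "__main__":
    # Usage: python check_bundle.py [/path/to/bundle.pem]   (the path is an assumption)
    pem = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    now = dt.datetime.now(UTC)
    for i, expiry, status in check_bundle(pem, now):
        print(f"cert {i}: notAfter {expiry:%Y-%m-%d} {status}")
    sys.exit(1 if any(s != "ok" for s in statuses(pem, now)) else 0)
```

Run periodically against the bundle a package like le-certs ships, the non-zero exit code gives maintainers the nudge the thread says was missing; the warning window should be longer than the time it takes to cut and distribute a package update.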