bug-guix

bug#30619: Cuirass requires TLS certificates


From: Ludovic Courtès
Subject: bug#30619: Cuirass requires TLS certificates
Date: Fri, 15 Oct 2021 17:20:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

> On Thu, 16 Sep 2021 at 09:33, zimoun <zimon.toutoune@gmail.com> wrote:
>> On Tue, 27 Feb 2018 at 17:00, ludo@gnu.org (Ludovic Courtès) wrote:
>>> Andreas Enge <andreas@enge.fr> skribis:
>>>
>>>> the cuirass service requires TLS certificates to do continuous integration
>>>> of guix (or more generally, git repositories served over https). This works
>>>> when nss-certs is installed as a global package in the system.
>>>>
>>>> Should the service depend on the nss-certs package? Or maybe take as an
>>>> optional configuration parameter a certificate package?
>>>
>>> I thought that, instead of assuming /etc/ssl/certs exists, the Cuirass
>>> service could use (file-append nss-certs 
>>> "/etc/ssl/certs/ca-certificates.crt").
>>> That would make it self-contained.
>>>
>>> That’s currently not possible though because this certificate bundle is
>>> built as a profile hook.  We would first need to export the procedure
>>> that creates bundles, possibly by moving it to a new (guix
>>> x509-certificates) module.
>>
>> What is the status of this old bug [1]?  Well, if it is not fixed yet,
>> it seems a forgotten bug. :-)
>>
>> 1: <http://issues.guix.gnu.org/issue/30619>
>
> From my understanding, this old bug could be closed.  But I am not sure
> to get it right about this TLS story.  So closing?

The Cuirass Shepherd service still does:

              #:environment-variables
              (list "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt" …)

which means that users still need to install certificates globally.

Now, whether it’s an issue, I don’t know.

Maybe we can close?

Thanks,
Ludo’.
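
Added example, not part of the original message and not code from Cuirass or Guix: a shell preflight for the setting quoted above. It reports whether the bundle named by GIT_SSL_CAINFO exists and holds at least one PEM certificate. The function name ca_bundle_status and its status words are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: preflight check for the CA bundle that GIT_SSL_CAINFO names.
# ca_bundle_status and its status words are hypothetical, not a Guix/Cuirass API.

# ca_bundle_status ASSIGNMENT
#   ASSIGNMENT is an environment entry such as
#   "GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt".
#   Prints one of: not-set, missing, unreadable, empty, ok:<count>.
#   Returns 0 only when at least one certificate is found.
ca_bundle_status() {
    case "$1" in
        GIT_SSL_CAINFO=?*) bundle=${1#GIT_SSL_CAINFO=} ;;
        *) echo "not-set"; return 1 ;;
    esac
    # -e follows symlinks, so a dangling link (no certificate package
    # installed system-wide) is reported as missing.
    if [ ! -e "$bundle" ]; then echo "missing"; return 1; fi
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "unreadable"; return 1
    fi
    # grep -c prints 0 and exits 1 when nothing matches; keep the count.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then echo "empty"; return 1; fi
    echo "ok:$count"
}

# Check the path the service hard-codes unless the variable is already set.
ca_bundle_status \
    "GIT_SSL_CAINFO=${GIT_SSL_CAINFO:-/etc/ssl/certs/ca-certificates.crt}" || true
```

Anything other than ok:<count> on the build host means git fetches over https from the service will fail certificate verification.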




