Acknowledgement sent
to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org.
(Sat, 10 Jul 2021 17:29:02 GMT) (full text, mbox, link).
Subject: Implement --allow-insecure-transport for `guix pull`
Date: Sat, 10 Jul 2021 13:28:10 -0400
As discussed in #46829, `guix pull` needs an option like
--allow-insecure-transport so that users can continue to pull from the
same channel even when their local certificate store has expired or is
otherwise invalid.
[0] <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46829#114>
Added indication that bug 49508 blocks53214
Request was from Leo Famulari <leo@famulari.name>
to control@debbugs.gnu.org.
(Thu, 03 Feb 2022 17:45:01 GMT) (full text, mbox, link).
Information forwarded
to bug-guix@gnu.org: bug#49508; Package guix.
(Tue, 08 Feb 2022 10:19:01 GMT) (full text, mbox, link).
Subject: Re: bug#49508: Implement --allow-insecure-transport for `guix pull`
Date: Tue, 08 Feb 2022 11:18:08 +0100
Hi,
Leo Famulari <leo@famulari.name> skribis:
> As discussed in #46829, `guix pull` needs an option like
> --allow-insecure-transport so that users can continue to pull from the
> same channel even when their local certificate store has expired or is
> otherwise invalid.
Agreed.
Unfortunately it seems that libgit2 doesn’t let us turn off certificate
verification:
https://libgit2.org/libgit2/#HEAD/group/libgit2
‘verify_server_cert’ in src/streams/openssl.c is called
unconditionally. So it seems that the first thing to do would be to
submit a patch upstream that would allow users to disable certificate
checks via ‘git_libgit2_opts’.
Now, by default, ‘guix pull’ honors /etc/ssl/certs. Assuming those are
up-to-date, it should be fine, right?
Thanks,
Ludo’.
Severity set to 'important' from 'normal'
Request was from Ludovic Courtès <ludo@gnu.org>
to control@debbugs.gnu.org.
(Tue, 08 Feb 2022 10:19:01 GMT) (full text, mbox, link).
Information forwarded
to bug-guix@gnu.org: bug#49508; Package guix.
(Tue, 08 Feb 2022 17:12:01 GMT) (full text, mbox, link).
Subject: Re: bug#49508: Implement --allow-insecure-transport for `guix pull`
Date: Tue, 8 Feb 2022 12:11:32 -0500
On Tue, Feb 08, 2022 at 11:18:08AM +0100, Ludovic Courtès wrote:
> Unfortunately it seems that libgit2 doesn’t let us turn off certificate
> verification:
>
> https://libgit2.org/libgit2/#HEAD/group/libgit2
>
> ‘verify_server_cert’ in src/streams/openssl.c is called
> unconditionally.
Ah, that's not surprising.
> So it seems that the first thing to do would be to
> submit a patch upstream that would allow users to disable certificate
> checks via ‘git_libgit2_opts’.
Right, but it might not be accepted.
> Now, by default, ‘guix pull’ honors /etc/ssl/certs. Assuming those are
> up-to-date, it should be fine, right?
Yeah, I think so.
Information forwarded
to bug-guix@gnu.org: bug#49508; Package guix.
(Tue, 01 Nov 2022 17:32:02 GMT) (full text, mbox, link).
Cc: 49508@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: bug#49508: Implement --allow-insecure-transport for `guix pull`
Date: Tue, 01 Nov 2022 18:30:52 +0100
Hello,
> ‘verify_server_cert’ in src/streams/openssl.c is called
> unconditionally. So it seems that the first thing to do would be to
> submit a patch upstream that would allow users to disable certificate
> checks via ‘git_libgit2_opts’.
While this seems like something that we definitely want, I think we
shouldn't block the release with a contribution that can take time to be
upstreamed in libgit2.
Unblocking #53214.
Mathieu
Removed indication that bug 49508 blocks
Request was from Mathieu Othacehe <mathieu@meije.mail-host-address-is-not-set>
to control@debbugs.gnu.org.
(Tue, 01 Nov 2022 17:33:02 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the
GNU Public License version 2. The current version can be
obtained from https://bugs.debian.org/debbugs-source/.