Leo Famulari <l...@famulari.name> writes:

> On Thu, Feb 09, 2017 at 04:55:12PM +0100, Leo Famulari wrote:
>> Does anyone have any specific concerns or advice about changing the
>> value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
>> Should the change be that simple, or should we do more?
>
> While testing, I realized that an X.509 certificate store is not a
> standard feature of GuixSD, so using Savannah's HTTPS URL will not work
> in all cases.
>
> SSL_CERT_FILE and SSL_CERT_DIR appear to be set unconditionally in (gnu
> system operating-system-environment-variables), so it's not enough to
> test that they are set in order to decide which protocol to download the
> Guix source code with.
>
> Any advice on how to proceed?

Initially, I didn’t want to have ‘nss-certs’ in ‘%base-packages’ or anything like that, on the grounds that the whole X.509 CA story is completely broken IMO.

I wonder if we should revisit that, on the grounds that “it’s better than nothing.”

The next question is what to do with foreign distros, and whether we should bundle ‘nss-certs’ in the binary tarball, which is not exciting.

Alternately we could have a package that provides only the Let’s Encrypt certificate chain, if that’s what Savannah uses.

Thoughts?

Ludo’.
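
An added example, not part of the thread and not Guix code: the quoted message points out that SSL_CERT_FILE and SSL_CERT_DIR being set does not show that a certificate store exists, so this shell script checks that they point at actual PEM certificates before choosing a protocol. The function names, the "http" fallback, and treating SSL_CERT_DIR as a single directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): decide whether an X.509 trust
# store is actually usable, instead of only testing that the variables are set.

# Return 0 if $1 is a readable, non-empty file holding at least one PEM cert.
pem_bundle_ok() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ] &&
        grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if directory $1 contains at least one PEM certificate file.
# Assumption: SSL_CERT_DIR names a single directory, not a colon-separated list.
cert_dir_ok() {
    [ -n "$1" ] && [ -d "$1" ] || return 1
    for f in "$1"/*; do
        # -f follows symlinks, so dangling links left by a removed
        # certificate package do not count as a usable store.
        if [ -f "$f" ] && pem_bundle_ok "$f"; then
            return 0
        fi
    done
    return 1
}

# Print "https" when a usable store is found, "http" otherwise.
pick_scheme() {
    if pem_bundle_ok "${SSL_CERT_FILE:-}" || cert_dir_ok "${SSL_CERT_DIR:-}"; then
        echo https
    else
        echo http
    fi
}

# Report the result for the current environment.
echo "scheme for this environment: $(pick_scheme)"
```

A variable that is set but points at a missing file or an empty directory yields "http" here, which is the case the quoted message describes.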