Hi!

Marius Bakke <mba...@fastmail.com> wrote:
> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001 > From: Marius Bakke <mba...@fastmail.com> > Date: Tue, 28 Feb 2017 22:34:29 +0100 > Subject: [PATCH] pull: Default to HTTPS. > > * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a > search string for certificates. > * guix/scripts/pull.scm (%snapshot-url): Use HTTPS. > (guix-pull): Verify against the store path of NSS-CERTS. > --- > guix/build/download.scm | 7 +++++-- > guix/scripts/pull.scm | 8 ++++++-- > 2 files changed, 11 insertions(+), 4 deletions(-) > > diff --git a/guix/build/download.scm b/guix/build/download.scm > index 203338b52..88da1776f 100644 > --- a/guix/build/download.scm > +++ b/guix/build/download.scm > @@ -342,13 +342,16 @@ way." > > (define* (tls-wrap port server #:key (verify-certificate? #t)) > "Return PORT wrapped in a TLS connection to SERVER. SERVER must be a DNS > -host name without trailing dot." > +host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it is > +assumed to be the search path for TLS certificates passed to gnutls." > (define (log level str) > (format (current-error-port) > "gnutls: [~a|~a] ~a" (getpid) level str)) > > (let ((session (make-session connection-end/client)) > - (ca-certs (%x509-certificate-directory))) > + (ca-certs (if (string? verify-certificate?) > + verify-certificate? > + (%x509-certificate-directory))))

Nitpick: I would prefer to use a different argument for the certificate directory. Something like this:

  (define* (tls-wrap port server #:key
                     (verify-certificate? #t)
                     (certificate-directory (%x509-certificate-directory)))
    …)

Also the ‘guix pull’ part should be a separate patch.

Great work, thank you!

Ludo’.
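Review bot: In the `tls-wrap` hunk, letting `#:verify-certificate?` carry a string meaning "verify, and use this directory" folds two independent settings (whether to verify at all, and where the trust anchors live) into one keyword, so a caller can no longer choose them separately, and the added docstring calls the string a "search path" although it is bound to `ca-certs` in place of `(%x509-certificate-directory)`, i.e. a single directory. Keep `#:verify-certificate?` boolean, add a separate keyword such as `#:certificate-directory` defaulting to `(%x509-certificate-directory)`, and have the docstring say "directory" rather than "search path".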