ngra...@ngraves.fr wrote:

> By the way, guix install did work perfectly fine despite SSL
> certificates failing, does that mean that it doesn't do any SSL
> certificate verification? Is that considered safe? How about
> man-in-the-middle and data-tampering attacks? Are they impossible due
> to sha checksums in Guix, or is that a vulnerability?

The error with ‘guix pull’ comes from libgit2 when talking to https://git.sv.gnu.org. ‘guix install’ does not do that.

When it downloads substitutes, it authenticates them (narinfos are signed) and checks their integrity once the download is complete. X.509 certificates do not matter at all here and are explicitly ignored; see #:verify-certificate? in (guix scripts substitutes).

Ludo’.
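
The reply above rests substitute integrity on signed metadata plus a hash check after download, not on the TLS certificate. The Python sketch below is an added illustration of that model, not code from Guix or from this thread. The simplified narinfo-like record, the HMAC stand-in for the real public-key signature, and all names, keys and sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key. Real narinfos carry a public-key signature; HMAC is a
# stand-in here so the example needs only the standard library.
SERVER_KEY = b"constructed-demo-key"

def make_narinfo(store_path, payload, key=SERVER_KEY):
    """Server side: describe the archive, then sign the description."""
    body = (f"StorePath: {store_path}\n"
            f"NarHash: sha256:{hashlib.sha256(payload).hexdigest()}\n"
            f"NarSize: {len(payload)}\n")
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}

def verify_substitute(narinfo, payload, key=SERVER_KEY):
    """Client side: decide using only the signature and the hash,
    with no reliance on how the bytes were transported."""
    expected = hmac.new(key, narinfo["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, narinfo["signature"]):
        return "reject: bad signature on metadata"
    fields = dict(l.split(": ", 1) for l in narinfo["body"].splitlines())
    algo, digest = fields["NarHash"].split(":", 1)
    if algo != "sha256" or len(payload) != int(fields["NarSize"]):
        return "reject: hash algorithm or size mismatch"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), digest):
        return "reject: hash mismatch"
    return "accept"

def demo():
    path = "/gnu/store/<constructed-hash>-hello-1.0"  # placeholder, not a real item
    good = b"constructed archive bytes"
    evil = b"tampered___ archive bytes"  # same length, different content
    info = make_narinfo(path, good)
    forged = make_narinfo(path, evil, key=b"attacker-key")
    return {
        "untouched": verify_substitute(info, good),
        "payload swapped in transit": verify_substitute(info, evil),
        "metadata re-signed by attacker": verify_substitute(forged, evil),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Both tampering cases are rejected without any reference to the transport, which is why an unverified certificate does not weaken this particular check.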