Currently, the default source for `guix pull` is
<http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz>.

It's suboptimal to download the Guix source code over HTTP, since the
data can be mutated and recorded in transit. [0]

The Savannah admins have been working tirelessly to improve the Savannah
infrastructure, and they will soon announce the public availability of
Git served over HTTPS. [1]

HTTPS is not a security panacea but, in my opinion, we should use it if
it's available, at least until `guix pull` can verify commit signatures.

However, it's a little harder to get right than HTTP. For example, `guix
pull` could fail if there is a problem with the user's certificate
store, or if their clock is wrong.

Does anyone have any specific concerns or advice about changing the
value of %snapshot-url in (guix scripts pull) to use the HTTPS URL?
Should the change be that simple, or should we do more?

The attached patch works for me on a foreign distro when SSL_CERT_DIR
and SSL_CERT_FILE are set as described in the manual (section 7.2.9
X.509 Certificates) and GnuTLS-Guile is available in my environment.

[0] Discussion of the general problems with `guix pull`:
http://bugs.gnu.org/22883

[1] Announcement on savannah-hackers-public:
http://lists.gnu.org/archive/html/savannah-hackers-public/2017-02/msg00034.html

From 63eca1a41d993c04d662736589872fbc7123a168 Mon Sep 17 00:00:00 2001
From: Leo Famulari <l...@famulari.name>
Date: Thu, 9 Feb 2017 12:13:42 +0100
Subject: [PATCH] pull: Download GNU Guix with HTTPS.

* guix/scripts/pull.scm (%snapshot-url): Use HTTPS URL.
---
 guix/scripts/pull.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index 3f940f94d..2312eed29 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -45,7 +45,7 @@
 
 (define %snapshot-url
   ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download";
-  "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz";
+  "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz";
   )
 
 (define-syntax-rule (with-environment-variable variable value body ...)
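Review bot: the `+` line in `%snapshot-url` changes only the URL scheme, and nothing in this hunk shows whether the code that fetches this URL verifies the server certificate or what the user sees when verification fails. Please confirm that the download path rejects an invalid or untrusted certificate rather than silently proceeding, and that a missing certificate store or a wrong clock produces a readable error instead of a raw TLS failure. The commented-out hydra.gnu.org URL on the line above still uses `http://`; consider dropping it or switching it too, so that nobody re-enables a plaintext source by uncommenting it.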
-- 
2.11.0
