Pjotr Prins <pjotr.publi...@thebird.nl> wrote:

> On Wed, May 24, 2017 at 05:45:39PM -0400, Leo Famulari wrote:
>> [1] `guix pull` verifies the certificate of <git.savannah.gnu.org>
>> against the Let's Encrypt trust chain *only*.
>
> This brings up another annoyance. Before a first 'git pull' as a
> newbie you have to go through a number of steps which are, arguably,
> redundant.

Note that the Let’s Encrypt certificate check by ‘guix pull’ works out
of the box: users don’t need to install ‘nss-certs’, define a bunch of
environment variables, etc.

> I am talking about installing a first key to trust the guix server.
> Well, if we have installed guix AND we use guix pull, I think we can
> assume the guix server is trusted (by the user). Therefore, that key
> should work out of the box (it is what people install from the tree
> anyway!). It is a redundant step. Debian also uses keys and works
> out of the box.

Substitute servers are fundamentally different from servers that provide
Guix packages, which is why it’s treated differently.

On GuixSD, the keys of hydra.gnu.org and bayfront.guixsd.org are always
registered by default. We cannot do that for someone installing Guix on
a foreign distro because that involves creating a file in /etc.

> The other thing is permissions. Sometimes the user profile needs
> explicit permission settings.

What do you mean?

Thanks,
Ludo’.