From patchwork Thu Apr 18 10:07:06 2024
X-Patchwork-Submitter: Fabio Natali
X-Patchwork-Id: 63122
Subject: [bug#70451] [PATCH] gnu: system: Add nss-certs to %base-packages.
To: 70451@debbugs.gnu.org
Cc: Fabio Natali, Josselin Poiret, Ludovic Courtès, Mathieu Othacehe
Date: Thu, 18 Apr 2024 11:07:06 +0100
X-Mailer: git-send-email 2.41.0
From: Fabio Natali

* gnu/system.scm (%base-packages-networking): Add 'nss-certs'.
* gnu/installer/services.scm (%system-services): Remove the 'nss-certs'
system service.
* doc/guix.texi (Using the Configuration System): Remove various
'nss-certs' occurrences as the package is now part of
'%default-packages' already.
* doc/guix.texi (Web Services): Update to reflect that 'nss-certs' is
part of '%default-packages'.
* doc/guix.texi (Certificates): Update to reflect that 'nss-certs' is
part of '%default-packages'.
* gnu/system/examples/bare-bones.tmpl: Update to reflect that
'nss-certs' is part of '%default-packages'.
* gnu/system/examples/lightweight-desktop.tmpl: Remove 'nss-certs' as it
is part of '%default-packages' already.
* gnu/system/examples/raspberry-pi-64-nfs-root.tmpl: Remove 'nss-certs'
as it is part of '%default-packages' already.
* gnu/system/images/orangepi-r1-plus-lts-rk3328.scm: Remove 'nss-certs'
as it is part of '%default-packages' already.
* gnu/system/images/pine64.scm: Remove 'nss-certs' as it is part of
'%default-packages' already.
* gnu/system/install.scm: Remove 'nss-certs' as it is part of
'%default-packages' already.

Change-Id: Icad8f5461e03c32c21c7ef715af6bd3a96eac5a9
---

Hi,

This is a little patch to add the 'nss-certs' certificates package to
the list of '%default-packages'.

This has been discussed in this email thread:

https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html

Thanks, best wishes, Fabio.

doc/guix.texi | 21 ++++++++++--------- gnu/installer/services.scm | 5 ----- gnu/system.scm | 2 ++ gnu/system/examples/bare-bones.tmpl | 5 ----- gnu/system/examples/lightweight-desktop.tmpl | 4 +--- .../examples/raspberry-pi-64-nfs-root.tmpl | 3 +-- .../images/orangepi-r1-plus-lts-rk3328.scm | 3 +-- gnu/system/images/pine64.scm | 3 +-- gnu/system/install.scm | 3 +-- 9 files changed, 18 insertions(+), 31 deletions(-) base-commit: 2126dab4cd81db4cbde4566d8c638e45a4c0077c diff --git a/doc/guix.texi b/doc/guix.texi index f4f21c4744..dc46ccf962 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17152,7 +17152,7 @@ Using the Configuration System (operating-system ;; ... (packages (append (map specification->package+output - '("nss-certs" "git" "git:send-email")) + '("git" "git:send-email")) %base-packages))) @end lisp @@ -17240,8 +17240,7 @@ Using the Configuration System as returned by the @command{blkid} command. @xref{Desktop Services}, for the exact list of services provided by -@code{%desktop-services}. @xref{X.509 Certificates}, for background -information about the @code{nss-certs} package that is used here. +@code{%desktop-services}. Again, @code{%desktop-services} is just a list of service objects. If you want to remove services from there, you can do so using the 
@@ -32457,9 +32456,11 @@ Web Services so that it can authenticate Git servers when communicating over HTTPS, and it assumes that @file{/etc/ssl/certs} contains those certificates. -Thus, make sure to add @code{nss-certs} or another certificate package to the -@code{packages} field of your configuration. @ref{X.509 Certificates}, for -more information on X.509 certificates. +The @code{nss-certs} certificate package is provided by default as part +@code{%base-packages}. Should you not be using @code{%base-packages}, +make sure that @code{nss-certs} (or a similar certificate package) is +added to the @code{packages} field of your configuration. @ref{X.509 +Certificates}, for more information on X.509 certificates. @end quotation @subsubheading gmnisrv @@ -41006,10 +41007,10 @@ X.509 Certificates is a set of CA certificates provided as part of Mozilla's Network Security Services. -Note that it is @emph{not} part of @code{%base-packages}, so you need to -explicitly add it. The @file{/etc/ssl/certs} directory, which is where -most applications and libraries look for certificates by default, points -to the certificates installed globally. +This package is part of @code{%base-packages}, so there's usually no +need to explicitly add it. The @file{/etc/ssl/certs} directory, which +is where most applications and libraries look for certificates by +default, points to the certificates installed globally. Unprivileged users, including users of Guix on a foreign distro, can also install their own certificate package in diff --git a/gnu/installer/services.scm b/gnu/installer/services.scm index 4dfed78785..1cb9dc579c 100644 --- a/gnu/installer/services.scm +++ b/gnu/installer/services.scm 
@@ -110,11 +110,6 @@ (define %system-services (name (G_ "Tor anonymous network router")) (type 'networking) (snippet '((service tor-service-type)))) - (system-service - (name (G_ "Mozilla NSS certificates, for HTTPS access")) - (type 'networking) - (packages '((specification->package "nss-certs"))) - (recommended? #t)) ;; Miscellaneous system administration services. (system-service diff --git a/gnu/system.scm b/gnu/system.scm index 9b5c96d0ad..91bce727a8 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -50,6 +50,7 @@ (define-module (gnu system) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages bash) + #:use-module (gnu packages certs) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) #:use-module (gnu packages firmware) @@ -925,6 +926,7 @@ (define %base-packages-networking ;; Default set of networking packages. (list inetutils isc-dhcp iproute + nss-certs wget ;; wireless-tools is deprecated in favor of iw, but it's still what ;; many people are familiar with, so keep it around. diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl index dc6aff5273..7b6a4b09b0 100644 --- a/gnu/system/examples/bare-bones.tmpl +++ b/gnu/system/examples/bare-bones.tmpl @@ -4,9 +4,6 @@ (use-modules (gnu)) (use-service-modules networking ssh) -;; If you want to use HTTPS, you most likely want to include -;; "certs" in the line below. Also read the comment about -;; "nss-certs" later in this file. (use-package-modules screen ssh) (operating-system @@ -46,8 +43,6 @@ %base-user-accounts)) ;; Globally-installed packages. - ;; Add "nss-certs" for Mozilla's approved CA certs. You would - ;; have to have included "certs" in use-package-modules above. (packages (cons screen %base-packages)) ;; Add services to the baseline: a DHCP client and an SSH diff --git a/gnu/system/examples/lightweight-desktop.tmpl b/gnu/system/examples/lightweight-desktop.tmpl index 4cb3c38311..f581a669c2 100644 
--- a/gnu/system/examples/lightweight-desktop.tmpl +++ b/gnu/system/examples/lightweight-desktop.tmpl @@ -47,9 +47,7 @@ ratpoison i3-wm i3status dmenu emacs emacs-exwm emacs-desktop-environment ;; terminal emulator - xterm - ;; for HTTPS access - nss-certs) + xterm) %base-packages)) ;; Use the "desktop" services, which include the X11 diff --git a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl index 2203375270..7d1a9bf66e 100644 --- a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl +++ b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl @@ -56,8 +56,7 @@ (supplementary-groups '("wheel" "netdev" "audio" "video")) (home-directory "/home/pi")) %base-user-accounts)) - (packages (cons* nss-certs - openssh + (packages (cons* openssh %base-packages)) (services (cons* (service avahi-service-type) (service dhcp-client-service-type) diff --git a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm index eaaa12ba78..f871c63078 100644 --- a/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm +++ b/gnu/system/images/orangepi-r1-plus-lts-rk3328.scm @@ -55,8 +55,7 @@ (define orangepi-r1-plus-lts-rk3328-barebones-os (term "vt100") (tty "ttyS2"))) (service dhcp-client-service-type) - (service ntp-service-type) %base-services)) - (packages (cons nss-certs %base-packages)))) + (service ntp-service-type) %base-services)))) (define orangepi-r1-plus-lts-rk3328-image-type (image-type (name 'orangepi-r1-plus-lts-rk3328-raw) diff --git a/gnu/system/images/pine64.scm b/gnu/system/images/pine64.scm index 3feb69764d..457ff4345f 100644 --- a/gnu/system/images/pine64.scm +++ b/gnu/system/images/pine64.scm @@ -59,8 +59,7 @@ (define pine64-barebones-os (tty "ttyS0"))) (service dhcp-client-service-type) (service ntp-service-type) - %base-services)) - (packages (cons nss-certs %base-packages)))) + %base-services)))) (define pine64-image-type (image-type 
diff --git a/gnu/system/install.scm b/gnu/system/install.scm index 371bfc2a63..0c9556e087 100644 --- a/gnu/system/install.scm +++ b/gnu/system/install.scm @@ -551,8 +551,7 @@ (define installation-os (list glibc ; for 'tzselect' & co. fontconfig font-dejavu font-gnu-unifont - grub ; mostly so xrefs to its manual work - nss-certs) ; To access HTTPS, use git, etc. + grub) ; mostly so xrefs to its manual work %installer-disk-utilities %base-packages))))
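
Review bot: In the doc/guix.texi "Web Services" hunk (@@ -32457), the added sentence "provided by default as part @code{%base-packages}" is missing a word; it should read "as part of @code{%base-packages}". The last added sentence also opens with @ref{X.509 Certificates}; at the start of a sentence the usual Texinfo form is @xref, as in the "@xref{Desktop Services}, for the exact list" context line of the earlier hunk, so this would be a good moment to switch it.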
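
Review bot: In the doc/guix.texi "X.509 Certificates" hunk (@@ -41006), the new text "so there's usually no need to explicitly add it" leaves out the case that the "Web Services" hunk does spell out: a configuration whose packages field does not include %base-packages ends up with no CA bundle in /etc/ssl/certs. This is the reference section for certificates, so state that case here as well, and say how a system that wants a different trust store can leave nss-certs out or replace it.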
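
Review bot: In the gnu/system.scm hunk (@@ -925), nss-certs is added to %base-packages-networking, yet the commit log and cover letter repeatedly say '%default-packages', a name that appears nowhere in the diff; align the log with the variable actually changed so the history is searchable. Because this changes the default trust store of every system built on %base-packages, also confirm that configurations which already list nss-certs next to %base-packages (as the examples cleaned up in this patch did) still build without a conflict, and consider a news entry telling users the explicit entry is no longer needed.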
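
Review bot: In the gnu/system/images/orangepi-r1-plus-lts-rk3328.scm hunk (and identically in pine64.scm), the whole "(packages (cons nss-certs %base-packages))" field is removed, not just the nss-certs element, so these images now rely on the operating-system default for packages being %base-packages; confirm that, or keep an explicit "(packages %base-packages)". None of the example or image hunks touches a module import, so check whether certs is still listed in use-package-modules or #:use-module in those files and drop it where nss-certs was its only user.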