From patchwork Tue Dec 10 23:34:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 34753 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id DB2AA27BBEB; Tue, 10 Dec 2024 23:36:50 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id A0B6E27BBE2 for ; Tue, 10 Dec 2024 23:36:50 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tL9lt-0007pL-Ub; Tue, 10 Dec 2024 18:36:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9ls-0007oe-Ie for guix-patches@gnu.org; Tue, 10 Dec 2024 18:36:04 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tL9ls-0002e0-9k; Tue, 10 Dec 2024 18:36:04 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=HTZbWmZGhER0Oyu1yj0gCCZqCyXoPAm5/xH3oUx3cMs=; 
b=MHM+LJREC9YNyHjIM7nWTwpS2R/wDhpQ+Iwx43V+BgukziidHoJ5fepgIfBytBMZATlLpjj4x7MnWI8q7/ZLcHspBrTrHEErzk2B5J9XadzHEYXsn6WZ80PVclFvRM/Fl5KfYl33ExTvJvuD7tpFznnpzPlDYqVYYCVhGZIA9vMZQcXLN5yQRKrfCrMk7mJLNuiJPvqsh3Yb7JjEhP0C/bE8CGUo6qhj/f/S4h8DSndggebqAwaUBPxCaeifmFQVhsima62k/90UN3o5dAYO/yWxwXe6QKF0gBbJ7n/b0/TQfqoNSlcBHR7VQiRYaHFlXuQxLZ2MGhVWyWO8IieleA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tL9lq-0005d9-9Q; Tue, 10 Dec 2024 18:36:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74776] [PATCH 1/7] git: Remove Guile-Git < 0.4.0 compatibility fallback. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix@cbaines.net, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, zimon.toutoune@gmail.com, me@tobias.gr, guix-patches@gnu.org Resent-Date: Tue, 10 Dec 2024 23:36:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74776 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 74776@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice X-Debbugs-Original-Xcc: Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice Received: via spool by 74776-submit@debbugs.gnu.org id=B74776.173387370421053 (code B ref 74776); Tue, 10 Dec 2024 23:36:02 +0000 Received: (at 74776) by debbugs.gnu.org; 10 Dec 2024 23:35:04 +0000 Received: from localhost ([127.0.0.1]:60044 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tL9kt-0005TI-IB for submit@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:04 -0500 Received: from eggs.gnu.org ([209.51.188.92]:52832) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tL9ks-0005ST-6A for 74776@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:02 -0500 Received: from fencepost.gnu.org 
([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9km-0002P6-VE; Tue, 10 Dec 2024 18:34:56 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=HTZbWmZGhER0Oyu1yj0gCCZqCyXoPAm5/xH3oUx3cMs=; b=enCzhvGa2rDqptpQtgxO qhZOBnNvm7bHkE9u54M5LXk2DcuuTUe94zPoj8jylY76+RiypPeKIYdsdiQagWnQOtT1XljBzIdCb eru7PuMkID8A1opaRfFDi68a11vARPm5r9nsHCGnbVDW2sx76yDXS8+1l3TdKUdklOcMDNxdsZ0yn OrHAxRCBQxA6SLasW3ruuS4TUksarySK9pESfDVPkDeJ9q2Xr77+fQSy3Fuuws81dfMZ17UP6dQny CZXmAbgiQYFGszZ07rAtNY3JPHmLfNrdpdphp1XPPvPGWvvPtv7M5xPZI8F35FFa4tLQ1bSu0pZUK L55iWsGDHnjxYA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 11 Dec 2024 00:34:40 +0100 Message-ID: X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Guile-Git 0.4.0 was released in October 2020. * guix/git.scm (make-default-fetch-options): Remove ‘wrong-number-of-args’ fallback. Change-Id: I5ebcb7212fd96241ea5defc4127e9880a6dd9667 --- guix/git.scm | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/guix/git.scm b/guix/git.scm index 410cd4c153..1b0839b1e3 100644 --- a/guix/git.scm +++ b/guix/git.scm 
@@ -185,19 +185,13 @@ (define (show-progress progress) (define (make-default-fetch-options) "Return the default fetch options." (let ((auth-method (%make-auth-ssh-agent))) - ;; The #:transfer-progress and #:proxy-url options appeared in Guile-Git - ;; 0.4.0. Omit them when using an older version. - (catch 'wrong-number-of-args - (lambda () - (make-fetch-options auth-method - ;; Guile-Git doesn't distinguish between these. - #:proxy-url (or (getenv "http_proxy") - (getenv "https_proxy")) - #:transfer-progress - (and (isatty? (current-error-port)) - show-progress))) - (lambda args - (make-fetch-options auth-method))))) + (make-fetch-options auth-method + ;; Guile-Git doesn't distinguish between these. + #:proxy-url (or (getenv "http_proxy") + (getenv "https_proxy")) + #:transfer-progress + (and (isatty? (current-error-port)) + show-progress)))) (define GITERR_HTTP ;; Guile-Git <= 0.5.2 lacks this constant. From patchwork Tue Dec 10 23:34:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 34750 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id E600027BBE9; Tue, 10 Dec 2024 23:36:34 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id B5D6927BBEA for ; Tue, 10 Dec 2024 23:36:33 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
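Review bot: the hunk does not show a matching bump of the minimum Guile-Git version in the build system, and without one a user on Guile-Git < 0.4.0 now gets a runtime `wrong-number-of-args` from inside make-default-fetch-options instead of a configure-time error; if that floor is already raised elsewhere, the commit message should point at it. The removal itself is sound: the old `catch 'wrong-number-of-args` wrapper swallowed any arity error escaping the thunk, not only the pre-0.4.0 case, and silently downgraded to `(make-fetch-options auth-method)` with no proxy and no progress callback, which is exactly the kind of quiet fallback that hides bugs. The trailing context `;; Guile-Git <= 0.5.2 lacks this constant.` shows GITERR_HTTP still carries its own shim, so the series is not yet at a single-version floor.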
1tL9lv-0007qK-Cs; Tue, 10 Dec 2024 18:36:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9lt-0007oq-9J for guix-patches@gnu.org; Tue, 10 Dec 2024 18:36:05 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tL9ls-0002eC-Ty; Tue, 10 Dec 2024 18:36:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=lgOCsVTfZNd/lxKNLlV7JkSB2c8g32K+RXStQk+5hmE=; b=uC0PWMnwtIkhObCgq/M2Aldc29Ogxizn2uA6igBi8sfyK1vul0j1EYskBFUgF8Ok83Fw4kMqrbNxyqsmgBaww1vF0dgfLd9oZNKdHnP/B1TSPEjJ+a0jA+vfVXnxSqfbo0VwSX0eXMosymeDu7IBO/5e9QTPuXbzVpdeLPYMRHfsxvDZ1WFEiIHxbfLekYlEAweExdOKO8WJrrREupod0kITb4hshAw6g9HQnfp0u2XFcg6tb5rBv42uzZBldgFHcjPG5sp1wl9QSmVmlrUbRLIH9HnvUs5uISrESu4yYF+gkOsMHAEWcI1YEJ3PBE/v9URR8OVOOrvUnFuJIQBuuQ==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tL9lq-0005dJ-Pj; Tue, 10 Dec 2024 18:36:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74776] [PATCH 2/7] git: Allow X.509 certificate verification to be disabled. 
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix@cbaines.net, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, zimon.toutoune@gmail.com, me@tobias.gr, guix-patches@gnu.org Resent-Date: Tue, 10 Dec 2024 23:36:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74776 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 74776@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice X-Debbugs-Original-Xcc: Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice Received: via spool by 74776-submit@debbugs.gnu.org id=B74776.173387370821089 (code B ref 74776); Tue, 10 Dec 2024 23:36:02 +0000 Received: (at 74776) by debbugs.gnu.org; 10 Dec 2024 23:35:08 +0000 Received: from localhost ([127.0.0.1]:60052 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tL9kx-0005U4-Gh for submit@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:08 -0500 Received: from eggs.gnu.org ([209.51.188.92]:52844) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tL9kt-0005SU-2D for 74776@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:03 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9kn-0002PH-Sc; Tue, 10 Dec 2024 18:34:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=lgOCsVTfZNd/lxKNLlV7JkSB2c8g32K+RXStQk+5hmE=; b=qnQO+c4jb58pqLzkWOpz h9J+fleWknnbREeZQzmcQUChvgP1xdnlLus6NI9CK3GBSrQJbB+MJ/vlIwUR+EkPp2Ao7R1X1h5y3 Xx4v8dDC8oSPlTl+C4KAwmbZzuLW4Po1zEcBrXWOMGCmHT4jXBZIm8h9SlWC65txZ3VyFS9oQx88T 
X7L9g9/JqK/yQaIPPi+7EPEYYBBHlJgRlaqmIVIJlzGqo93jpi1sKC+GH2klJ6iKD90EOabYb17Hy ejdg7P8sVQtM5QS827e19Rt3Q1hDBm0MbXl8ljiQgBnpxzp3JJBpuxFOVPwAhxjIUTO7PIBbph80l 1zT4mXDPb5Xh7g==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 11 Dec 2024 00:34:41 +0100 Message-ID: X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * guix/git.scm (make-default-fetch-options): Add #:verify-certificate? and honor it. Define ‘warn-for-invalid-certificate’. (clone*): Add #:verify-certificate? and pass it on. (clone/swh-fallback): Likewise. (update-cached-checkout): Likewise. (latest-repository-commit): Likewise. Change-Id: Ibf535a4a8d2a7e0c4026a896da9d4ab72e85401a --- guix/git.scm | 66 ++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 49 insertions(+), 17 deletions(-) diff --git a/guix/git.scm b/guix/git.scm index 1b0839b1e3..6ac6e4e3a2 100644 --- a/guix/git.scm +++ b/guix/git.scm 
@@ -182,16 +182,29 @@ (define (show-progress progress) ;; Return true to indicate that we should go on. #t) -(define (make-default-fetch-options) - "Return the default fetch options." - (let ((auth-method (%make-auth-ssh-agent))) - (make-fetch-options auth-method - ;; Guile-Git doesn't distinguish between these. - #:proxy-url (or (getenv "http_proxy") - (getenv "https_proxy")) - #:transfer-progress - (and (isatty? (current-error-port)) - show-progress)))) +(define* (make-default-fetch-options #:key (verify-certificate? #t)) + "Return the default fetch options. VERIFY-CERTIFICATE? determines whether +to verify X.509 host certificates." + (define (warn-for-invalid-certificate host valid?) + (unless valid? + (warning (G_ "ignoring invalid certificate for '~a'~%") host))) + + (let* ((auth-method (%make-auth-ssh-agent)) + (options + (make-fetch-options auth-method + ;; Guile-Git doesn't distinguish between these. + #:proxy-url (or (getenv "http_proxy") + (getenv "https_proxy")) + #:transfer-progress + (and (isatty? (current-error-port)) + show-progress)))) + ;; When VERIFY-CERTIFICATE? is true, keep the default libgit2 behavior, + ;; which is to raise an exception upon invalid certificates. + (unless verify-certificate? + (let ((callbacks (fetch-options-remote-callbacks options))) + (set-remote-callbacks-certificate-check! callbacks + warn-for-invalid-certificate))) + options)) (define GITERR_HTTP ;; Guile-Git <= 0.5.2 lacks this constant. @@ -213,7 +226,7 @@ (define (set-git-timeouts connection-timeout read-timeout) read-timeout) (set-server-timeout! read-timeout))) -(define (clone* url directory) +(define* (clone* url directory #:key (verify-certificate? #t)) "Clone git repository at URL into DIRECTORY. Upon failure, make sure no empty directory is left behind." (with-throw-handler #t 
@@ -222,7 +235,8 @@ (define (clone* url directory) (clone url directory (make-clone-options - #:fetch-options (make-default-fetch-options)))) + #:fetch-options (make-default-fetch-options + #:verify-certificate? verify-certificate?)))) (lambda _ (false-if-exception (rmdir directory))))) @@ -445,7 +459,8 @@ (define (clone-from-swh url tag-or-commit output) (remote-set-url! repository "origin" url) repository))))) -(define (clone/swh-fallback url ref cache-directory) +(define* (clone/swh-fallback url ref cache-directory + #:key (verify-certificate? #t)) "Like 'clone', but fallback to Software Heritage if the repository cannot be found at URL." (define (inaccessible-url-error? err) @@ -456,7 +471,8 @@ (define (clone/swh-fallback url ref cache-directory) (catch 'git-error (lambda () - (clone* url cache-directory)) + (clone* url cache-directory + #:verify-certificate? verify-certificate?)) (lambda (key err) (match ref (((or 'commit 'tag-or-commit) . commit) @@ -526,6 +542,7 @@ (define* (update-cached-checkout url (check-out? #t) starting-commit (log-port (%make-void-port "w")) + (verify-certificate? #t) (cache-directory (url-cache-directory url (%repository-cache-directory) @@ -544,6 +561,9 @@ (define* (update-cached-checkout url When CHECK-OUT? is true, reset the cached working tree to REF; otherwise leave it unchanged. +When VERIFY-CERTIFICATE? is true, raise an error when encountering an invalid +X.509 host certificate; otherwise, warn about the problem and keep going. + Wait for up to CONNECTION-TIMEOUT milliseconds when establishing connection to the remote server, and for up to READ-TIMEOUT milliseconds when reading from it. When zero, use the system defaults for these timeouts; when false, leave 
@@ -573,15 +593,22 @@ (define* (update-cached-checkout url (let* ((cache-exists? (openable-repository? cache-directory)) (repository (if cache-exists? (repository-open cache-directory) - (clone/swh-fallback url ref cache-directory)))) + (clone/swh-fallback url ref cache-directory + #:verify-certificate? + verify-certificate?)))) ;; Only fetch remote if it has not been cloned just before. (when (and cache-exists? (not (reference-available? repository ref))) (remote-fetch (remote-lookup repository "origin") - #:fetch-options (make-default-fetch-options))) + #:fetch-options (make-default-fetch-options + #:verify-certificate? + verify-certificate?))) (when recursive? (update-submodules repository #:log-port log-port - #:fetch-options (make-default-fetch-options))) + #:fetch-options + (make-default-fetch-options + #:verify-certificate? + verify-certificate?))) ;; Note: call 'commit-relation' from here because it's more efficient ;; than letting users re-open the checkout later on. @@ -632,6 +659,7 @@ (define* (latest-repository-commit store url #:key recursive? (log-port (%make-void-port "w")) + (verify-certificate? #t) (cache-directory (%repository-cache-directory)) (ref '())) @@ -644,6 +672,9 @@ (define* (latest-repository-commit store url When RECURSIVE? is true, check out submodules as well, if any. +When VERIFY-CERTIFICATE? is true, raise an error when encountering an invalid +X.509 host certificate; otherwise, warn about the problem and keep going. + Git repositories are kept in the cache directory specified by %repository-cache-directory parameter. 
@@ -668,6 +699,7 @@ (define* (latest-repository-commit store url (url-cache-directory url cache-directory #:recursive? recursive?) + #:verify-certificate? verify-certificate? #:log-port log-port)) ((name) (url+commit->name url commit))) From patchwork Tue Dec 10 23:34:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 34754 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 8829227BBE9; Tue, 10 Dec 2024 23:36:51 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id D41CF27BBEA for ; Tue, 10 Dec 2024 23:36:50 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tL9lw-0007qR-G8; Tue, 10 Dec 2024 18:36:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9lu-0007pZ-B9 for guix-patches@gnu.org; Tue, 10 Dec 2024 18:36:06 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tL9lu-0002eR-1t; Tue, 10 Dec 2024 18:36:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; 
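Review bot: in the make-default-fetch-options hunk, warn-for-invalid-certificate ends with `(unless valid? (warning ...))`, so its return value is unspecified in both branches; if Guile-Git forwards that value to libgit2 as the accept/reject decision for the connection (the hunk does not say either way), acceptance silently depends on whatever `warning` returns. Either end the procedure with an explicit value, or add a comment stating that Guile-Git ignores the procedure's return value, so the next reader does not have to check the binding layer. On the same hunk, the comment "keep the default libgit2 behavior, which is to raise an exception upon invalid certificates" is only true while no callback is installed, which is why the `(unless verify-certificate? ...)` guard must stay around set-remote-callbacks-certificate-check!; a one-line comment saying so would prevent someone from hoisting the call out of the guard later.

Review bot: the docstrings added to update-cached-checkout and latest-repository-commit say that with VERIFY-CERTIFICATE? false the code will "warn about the problem and keep going"; since these are the entry points other modules call, they should also state the consequence, namely that the fetched content then has no transport integrity and has to be trusted on other grounds such as a pinned commit or channel authentication.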
bh=xMNozuDFaIcsOhBzPjyxJk0tD8mBPU08DflTV9ZKMfI=; b=iapZLwK70EDDQ3DYRJtv4d2uHbvL3SdeLgFNZgFtZ08Z/qrBexqdDB7XsPvNALKAsnmQZhX3rudBfxMCJVaf+5nXNxmkS/E5pAwpSIE3iHOJKhUSmoLX/0Z6LHsu4+IaS2idb62njrFZOUSGfg4I5pnZlmW/4uF3MQWBgFQkxWBBV2vY4B/7KnXkoQqI/E0XRLFHZT7M3oHn7Y7uUdqxa0eeZW/a05LMdISjKC1Z+jPAZsOHQtQl3a2KJqk/VGsepckV6+zh/sAYidrXzpn04tevbYe60dVcepkXTI+lD2gwyxj9xoQbTTaAs2+8JFWeWf4U+/BtWfouvV0MHu2Kew==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tL9lr-0005dW-8w; Tue, 10 Dec 2024 18:36:03 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74776] [PATCH 3/7] guix download: Honor ‘--no-check-certificate’ for ‘--git’. Resent-From: Ludovic Courtès Original-Sender: "Debbugs-submit" Resent-CC: guix@cbaines.net, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, zimon.toutoune@gmail.com, me@tobias.gr, guix-patches@gnu.org Resent-Date: Tue, 10 Dec 2024 23:36:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74776 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 74776@debbugs.gnu.org Cc: Ludovic Courtès , Christopher Baines , Josselin Poiret , Ludovic Courtès , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice X-Debbugs-Original-Xcc: Christopher Baines , Josselin Poiret , Ludovic Courtès , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice Received: via spool by 74776-submit@debbugs.gnu.org id=B74776.173387370921100 (code B ref 74776); Tue, 10 Dec 2024 23:36:03 +0000 Received: (at 74776) by debbugs.gnu.org; 10 Dec 2024 23:35:09 +0000 Received: from localhost ([127.0.0.1]:60054 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tL9ky-0005U6-4u for submit@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:08 -0500 Received: from eggs.gnu.org ([209.51.188.92]:52858) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from
) id 1tL9ku-0005Sc-2H for 74776@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:05 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9ko-0002PS-S9; Tue, 10 Dec 2024 18:34:58 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=xMNozuDFaIcsOhBzPjyxJk0tD8mBPU08DflTV9ZKMfI=; b=cXaOh+bzZbXl/GwX0CpX HWCNEsdiNTTibxcchI/0efggo+fHaIBYNSY4BjCK7sNDPC47W/zkmpjpjrRTacK7n3+X7XBqzDT4D WZKckBrt0jIyGgRISEZPQ44FbySAkvzkdOUJ/HRDzL/l9Vlj1DbLHN87xjXwkuYIyVA5FvspTBSSd z+HRW9ochfmxxeDGSJnkVPz1PnGM/v/AWwD8WOkMGFN5P2TqfmQQu7fcmI9ULZ1P3osvUCbRkep9b TqNQfcMGxVwqo+h9a7pbSxAzCfB/iYu+wg+uhXWpaw5ZLZReWV5G5YmeCkTjPMWW8Z8bDnQhQmCnA Tb+nBxAbatxNGQ==; 
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 11 Dec 2024 00:34:42 +0100 Message-ID: <4c0835f5958108ad2235c4bb63f22d2b742356d2.1733873391.git.ludo@gnu.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Until now ‘--no-check-certificate’ had no effect when combined with ‘--git’. This can be tested with: guix shell libfaketime -- faketime 2019-01-01 \ guix download --no-check-certificate --git \ https://git.savannah.gnu.org/git/shepherd.git * guix/scripts/download.scm (git-download-to-file): Add #:verify-certificate? and honor it. (git-download-to-store*): Likewise. (add-git-download-option): Likewise. (%options): Likewise. Change-Id: Ib3905398199d814a02319ed3328eb8a4ed219bd5 --- guix/scripts/download.scm | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/guix/scripts/download.scm b/guix/scripts/download.scm index de68e6f328..f373e46941 100644 --- a/guix/scripts/download.scm +++ b/guix/scripts/download.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2015, 2016, 2017, 2020 Ludovic Courtès +;;; Copyright © 2012-2013, 2015-2017, 2020, 2024 Ludovic Courtès ;;; Copyright © 2021 Simon Tournier ;;; ;;; This file is part of GNU Guix. 
@@ -94,7 +94,8 @@ (define (copy-recursively-without-dot-git source destination) #t source)) -(define (git-download-to-file url file reference recursive?) +(define* (git-download-to-file url file reference recursive? + #:key (verify-certificate? #t)) "Download the git repo at URL to file, checked out at REFERENCE. REFERENCE must be a pair argument as understood by 'latest-repository-commit'. Return FILE." @@ -108,7 +109,8 @@ (define (git-download-to-file url file reference recursive?) (else url)))) (copy-recursively-without-dot-git (with-git-error-handling - (update-cached-checkout url #:ref reference #:recursive? recursive?)) + (update-cached-checkout url #:ref reference #:recursive? recursive? + #:verify-certificate? verify-certificate?)) file)) file) @@ -151,12 +153,13 @@ (define* (git-download-to-store* url (string-drop url (string-length "file:"))) url))) (with-store store - ;; TODO: Verify certificate support and deactivation. (with-git-error-handling (latest-repository-commit store url #:recursive? recursive? - #:ref reference))))) + #:ref reference + #:verify-certificate? + verify-certificate?))))) (define %default-options ;; Alist of default option values. @@ -207,9 +210,10 @@ (define (show-help) (define (add-git-download-option result) (alist-cons 'download-proc - ;; XXX: #:verify-certificate? currently ignored. (lambda* (url #:key verify-certificate? ref recursive?) - (git-download-to-store* url ref recursive?)) + (git-download-to-store* url ref recursive? + #:verify-certificate? + verify-certificate?)) (alist-delete 'download result))) (define %options 
@@ -243,20 +247,20 @@ (define %options (alist-cons 'verify-certificate? #f result))) (option '(#\o "output") #t #f (lambda (opt name arg result) - (let* ((git - (assoc-ref result 'git-reference))) + (let* ((git (assoc-ref result 'git-reference))) (if git (alist-cons 'download-proc - (lambda* (url - #:key - verify-certificate? - ref - recursive?) + (lambda* (url #:key + (verify-certificate? #t) + ref + recursive?) (git-download-to-file url arg (assoc-ref result 'git-reference) - recursive?)) + recursive? + #:verify-certificate? + verify-certificate?)) (alist-delete 'download result)) (alist-cons 'download-proc (lambda* (url From patchwork Tue Dec 10 23:34:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 34755 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 754ED27BBEA; Tue, 10 Dec 2024 23:36:52 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C11E127BBE2 for ; Tue, 10 Dec 2024 23:36:51 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tL9lt-0007pG-Tp; Tue, 10 Dec 2024 18:36:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9ls-0007oa-DI for guix-patches@gnu.org; Tue, 10 Dec 2024 18:36:04 -0500 
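Review bot: in the add-git-download-option hunk the `lambda*` declares `#:key verify-certificate?` with no default, so a caller that omits the keyword passes #f through to git-download-to-store* and silently disables certificate checking, while the `--output` handler in the next hunk defaults the same keyword to `#t`; make both fail closed with `(verify-certificate? #t)` so that omission means "verify". Dropping the `;; TODO: Verify certificate support and deactivation.` and `;; XXX: #:verify-certificate? currently ignored.` comments is right, since the keyword is now threaded through git-download-to-file and git-download-to-store* end to end.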
Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tL9ls-0002dw-0E; Tue, 10 Dec 2024 18:36:04 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=C12T3M4qjwe2uqZc0ZAenMUCgNo7S1ZYvf3oErX3FTs=; b=XtMJqY/oNWWrtmU0B0deHP2YoCtOSKQYCVowGjZgMVdK3igrORPdIS2VtC9j6QwRnh1wZ0RMCU0fM+v7xlTfF5aZmliY/JeezzAV2KgDZaz+7+xnFQSlimvMvlKJxWJgAt/iHXZFZO651mJ8drqCIpBXXGluTP/LK7c8vOd3g7mFlZNbGUSBprFpYlq+Jz9Hm1RQQsfzcil0OENggSnqkloinaFzQpagpGWk4n1Y0/1I9PPCpqha5fM9YOR0ixJ3GFZwBjhdpXJm3TlHcvTwJXamCAFgSauaRe9YBSFxoZlduc4K0mo5UlMspS9s7Rllyw5m7CrvX1G76scaYUIAHQ==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tL9lr-0005di-QD; Tue, 10 Dec 2024 18:36:03 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74776] [PATCH 4/7] channels: Add #:verify-certificate? and honor it. 
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix@cbaines.net, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, zimon.toutoune@gmail.com, me@tobias.gr, guix-patches@gnu.org Resent-Date: Tue, 10 Dec 2024 23:36:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74776 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 74776@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice X-Debbugs-Original-Xcc: Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Simon Tournier , Tobias Geerinckx-Rice Received: via spool by 74776-submit@debbugs.gnu.org id=B74776.173387371121125 (code B ref 74776); Tue, 10 Dec 2024 23:36:03 +0000 Received: (at 74776) by debbugs.gnu.org; 10 Dec 2024 23:35:11 +0000 Received: from localhost ([127.0.0.1]:60058 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tL9kz-0005UI-8Q for submit@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:10 -0500 Received: from eggs.gnu.org ([209.51.188.92]:39848) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tL9kv-0005Se-2x for 74776@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:05 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9kp-0002Pe-Pk; Tue, 10 Dec 2024 18:34:59 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=C12T3M4qjwe2uqZc0ZAenMUCgNo7S1ZYvf3oErX3FTs=; b=opBvRxC2Y0mXoIg78lMm MP/Kds+QT4FuO+3IqVsCPMX04+ELqZfDd8ynKK8vfUblFc15EnnnsELn0ctce963jvnSk/SEuXJaw YMh4g6FG07Iuo9F3rJIECaZx7hrHRmzmBsymmd4zUJ3O7+BlPSy4TTuU00xWJUF0N5Ct3kK0gO1pC 
dkNQuanGrhuhKg2+l0uAIGJMCvMtgn+4hurIzU+TigPTv/NfZgc8o37OEX/A1byfTpVokp6c27yaO SGAuD12btsJ/kd8pjTGhlfMQlJsL6eGGaacLsUi17DeStAGsuQodWwLKI2DA9Makd/N8/1dWEfSSZ SFJOwhdPbN1VEQ==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 11 Dec 2024 00:34:43 +0100 Message-ID: X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * guix/channels.scm (latest-channel-instance): Add #:verify-certificate? and pass it on. (latest-channel-instances): Likewise. Change-Id: I43564738dfeefa5b735e6f9e349f9f5596d25164 --- guix/channels.scm | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/guix/channels.scm b/guix/channels.scm index 34f63eb833..4700f7a45d 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -407,12 +407,15 @@ (define* (authenticate-channel channel checkout commit (define* (latest-channel-instance store channel #:key (patches %patches) starting-commit - (authenticate? #f) + (authenticate? #t) (validate-pull - ensure-forward-channel-update)) + ensure-forward-channel-update) + (verify-certificate? #t)) "Return the latest channel instance for CHANNEL. When STARTING-COMMIT is true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and -their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated." +their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated. +When VERIFY-CERTIFICATE? is false, invalid X.509 host certificates are +accepted." (define (dot-git? file stat) (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat)))) 
@@ -421,7 +424,8 @@ (define* (latest-channel-instance store channel (checkout commit relation (update-cached-checkout (channel-url channel) #:ref (channel-reference channel) - #:starting-commit starting-commit))) + #:starting-commit starting-commit + #:verify-certificate? verify-certificate?))) (when relation (validate-pull channel starting-commit commit relation)) @@ -505,13 +509,17 @@ (define* (latest-channel-instances store channels (current-channels '()) (authenticate? #t) (validate-pull - ensure-forward-channel-update)) + ensure-forward-channel-update) + (verify-certificate? #t)) "Return a list of channel instances corresponding to the latest checkouts of CHANNELS and the channels on which they depend. When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a \"channel introduction\". +When VERIFY-CERTIFICATE? is false, invalid X.509 host certificates are +accepted. + CURRENT-CHANNELS is the list of currently used channels. It is compared against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called for each channel update and can choose to emit warnings or raise an error, 
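Review bot: the first hunk silently flips the default of `authenticate?` in `latest-channel-instance` from `#f` to `#t` (`- (authenticate? #f)` / `+ (authenticate? #t)`), a behaviour change that the ChangeLog entry, which only mentions adding `#:verify-certificate?` and passing it on, does not describe. Either document it in the commit message or split it into its own patch so that callers relying on the previous unauthenticated default can be audited on their own. The added docstring sentence in both procedures could also state that `VERIFY-CERTIFICATE?` defaults to `#t`, so readers see that certificate verification stays on unless a caller explicitly turns it off.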
@@ -562,7 +570,9 @@ (define* (latest-channel-instances store channels #:validate-pull validate-pull #:starting-commit - current))) + current + #:verify-certificate? + verify-certificate?))) (when authenticate? ;; CHANNEL is authenticated so we can trust the ;; primary URL advertised in its metadata and warn From patchwork Tue Dec 10 23:34:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 34749 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 3A03B27BBE2; Tue, 10 Dec 2024 23:36:34 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 78AAE27BBE9 for ; Tue, 10 Dec 2024 23:36:33 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tL9lw-0007qP-FN; Tue, 10 Dec 2024 18:36:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9lu-0007pd-Hg for guix-patches@gnu.org; Tue, 10 Dec 2024 18:36:06 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tL9lu-0002eT-6X; Tue, 10 Dec 2024 18:36:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; 
Subject: [bug#74776] [PATCH 5/7] pull: Add ‘--no-check-certificate’.
Resent-Date: Tue, 10 Dec 2024 23:36:04 +0000
To: 74776@debbugs.gnu.org
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 11 Dec 2024 00:34:44 +0100 Message-ID: X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches This can be tested with: guix shell libfaketime -- faketime 2019-01-01 \ guix pull -q --no-check-certificate -p /tmp/p * guix/scripts/pull.scm (%options, show-help): Add ‘--no-check-certificate’. (%default-options): Add ‘verify-certificate?’ key. (guix-pull): Honor it. * doc/guix.texi (Invoking guix pull): Document it. Change-Id: Ia9d7af1c64156b112e86027fb637e2e02dae6e3c Reviewed-by: Maxim Cournoyer --- doc/guix.texi | 8 ++++++++ guix/scripts/pull.scm | 16 +++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index a2915de954..cad16a0660 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4635,6 +4635,14 @@ Invoking guix pull @option{--disable-authentication}. @end quotation +@item --no-check-certificate +Do not validate the X.509 certificates of HTTPS servers. + +When using this option, you have @emph{absolutely no guarantee} that you +are communicating with the authentic server responsible for the given +URL. Unless the channel is authenticated, this makes you vulnerable to +``man-in-the-middle'' attacks. + @item --system=@var{system} @itemx -s @var{system} Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index 58d3cd7e83..76aed0b5cc 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm 
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013-2015, 2017-2023 Ludovic Courtès +;;; Copyright © 2013-2015, 2017-2024 Ludovic Courtès ;;; Copyright © 2017 Marius Bakke ;;; Copyright © 2020, 2021 Tobias Geerinckx-Rice ;;; @@ -77,6 +77,7 @@ (define %default-options (debug . 0) (verbosity . 1) (authenticate-channels? . #t) + (verify-certificate? . #t) (validate-pull . ,ensure-forward-channel-update))) (define (show-help) @@ -98,6 +99,9 @@ (define (show-help) (display (G_ " --disable-authentication disable channel authentication")) + (display (G_ " + --no-check-certificate + do not validate the certificate of HTTPS servers")) (display (G_ " -N, --news display news compared to the previous generation")) (display (G_ " @@ -183,6 +187,9 @@ (define %options (option '("disable-authentication") #f #f (lambda (opt name arg result) (alist-cons 'authenticate-channels? #f result))) + (option '("no-check-certificate") #f #f + (lambda (opt name arg result) + (alist-cons 'verify-certificate? #f result))) (option '(#\p "profile") #t #f (lambda (opt name arg result) (alist-cons 'profile (canonicalize-profile arg) @@ -845,7 +852,8 @@ (define-command (guix-pull . args) (profile (or (assoc-ref opts 'profile) %current-profile)) (current-channels (profile-channels profile)) (validate-pull (assoc-ref opts 'validate-pull)) - (authenticate? (assoc-ref opts 'authenticate-channels?))) + (authenticate? (assoc-ref opts 'authenticate-channels?)) + (verify-certificate? (assoc-ref opts 'verify-certificate?))) (cond ((assoc-ref opts 'query) (process-query opts profile)) 
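Review bot: the new @item in doc/guix.texi warns about the consequences of `--no-check-certificate` but never says what the option is for; the only hint is the `faketime 2019-01-01` recipe in the commit message, which makes the server's certificate appear not yet valid. Add a sentence stating the intended use, namely pulling when the system clock is far from the present (as when reproducing an old Guix), where otherwise-valid certificates fail validation as expired or not yet valid, so that users do not reach for it as a workaround for a genuinely bad certificate. Keeping `(verify-certificate? . #t)` in `%default-options` and only clearing it through the explicit option is the right secure default.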
@@ -877,7 +885,9 @@ (define-command (guix-pull . args) #:validate-pull validate-pull #:authenticate? - authenticate?))) + authenticate? + #:verify-certificate? + verify-certificate?))) (format (current-error-port) (N_ "Building from this channel:~%" "Building from these channels:~%" From patchwork Tue Dec 10 23:34:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 34752 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id EDD1927BBEB; Tue, 10 Dec 2024 23:36:40 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 7096127BBE2 for ; Tue, 10 Dec 2024 23:36:40 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tL9lw-0007qV-Mn; Tue, 10 Dec 2024 18:36:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9lv-0007pu-45 for guix-patches@gnu.org; Tue, 10 Dec 2024 18:36:07 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tL9lu-0002ej-J5; Tue, 10 Dec 2024 18:36:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; 
Subject: [bug#74776] [PATCH 6/7] inferior: Add #:verify-certificate? to ‘cached-channel-instance’.
Resent-Date: Tue, 10 Dec 2024 23:36:04 +0000
To: 74776@debbugs.gnu.org
esmtp (Exim 4.84_2) (envelope-from ) id 1tL9ky-0005TH-FJ for 74776@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:09 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9kt-0002Uw-1n; Tue, 10 Dec 2024 18:35:03 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=p17ggAbyAeGglmwSyQVAFYFphqkimWtTXp9aVZjSqgQ=; b=bJow8PumT09De7hiiR9H Y+j7LBxZNZqr8pzkWvY1bAsc+9FGyrBoItbf0aI+1pqe+Ba+ctyJfAdkz3aYagQ66zKS0Fmxjp+Ot 0wZVGX066/qEM0nR2eOPq4+VVWOuK+0xzuCwul3jJRvOv0g7iEaA15snwwOQ+yAiIPuzxDQXrDozu 816mj/UtiqfF3QzpBBIz3mIUN6QtZYcyx1Rn9xK+R3t2OqSK+bYXN7AWfNd6Ggk6vW0xrbnsNP9vy a65z4yZ5z4P0+udv3XnZBwPSMaRsWHaldeo/rTyGOnZDEUvn0FnvLpTYK9XtbobZY2E8GVb09xonY QesOsrw81QKN3g==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 11 Dec 2024 00:34:45 +0100 Message-ID: <2ca2cc830049e38f4ef6dde25da3a111ca99e8d1.1733873391.git.ludo@gnu.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * guix/inferior.scm (channel-full-commit): Add #:verify-certificate? and pass it on. (cached-channel-instance): Likewise. Change-Id: I9882660ac9eee2c4d9bb5e227979fd8de10555b1 --- guix/inferior.scm | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/guix/inferior.scm b/guix/inferior.scm index b60bf1ab01..8066cce2fc 100644 --- a/guix/inferior.scm +++ b/guix/inferior.scm 
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2018-2023 Ludovic Courtès +;;; Copyright © 2018-2024 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -864,7 +864,7 @@ (define %inferior-cache-directory (make-parameter (string-append (cache-directory #:ensure? #f) "/inferiors"))) -(define (channel-full-commit channel) +(define* (channel-full-commit channel #:key (verify-certificate? #t)) "Return the commit designated by CHANNEL as quickly as possible. If CHANNEL's 'commit' field is a full SHA1, return it as-is; if it's a SHA1 prefix, resolve it; and if 'commit' is unset, fetch CHANNEL's branch tip." @@ -876,7 +876,8 @@ (define (channel-full-commit channel) (cache commit relation (update-cached-checkout (channel-url channel) #:ref ref - #:check-out? #f))) + #:check-out? #f + #:verify-certificate? verify-certificate?))) commit)))) (define* (cached-channel-instance store @@ -886,7 +887,8 @@ (define* (cached-channel-instance store (cache-directory (%inferior-cache-directory)) (ttl (* 3600 24 30)) (reference-channels '()) - (validate-channels (const #t))) + (validate-channels (const #t)) + (verify-certificate? #t)) "Return a directory containing a guix filetree defined by CHANNELS, a list of channels. The directory is a subdirectory of CACHE-DIRECTORY, where entries can be reclaimed after TTL seconds. This procedure opens a new connection to the 
@@ -895,12 +897,18 @@ (define* (cached-channel-instance store VALIDATE-CHANNELS must be a four-argument procedure used to validate channel instances against REFERENCE-CHANNELS; it is passed as #:validate-pull to 'latest-channel-instances' and should raise an exception in case a target -channel commit is deemed \"invalid\"." +channel commit is deemed \"invalid\". + +When VERIFY-CERTIFICATE? is true, raise an error when encountering an invalid +X.509 host certificate; otherwise, warn about the problem and keep going." (define commits ;; Since computing the instances of CHANNELS is I/O-intensive, use a ;; cheaper way to get the commit list of CHANNELS. This limits overhead ;; to the minimum in case of a cache hit. - (map channel-full-commit channels)) + (map (lambda (channel) + (channel-full-commit channel + #:verify-certificate? verify-certificate?)) + channels)) (define key (bytevector->base32-string 
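Review bot: the new docstring for `cached-channel-instance` promises that when `VERIFY-CERTIFICATE?` is false the code will "warn about the problem and keep going", but nothing in this hunk or in `channel-full-commit` emits such a warning; the flag is only forwarded to `update-cached-checkout`. Either confirm that `update-cached-checkout` warns in that case, or align the wording with the `latest-channel-instance` docstring in guix/channels.scm ("invalid X.509 host certificates are accepted") so the two procedures do not promise different behaviour. Minor style point: the `(map (lambda (channel) ...) channels)` rewrite is correct; if SRFI-26 is already imported in this module, `(cut channel-full-commit <> #:verify-certificate? verify-certificate?)` would keep it as close to the original one-liner.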
@@ -951,7 +959,9 @@ (define* (cached-channel-instance store #:current-channels reference-channels #:validate-pull - validate-channels)) + validate-channels + #:verify-certificate? + verify-certificate?)) (profile (channel-instances->derivation instances))) (mbegin %store-monad From patchwork Tue Dec 10 23:34:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 34751 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 448DC27BBEA; Tue, 10 Dec 2024 23:36:36 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C8C6427BBE2 for ; Tue, 10 Dec 2024 23:36:35 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tL9lw-0007qQ-G0; Tue, 10 Dec 2024 18:36:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9lv-0007px-5L for guix-patches@gnu.org; Tue, 10 Dec 2024 18:36:07 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tL9lu-0002ek-Ka; Tue, 10 Dec 2024 18:36:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; 
Subject: [bug#74776] [PATCH 7/7] time-machine: Add ‘--no-check-certificate’.
Resent-Date: Tue, 10 Dec 2024 23:36:05 +0000
To: 74776@debbugs.gnu.org
(Exim 4.84_2) (envelope-from ) id 1tL9kz-0005TT-2u for 74776@debbugs.gnu.org; Tue, 10 Dec 2024 18:35:10 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tL9kt-0002b9-SI; Tue, 10 Dec 2024 18:35:03 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=GTlCADlZ1AP8lQOQ3qonievBGRLFBAlMDgD5anqEijU=; b=qz9bpwqNLAa47hpK530Y dfDkmEYQ0FglQabnisMO1kjtFp+x6XG28yBuoSvkE/8bdNhPvHz4lS/5BH9stuT5NgmINi/V9VoWj 1rdDiCCLCat+fRIOyckevDLTpT7B8POy9SVjshWgKUEuX0tKUMRLX6+nAuEHKm+StW32QffFx5F5+ xE6r3j0GIh20uNfe9iTpat/n8SGYAwWRVrmWGCvZcPvcIwmVsN5ZOGIZrbgIWFXOa+v0yexc71ZVT SrXUYAmViPOyhZao/ukPT4rkQjjyoi9Skr+TRnJvzcuOqKjtbIgLEbc3LaoXv8L3zqvchsX6VmQk8 /85rYeTNKsJBKQ==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 11 Dec 2024 00:34:46 +0100 Message-ID: <54a8cf29cc3853916105da244a8c56b0b060fc29.1733873391.git.ludo@gnu.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches This can be tested with: guix shell libfaketime -- faketime 2019-01-01 \ guix time-machine -q --no-check-certificate * guix/scripts/time-machine.scm (%options, show-help): Add ‘--no-check-certificate’. (%default-options): Add ‘verify-certificate?’ key. (guix-time-machine): Honor it. Change-Id: I25a29d03d4df78d1618c6a416ec85fd8e90fec6c --- guix/scripts/time-machine.scm | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) 
diff --git a/guix/scripts/time-machine.scm b/guix/scripts/time-machine.scm index 21145239d4..0fd2d15eb5 100644 --- a/guix/scripts/time-machine.scm +++ b/guix/scripts/time-machine.scm @@ -70,6 +70,9 @@ (define (show-help) (display (G_ " --disable-authentication disable channel authentication")) + (display (G_ " + --no-check-certificate + do not validate the certificate of HTTPS servers")) (newline) (show-build-options-help) (newline) @@ -101,6 +104,9 @@ (define %options (option '("disable-authentication") #f #f (lambda (opt name arg result) (alist-cons 'authenticate-channels? #f result))) + (option '("no-check-certificate") #f #f + (lambda (opt name arg result) + (alist-cons 'verify-certificate? #f result))) (option '(#\h "help") #f #f (lambda args (leave-on-EPIPE (show-help)) @@ -120,6 +126,7 @@ (define %default-options (print-extended-build-trace? . #t) (multiplexed-build-output? . #t) (authenticate-channels? . #t) + (verify-certificate? . #t) (graft? . #t) (debug . 0) (verbosity . 1))) @@ -180,7 +187,8 @@ (define-command (guix-time-machine . args) (command-line (assoc-ref opts 'exec)) (ref (assoc-ref opts 'ref)) (substitutes? (assoc-ref opts 'substitutes?)) - (authenticate? (assoc-ref opts 'authenticate-channels?))) + (authenticate? (assoc-ref opts 'authenticate-channels?)) + (verify-certificate? (assoc-ref opts 'verify-certificate?))) (let* ((directory (with-store store (with-status-verbosity (assoc-ref opts 'verbosity) @@ -195,7 +203,9 @@ (define-command (guix-time-machine . args) #:reference-channels %reference-channels #:validate-channels - validate-guix-channel))))) + validate-guix-channel + #:verify-certificate? + verify-certificate?))))) (executable (string-append directory "/bin/guix"))) (if command-line (apply execl (cons* executable executable command-line))
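Review bot: missing documentation: unlike patch 5/7, which added a `--no-check-certificate` entry to doc/guix.texi under "Invoking guix pull", this patch touches only guix/scripts/time-machine.scm (per the diffstat), so the new `guix time-machine` option appears in `--help` but not in the manual. Add the matching @item under "Invoking guix time-machine", with the same warning that the option removes any guarantee of talking to the authentic server unless the channel is authenticated. Also, the `show-help` text and the `%options` entry added here are verbatim copies of the ones added to pull.scm; a shared definition would keep the two commands' help strings and option parsing from drifting apart.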