GNU logs - #70314, boring messages

Message sent to guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:

Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Richard Sent <richard@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN
Resent-Date: Tue, 09 Apr 2024 19:15:01 +0000
Resent-Message-ID: <handler.70314.B.171269009112050 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 70314 <at> debbugs.gnu.org
Cc: Richard Sent <richard@HIDDEN>, Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>, Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>
From: Richard Sent <richard@HIDDEN>
Date: Tue,  9 Apr 2024 15:05:29 -0400
Message-ID: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=136.175.108.156;
 envelope-from=richard@HIDDEN; helo=mail-108-mta156.mxroute.com
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.9 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.1 (/)

* guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
container with -N, add nss-certs package and set SSL_CERT_DIR and
SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
behavior.
* doc/guix.texi: Document it.

Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
---
Hi Guix!

Given the discussion on IRC and guix-devel [1] recently about making
nss-certs easier to use, this patch modifies guix environment (and
thus guix shell) to automatically add nss-certs to the profile when
sharing the network namespace, as well as setting the
mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
variables.

This behavior can be reverted with the --no-tls flag. Since presumably
the majority of shell users want TLS to work out of the box, adding
TLS by default makes sense to me.

Previous workarounds were verbose [2] and prone to failure [3].

[1] https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html

[2] https://lists.gnu.org/archive/html/guix-patches/2020-05/msg00197.html

[3] See tail of https://logs.guix.gnu.org/guix/2024-04-08.log, [2]
works coincidentally since guix system w/ nss-certs happens to have
identical nss-certs hash as the guix building the shell profile.
Otherwise the system version would not be visible inside the
container.

 doc/guix.texi                |  8 ++++++++
 guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5827e0de14..912ed79ccd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6214,6 +6214,10 @@ Invoking guix shell
 Containers created without this flag only have access to the loopback
 device.
 
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
 @item --link-profile
 @itemx -P
 For containers, link the environment profile to @file{~/.guix-profile}
@@ -6711,6 +6715,10 @@ Invoking guix environment
 Containers created without this flag only have access to the loopback
 device.
 
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
 @item --link-profile
 @itemx -P
 For containers, link the environment profile to @file{~/.guix-profile}
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 1d7a6e198d..b38882a4ca 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -49,6 +49,7 @@ (define-module (guix scripts environment)
   #:autoload   (guix build syscalls) (set-network-interface-up openpty login-tty)
   #:use-module (gnu system file-systems)
   #:autoload   (gnu packages) (specification->package+output)
+  #:autoload   (gnu packages certs) (nss-certs)
   #:autoload   (gnu packages bash) (bash)
   #:autoload   (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
   #:autoload   (gnu packages package-management) (guix)
@@ -72,6 +73,9 @@ (define-module (guix scripts environment)
 (define %default-shell
   (or (getenv "SHELL") "/bin/sh"))
 
+(define %default-tls-certs
+  (list nss-certs))
+
 (define* (show-search-paths profile manifest #:key pure?)
   "Display the search paths of MANIFEST applied to PROFILE.  When PURE? is #t,
 do not augment existing environment variables with additional search paths."
@@ -108,6 +112,9 @@ (define (show-environment-options-help)
   -C, --container        run command within an isolated container"))
   (display (G_ "
   -N, --network          allow containers to access the network"))
+  (display (G_ "
+      --no-tls           do not add SSL/TLS certificates or set environment
+                         variables for a networked container"))
   (display (G_ "
   -P, --link-profile     link environment profile to ~/.guix-profile within
                          an isolated container"))
@@ -244,6 +251,9 @@ (define %options
          (option '(#\N "network") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'network? #t result)))
+         (option '(#\T "no-tls") #f #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'no-tls? #t result)))
          (option '(#\W "nesting") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'nesting? #t result)))
@@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
                      (packages->outputs (load* file module) mode)))
                   (('manifest . file)
                    (manifest-entries (load-manifest file)))
+                  (('network? . #t)
+                   (if (assoc-ref opts 'no-tls?)
+                       '()
+                       (manifest-entries
+                        (packages->manifest %default-tls-certs))))
                   (('nesting? . #t)
                    (if (assoc-ref opts 'profile)
                        '()
@@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest
 
 (define* (launch-environment/container #:key command bash user user-mappings
                                        profile manifest link-profile? network?
-                                       map-cwd? emulate-fhs? nesting?
+                                       no-tls? map-cwd? emulate-fhs? nesting?
                                        (setup-hook #f)
                                        (symlinks '()) (white-list '()))
   "Run COMMAND within a container that features the software in PROFILE.
@@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
               ;; Allow local AF_INET communications.
               (set-network-interface-up "lo"))
 
+            (unless no-tls?
+              (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+              (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+                                                     "/ca-certificates.crt")))
+
             ;; For convenience, start in the user's current working
             ;; directory or, if unmapped, the home directory.
             (chdir (if map-cwd?
@@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
          (link-prof?   (assoc-ref opts 'link-profile?))
          (symlinks     (assoc-ref opts 'symlinks))
          (network?     (assoc-ref opts 'network?))
+         (no-tls?      (assoc-ref opts 'no-tls?))
          (no-cwd?      (assoc-ref opts 'no-cwd?))
          (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
          (nesting?     (assoc-ref opts 'nesting?))
@@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
       (when (pair? symlinks)
         (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
 
+    (when (and (not network?)
+               no-tls?)
+      (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
+
     (with-store/maybe store
       (with-status-verbosity (assoc-ref opts 'verbosity)
         (define manifest-from-opts
@@ -1212,6 +1237,7 @@ (define (guix-environment* opts)
                                                   #:network? network?
                                                   #:map-cwd? (not no-cwd?)
                                                   #:emulate-fhs? emulate-fhs?
+                                                  #:no-tls? no-tls?
                                                   #:nesting? nesting?
                                                   #:symlinks symlinks
                                                   #:setup-hook

base-commit: 35e1d9247e39f3c91512cf3d9ef1467962389e35
-- 
2.41.0

Message sent:

Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Richard Sent <richard@HIDDEN>
Subject: bug#70314: Acknowledgement ([PATCH] guix: scripts: environment:
 add tls certs to networked containers)
Message-ID: <handler.70314.B.171269009112050.ack <at> debbugs.gnu.org>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
X-Gnu-PR-Message: ack 70314
X-Gnu-PR-Package: guix-patches
X-Gnu-PR-Keywords: patch
Reply-To: 70314 <at> debbugs.gnu.org
Date: Tue, 09 Apr 2024 19:15:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

As you requested using X-Debbugs-CC, your message was also forwarded to
  Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>,=
 Ludovic Court=C3=A8s <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, =
Ricardo Wurmus <rekado@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN=
om>, Tobias Geerinckx-Rice <me@HIDDEN>
(after having been given a bug report number, if it did not have one).

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 70314 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--=20
70314: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D70314
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Message sent to guix-patches@HIDDEN:

Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Wed, 04 Sep 2024 13:35:01 +0000
Resent-Message-ID: <handler.70314.B70314.17254568886445 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: Richard Sent <richard@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Wed, 04 Sep 2024 15:33:30 +0200
Message-ID: <87jzfree6t.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

Hi Richard,

Richard Sent <richard@HIDDEN> skribis:

> * guix/scripts/environment.scm: Add --no-tls flag. By default when starti=
ng a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to =
old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7

Apparently this patch fell through the cracks, despite the long Cc:
list.

> Given the discussion on IRC and guix-devel [1] recently about making
> nss-certs easier to use, this patch modifies guix environment (and
> thus guix shell) to automatically add nss-certs to the profile when
> sharing the network namespace, as well as setting the
> mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
> variables.
>
> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.

[...]

> +                  (('network? . #t)
> +                   (if (assoc-ref opts 'no-tls?)
> +                       '()
> +                       (manifest-entries
> +                        (packages->manifest %default-tls-certs))))

Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rather e=
xpose
/etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
certificates will be used, and (2) it=E2=80=99s less expensive than having =
to
compute the derivation of =E2=80=98nss-certs=E2=80=99.

Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can al=
ways add it to the
shell and it will take precedence over /etc/ssl/certs, assuming
SSL_CERT_{FILE,DIR} is defined.

WDYT?

Thanks,
Ludo=E2=80=99.

Message sent to guix-patches@HIDDEN:

Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Richard Sent <richard@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Wed, 04 Sep 2024 15:04:02 +0000
Resent-Message-ID: <handler.70314.B70314.172546219817417 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
From: Richard Sent <richard@HIDDEN>
In-Reply-To: <87jzfree6t.fsf@HIDDEN> ("Ludovic =?UTF-8?Q?Court=C3=A8s?="'s message of "Wed, 04 Sep 2024 15:33:30 +0200")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87jzfree6t.fsf@HIDDEN>
Date: Wed, 04 Sep 2024 11:01:53 -0400
Message-ID: <871q1zsbry.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

Hi Ludo!

Thanks for the response!

Ludovic Court=C3=A8s <ludo@HIDDEN> writes:

> Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rather=
 expose
> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
> certificates will be used, and (2) it=E2=80=99s less expensive than havin=
g to
> compute the derivation of =E2=80=98nss-certs=E2=80=99.

There is an issue with this that's cropped up in the past. The files in
/etc/ssl/certs/* are symlinks to store items. Because containers only
see a subset of store items that are in that container's profile, it
often sees the symlinks to store items but not the target file.

For example:

--8<---------------cut here---------------start------------->8---
$ guix shell -C bash coreutils --expose=3D/etc/ssl/certs -- bash
[env]$ ls /etc/ssl/certs/ca*
/etc/ssl/certs/ca-certificates.crt  /etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
[env]$ ls -l /etc/ssl/certs/ca6e4ad9.0
lrwxrwxrwx 1 65534 overflow 85 Jan  1  1970 /etc/ssl/certs/ca6e4ad9.0 -> /g=
nu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ca=
6e4ad9.0
[env]$ cat /etc/ssl/certs/ca6e4ad9.0=20=20
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
--8<---------------cut here---------------end--------------->8---

We can /sort of/ solve this by adding nss-certs to the container, but
only when the nss-certs being added has the same hash as the nss-certs
package.

--8<---------------cut here---------------start------------->8---
# nss-certs w/o version adds v3.99 to the profile, which doesn't match
# the system. Ergo it's still unavailable.
~ $ guix shell -C bash coreutils --expose=3D/etc/ssl/certs -- bash -c 'cat =
/etc/ssl/certs/ca6e4ad9.0'
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
#=20
# If we specify 3.88.1, it does work, but only for various nss-certificates,
# not the ca-certificates.crt bundle file (which isn't a package).
guix shell -C bash coreutils nss-certs@HIDDEN --expose=3D/etc/ssl/certs -- =
bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
# snip, contents of ca6e4ad9.0
#=20
~ $ guix shell -C bash coreutils nss-certs@HIDDEN --expose=3D/etc/ssl/certs=
 -- bash -c 'cat /etc/ssl/certs/ca-certificates.crt'
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
--8<---------------cut here---------------end--------------->8---

This problem becomes impossible to solve in situations where the system
Guix and user Guix have different nss-certs hashes.

Be it by adding nss-certs to the container profile or by exposing
/etc/ssl/certs, we still need to calculate the nss-certs derivation.

(Perhaps a alternative solution is making sure symlink targets to store
items visible to a container are persisted. I don't know how complicated
that would be, but I imagine it's nontrivial.)

> Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can =
always add it to the
> shell and it will take precedence over /etc/ssl/certs, assuming
> SSL_CERT_{FILE,DIR} is defined.

True, although at present anyone who wants to use nss-certs must set
SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
registers the search path).

--8<---------------cut here---------------start------------->8---
# nss-certs alone doesn't set SSL_CERT_DIR
~ $ guix shell -C bash coreutils nss-certs@HIDDEN -- bash -c 'echo $SSL_CER=
T_DIR'
# blank
#
# curl registers $SSL_CERT_{FILE,DIR}
~ $ guix shell -C bash coreutils nss-certs@HIDDEN curl -- bash -c 'echo $SS=
L_CERT_DIR'
/gnu/store/hxylrsqs5cy87cgkxi5fmlzxvfhczlzj-profile/etc/ssl/certs
--8<---------------cut here---------------end--------------->8---

This is unintuitive. Many packages that make use of nss-certs don't
register the search path, e.g. rust-cargo [1]. I'd rather avoid a
solution that is "edit every package that may possibly use nss-certs now
and in the future to register the search path".

> WDYT?

My thoughts are if we have to decide between

1. Users who want TLS with standard public endpoints
2. Users who want TLS with custom private endpoints

it's better to prioritize a good experience for 1 and let 2 opt-out of
the "hand holding" defaults. But perhaps it's possible to make everyone
happy.

If desired this patch can be reworked as opt-in.

[1]: https://logs.guix.gnu.org/guix/2024-04-08.log

--=20
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sun, 15 Sep 2024 21:41:02 +0000
Resent-Message-ID: <handler.70314.B70314.172643640826105 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 70314
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Richard Sent <richard@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, guix-devel <guix-devel@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
Received: via spool by 70314-submit <at> debbugs.gnu.org id=B70314.172643640826105
          (code B ref 70314); Sun, 15 Sep 2024 21:41:02 +0000
Received: (at 70314) by debbugs.gnu.org; 15 Sep 2024 21:40:08 +0000
Received: from localhost ([127.0.0.1]:50631 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1spwyV-0006mz-C1
	for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:40:07 -0400
Received: from eggs.gnu.org ([209.51.188.92]:54632)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1spwyS-0006mG-C4
 for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:40:05 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1spwy7-0007DX-38; Sun, 15 Sep 2024 17:39:43 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=Pzc9tn9Twed4xuo4C7hwVQF6xNvZvIfu4OQWfK/sjUI=; b=eiCSItnXRucQ+1gRvycS
 WhsMrVJUn2ClDOA9YxNQwhKm1HeAV5fYtoXqhU5PQKGd+xSowzVvrBrIUufjvnxrZMbVNE05VPhSS
 BKIVT/f9CUQT05pnLtxMxH5fKfbXVAJjs1QRPqwgc6kQ4FqfUWjG6CnsSGZqBG+xNuJFpJYGDiEoR
 Sk3H4nEamREEOWf4kYi9ikz/TjROp8/T99uj3pBKTsgl1dHHMMf0EytrRSh6Whscij7U6flStmpyt
 IHZpwWL8iM/yfkYgyUorCFUXbBg5e8RIGwdRgYWwOkOyNFBj/+w1tc4YFK/kN1GM4rZPxhnqP7l0G
 rPmVStcGrkhCyw==;
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
In-Reply-To: <871q1zsbry.fsf@HIDDEN> (Richard Sent's message of
 "Wed, 04 Sep 2024 11:01:53 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN>
Date: Sun, 15 Sep 2024 23:39:39 +0200
Message-ID: <875xqwd2as.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi Richard,

Cc: guix-devel to get more feedback: this is about adding =E2=80=98nss-cert=
s=E2=80=99 by
default in =E2=80=98guix shell -CN=E2=80=99 containers, along with a =E2=80=
=98--no-tls=E2=80=99 option
to opt out:

  https://issues.guix.gnu.org/70314

Richard Sent <richard@HIDDEN> skribis:

> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
>
>> Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rathe=
r expose
>> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
>> certificates will be used, and (2) it=E2=80=99s less expensive than havi=
ng to
>> compute the derivation of =E2=80=98nss-certs=E2=80=99.
>
> There is an issue with this that's cropped up in the past. The files in
> /etc/ssl/certs/* are symlinks to store items. Because containers only
> see a subset of store items that are in that container's profile, it
> often sees the symlinks to store items but not the target file.

Oh, indeed.

[...]

>> Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can=
 always add it to the
>> shell and it will take precedence over /etc/ssl/certs, assuming
>> SSL_CERT_{FILE,DIR} is defined.
>
> True, although at present anyone who wants to use nss-certs must set
> SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
> registers the search path).

Right.

[...]

> My thoughts are if we have to decide between
>
> 1. Users who want TLS with standard public endpoints
> 2. Users who want TLS with custom private endpoints
>
> it's better to prioritize a good experience for 1 and let 2 opt-out of
> the "hand holding" defaults. But perhaps it's possible to make everyone
> happy.

You=E2=80=99ve convinced me.

That it=E2=80=99s opt-out sounds reasonable to me.  =E2=80=98--no-tls=E2=80=
=99 sounds reasonable
too as a name (I thought about =E2=80=98--no-x509-certificates=E2=80=99 but=
 that=E2=80=99s
actually less accurate since there are the SSL_* variables in addition
to the certificates themselves).

I have some comments about the patch and I=E2=80=99d like others to weigh i=
n too
before we commit this change.

Thank you!

Ludo=E2=80=99.

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sun, 15 Sep 2024 21:50:02 +0000
Resent-Message-ID: <handler.70314.B70314.172643699328126 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 70314
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Richard Sent <richard@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
Received: via spool by 70314-submit <at> debbugs.gnu.org id=B70314.172643699328126
          (code B ref 70314); Sun, 15 Sep 2024 21:50:02 +0000
Received: (at 70314) by debbugs.gnu.org; 15 Sep 2024 21:49:53 +0000
Received: from localhost ([127.0.0.1]:50640 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1spx7x-0007Ja-08
	for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:49:53 -0400
Received: from eggs.gnu.org ([209.51.188.92]:51078)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1spx7v-0007JM-9J
 for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:49:51 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1spx7b-00083s-7g; Sun, 15 Sep 2024 17:49:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=uAwU9f++y+PAtidbis6EWEpL+lumBElQSlnfMJh9mH4=; b=Flyb58OuaO0/Yx6bVWpF
 WPatEkJt+UuBeHC4p2UjAZxbAbKJV/OcKB/qjFIcmt655TSC4271Lk+TSjue+frsjmJAkmYZKMwEW
 wfttLbGySDEX9ZA3LxaBVP4FemQ3zxbGQYJrYkXyTyA69NYgdl1in3uWKBi73eEExsuM5jnMvgm4Z
 uFToP6jHldj9TcoVuG2RlM0ceT+wdqjMqq6cAnNi8no7CWQSt35yu2Y1O561+c+DxJZpyhfh0c0Bv
 srw04pnjiqW2vLVuxoYGschtPo5vd85BsYBagueF4UeB18d+0rhdpMc+6MT4pnN8c+2ZcjhWjF48A
 QyEAxMqeH5kjLg==;
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Sun, 15 Sep 2024 23:49:27 +0200
Message-ID: <87o74obna0.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi,

Richard Sent <richard@HIDDEN> skribis:

> * guix/scripts/environment.scm: Add --no-tls flag. By default when starti=
ng a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to =
old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7

[...]

> +  #:autoload   (gnu packages certs) (nss-certs)
>    #:autoload   (gnu packages bash) (bash)
>    #:autoload   (gnu packages bootstrap) (bootstrap-executable %bootstrap=
-guile)
>    #:autoload   (gnu packages package-management) (guix)
> @@ -72,6 +73,9 @@ (define-module (guix scripts environment)
>  (define %default-shell
>    (or (getenv "SHELL") "/bin/sh"))
>=20=20
> +(define %default-tls-certs
> +  (list nss-certs))

This would force all the package modules to be loaded upfront.  Instead
you should arrange to not refer to =E2=80=98nss-certs=E2=80=99 until it=E2=
=80=99s needed.

This matters for startup time.  To see how it affects the command, you
can run:

  strace -c guix shell coreutils -- true

The second run should make as few system calls as possible.

> +                 (lambda (opt name arg result)
> +                   (alist-cons 'no-tls? #t result)))

Internally, I would reverse the logic to have =E2=80=98tls?=E2=80=99 instea=
d (as a rule
of thumb, I always avoid negating Booleans in code).

> +                  (('network? . #t)
> +                   (if (assoc-ref opts 'no-tls?)
> +                       '()
> +                       (manifest-entries
> +                        (packages->manifest %default-tls-certs))))

Can we delay changes to the manifest until after all options have been
parsed, so we know whether =E2=80=98-C=E2=80=99 has been passed?

That way =E2=80=98guix shell -N --no-tls=E2=80=99 does not add =E2=80=98nss=
-certs=E2=80=99 to the
environments.

>  (define* (launch-environment/container #:key command bash user user-mapp=
ings
>                                         profile manifest link-profile? ne=
twork?
> -                                       map-cwd? emulate-fhs? nesting?
> +                                       no-tls? map-cwd? emulate-fhs? nes=
ting?

Same as above: =E2=80=98tls?=E2=80=99 rather than =E2=80=98no-tls?=E2=80=99.

Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
pass.

Thanks,
Ludo=E2=80=99.

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Ryan Prior <rprior@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Mon, 16 Sep 2024 00:05:02 +0000
Resent-Message-ID: <handler.70314.B70314.172644509023930 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 70314
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Richard Sent <richard@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, guix-devel <guix-devel@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
Received: via spool by 70314-submit <at> debbugs.gnu.org id=B70314.172644509023930
          (code B ref 70314); Mon, 16 Sep 2024 00:05:02 +0000
Received: (at 70314) by debbugs.gnu.org; 16 Sep 2024 00:04:50 +0000
Received: from localhost ([127.0.0.1]:50729 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1spzEY-0006Du-0G
	for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 20:04:50 -0400
Received: from mail-40131.protonmail.ch ([185.70.40.131]:10517)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rprior@HIDDEN>) id 1spzEV-0006Db-Js
 for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 20:04:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1726445068; x=1726704268;
 bh=IZNAB1v6dghE+Yx+bF9h+47HXdIven7FmQpQ/dgQFDM=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector;
 b=uXa8y1ibrp5IiJIytXMVBcHUIMcs51V0jQCfY5EpNaeKeu9uEhm7qgWj9u9H7E6ss
 bRTWkdCguD8cgPO+53D6rRudN6RRAscQpanrozk+iGr1nDnTw/oWBdgriRo9TpsuSO
 P9fgsoGBYBa95UbjQ5XChBtvOPvkNumispcmDrLks9dQirNlIjCntxlPyl8ko8xhdM
 ijGRHi0jPU0h3u0u7hszvjjzJx3PXSHqd5VuMep2cvkagYNJHs8Wx9iHsU+3xlbxQo
 3ykmowiU4gA/oOgYkPJ8uHabxWjqIOC5mBhVa3C0q9NRIOArIDnVtRbcohoGRn47Ij
 RFNA2RL9yLr+Q==
Date: Mon, 16 Sep 2024 00:04:23 +0000
From: Ryan Prior <rprior@HIDDEN>
Message-ID: <ub_UIyami0aM1f_ld_Va6H_pNf_f1eJsqs-L3lNq2HXiiB9T57OqAITFdGC4OVrrRshTFvMCuyqGZpRPg0Rg_MtWe_1Cmrj1XaSJZcMOH3c=@protonmail.com>
In-Reply-To: <875xqwd2as.fsf@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN>
 <875xqwd2as.fsf@HIDDEN>
Feedback-ID: 7396961:user:proton
X-Pm-Message-ID: 080af1fce6a982544a638f46abd071a3d0aa1417
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


On Sunday, September 15th, 2024 at 4:39 PM, Ludovic Court=C3=A8s <ludo@gnu.=
org> wrote:

> You=E2=80=99ve convinced me.
>=20
> That it=E2=80=99s opt-out sounds reasonable to me. =E2=80=98--no-tls=
=E2=80=99 sounds reasonable
> too as a name


Agreed on all points. Even though I'm aware of the need, I've forgotten to =
add tls-certs many times. Removing a known footgun for containers is a grea=
t plan.

Thanks!
Ryan

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Richard Sent <richard@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Mon, 16 Sep 2024 15:23:02 +0000
Resent-Message-ID: <handler.70314.B70314.172650016124594 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 70314
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
Received: via spool by 70314-submit <at> debbugs.gnu.org id=B70314.172650016124594
          (code B ref 70314); Mon, 16 Sep 2024 15:23:02 +0000
Received: (at 70314) by debbugs.gnu.org; 16 Sep 2024 15:22:41 +0000
Received: from localhost ([127.0.0.1]:53052 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sqDYm-0006Oa-Uv
	for submit <at> debbugs.gnu.org; Mon, 16 Sep 2024 11:22:41 -0400
Received: from mail-108-mta228.mxroute.com ([136.175.108.228]:36793)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <richard@HIDDEN>) id 1sqDYk-0006OS-Vf
 for 70314 <at> debbugs.gnu.org; Mon, 16 Sep 2024 11:22:40 -0400
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
 (Authenticated sender: mN4UYu2MZsgR)
 by mail-108-mta228.mxroute.com (ZoneMTA) with ESMTPSA id
 191fb6d75110013e01.002 for <70314 <at> debbugs.gnu.org>
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 16 Sep 2024 15:22:20 +0000
X-Zone-Loop: d1845798e40e69d6d4a98721eda0343dbf5723b6c2db
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:Content-Type:
 MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:Cc:To:From:Sender
 :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
 Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
 List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=D3iQ2emaxbbu2Zh4abCa+GXZnlkStdid/BWp5LUE2HM=; b=c6cL+3mnG00FEt3CRlvK5pIWR6
 1pPc8jThBb77fKklLh318a+zhlkehzh5jy49Dv59MXT/0YB7j+QRNkH0NGCzPMXng4a2DMzEyrGZm
 L4Hk9nQjsEiPe5kX4o8g4telHi2geucpuPQXPJfLHApfK1ncCPK6byJjUg9wOI86nvhQX0AiDHqaC
 2xVJJet6fhcxpC8aEKlfQeaHnypyW3L2E7GDieH4pbx1o5AkOeA4OMVnuWqG55LIHLXDrl9pCYM6/
 01O3V6NQV60o3/EJT341GR6N4TqUUeFcFmd8+zXKb55Kr5Rh8gJW1KSggmAtk26At/IFatZGgyUXo
 bSpuO0DA==;
From: Richard Sent <richard@HIDDEN>
In-Reply-To: <87o74obna0.fsf@HIDDEN> ("Ludovic =?UTF-8?Q?Court=C3=A8s?="'s message of "Sun, 15 Sep 2024 23:49:27 +0200")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87o74obna0.fsf@HIDDEN>
Date: Mon, 16 Sep 2024 11:22:03 -0400
Message-ID: <87ldzrd3ok.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Authenticated-Id: richard@HIDDEN
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Ludovic Court=C3=A8s <ludo@HIDDEN> writes:

> Can we delay changes to the manifest until after all options have been
> parsed, so we know whether =E2=80=98-C=E2=80=99 has been passed?
>=20
> That way =E2=80=98guix shell -N --no-tls=E2=80=99 does not add =E2=80=98n=
ss-certs=E2=80=99 to the
> environments.

Is `$ guix shell -N -- true` valid? I know it works at present, but my
understanding is sharing the network only works with containers. From
the manual:

> =E2=80=98--network=E2=80=99
> =E2=80=98-N=E2=80=99
>      For containers, share the network namespace with the host system.
>      Containers created without this flag only have access to the
>      loopback device.

Perhaps instead we should error when -N is passed without -C, ala

--8<---------------cut here---------------start------------->8---
modified   guix/scripts/environment.scm
@@ -1153,7 +1153,9 @@ (define (guix-environment* opts)
       (when nesting?
         (leave (G_ "'--nesting' cannot be used without '--container'~%")))
       (when (pair? symlinks)
-        (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+        (leave (G_ "'--symlink' cannot be used without '--container'~%")))
+      (when network?
+        (leave (G_ "'--network cannot be used without '--container'~%"))))
=20
     (when (and (not network?)
                no-tls?)
--8<---------------cut here---------------end--------------->8---

--=20
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Simon Tournier <zimon.toutoune@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Fri, 20 Sep 2024 16:12:02 +0000
Resent-Message-ID: <handler.70314.B70314.172684869115391 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 70314
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Richard Sent <richard@HIDDEN>, 70314 <at> debbugs.gnu.org, Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Richard Sent <richard@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Received: via spool by 70314-submit <at> debbugs.gnu.org id=B70314.172684869115391
          (code B ref 70314); Fri, 20 Sep 2024 16:12:02 +0000
Received: (at 70314) by debbugs.gnu.org; 20 Sep 2024 16:11:31 +0000
Received: from localhost ([127.0.0.1]:36141 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1srgEE-000405-HU
	for submit <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:30 -0400
Received: from mail-wm1-f42.google.com ([209.85.128.42]:57389)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@HIDDEN>) id 1srgEC-0003zR-DB
 for 70314 <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:29 -0400
Received: by mail-wm1-f42.google.com with SMTP id
 5b1f17b1804b1-42cb5b3c57eso20676775e9.2
 for <70314 <at> debbugs.gnu.org>; Fri, 20 Sep 2024 09:11:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1726848603; x=1727453403; darn=debbugs.gnu.org;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id
 :reply-to; bh=8dwz6m40OMA6yOjrgDz1iDVW210nCX1/plsL1lMTMl4=;
 b=e5XJym1aeAGRtI12DZHLKRIUWqDHeI0B0JvYEWuy78hRtRxtWjZ6jldNzLbxpIzrUq
 CzrWdw8Ywp5p44fQ/nxWVqmxLYPR6ac7M3JpU7AZNOnVCt0rDpSjRrsJ8MprKLyiikVh
 pzXBng3qFd7mveJ3ESZuTe2tWsDaWQjPUVGR8BnKwcagiClln0WJh8nD+NLpnUXkMJzs
 XLMT8AwfisdqaiBnSYHS8eI0CXcGfkOUpP3K9NVoNSc2FSSPkiHRcEVpa+/cQyZEy9+l
 oeDUx42JN5sQ2CfOpnPLlXjcRJS5HNWpTG3A+TS8mRu6ziiOtdRe3RZQn4aarCoaFj6u
 756Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1726848603; x=1727453403;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=8dwz6m40OMA6yOjrgDz1iDVW210nCX1/plsL1lMTMl4=;
 b=l4BjwJaj/lh7dKqLTIJ20JeD17hnczAsyXhQCO0bxz6i5G5cQbQNeOHS7HMGyBsgra
 qkc1kfDh2yp2nkozWysoMORquFZZQRgDVdFCPJprs777ha7vIkLgrY6E9TQmWhON5B67
 4rH83KjIa9hCTdSbcuNFvx7P53AxRhqWnz0M29WPjWFmo6rGo4gmFsfCCoV2KCAIY0dt
 W0AYQX7Mvrl505dLraBVzGkT6hTGUIadcUkMMIOCaUjy6LY56Z769Nu4bJjEcsTXbykj
 CHwzLUkqOyuItuR4eSb5yNzXbR6dZlMsCMXkTP8j90NQkdqxemehA/PDY8HKJ3CxegR7
 uGYw==
X-Forwarded-Encrypted: i=1;
 AJvYcCXYRdNExBkhQSvxbCQ58LZioxxdJ1wb4FmZPxnbtSicwBRSEBcr6nm8lqVyCA/QTc5LVsN8eA==@debbugs.gnu.org
X-Gm-Message-State: AOJu0YzukUMtFeBDbua3kwEeleVrUpw7JepmB2jDmAvadWEKisynn4N0
 MVkiJRryQTcu2ostJvDVufk2xnQmrrSH2B9Q2eS1vTMdpEYhj3ce
X-Google-Smtp-Source: AGHT+IFlb47XvbCruMXC3Z004FvXdWXHM4Ns/QvrnEMcNp0DI+Lf2O8MPVkHALpUj4Vhg1eRHT4a8g==
X-Received: by 2002:a05:600c:548e:b0:42c:b1ee:4b04 with SMTP id
 5b1f17b1804b1-42e7c19bb69mr22867305e9.28.1726848603299; 
 Fri, 20 Sep 2024 09:10:03 -0700 (PDT)
Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-378e78054cesm18175255f8f.108.2024.09.20.09.10.02
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 20 Sep 2024 09:10:02 -0700 (PDT)
From: Simon Tournier <zimon.toutoune@HIDDEN>
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Fri, 20 Sep 2024 17:04:44 +0200
Message-ID: <87h6aatlgz.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

On mar., 09 avril 2024 at 15:05, Richard Sent <richard@HIDDEN>=
 wrote:

> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.

I agree.  I have been annoyed more than once with this.  Then it becomes
something odd that I have forgotten it=E2=80=99s odd. :-)


> +  (display (G_ "
> +      --no-tls           do not add SSL/TLS certificates or set environm=
ent
> +                         variables for a networked container"))

[...]

> +         (option '(#\T "no-tls") #f #f
> +                 (lambda (opt name arg result)
> +                   (alist-cons 'no-tls? #t result)))

There is a discrepancy, no?  Missing the short =E2=80=99-T=E2=80=99 option =
in the help?

Well, that=E2=80=99s said, I would prefer to not have any short option at a=
ll.
Because I think that option would be a rare option.  And if it is not
and many people use =E2=80=9Cguix shell=E2=80=9D without the package =E2=80=
=99nss-tls=E2=80=99, then we
will still be able to add the short option.  The converse is not true


>           (option '(#\W "nesting") #f #f
>                   (lambda (opt name arg result)
>                     (alist-cons 'nesting? #t result)))
> @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
>                       (packages->outputs (load* file module) mode)))
>                    (('manifest . file)
>                     (manifest-entries (load-manifest file)))
> +                  (('network? . #t)
> +                   (if (assoc-ref opts 'no-tls?)
> +                       '()
> +                       (manifest-entries
> +                        (packages->manifest %default-tls-certs))))
>                    (('nesting? . #t)
>                     (if (assoc-ref opts 'profile)
>                         '()
> @@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile man=
ifest
>=20=20
>  (define* (launch-environment/container #:key command bash user user-mapp=
ings
>                                         profile manifest link-profile? ne=
twork?
> -                                       map-cwd? emulate-fhs? nesting?
> +                                       no-tls? map-cwd? emulate-fhs? nes=
ting?
>                                         (setup-hook #f)
>                                         (symlinks '()) (white-list '()))
>    "Run COMMAND within a container that features the software in PROFILE.
> @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command=
 bash user user-mappings
>                ;; Allow local AF_INET communications.
>                (set-network-interface-up "lo"))
>=20=20
> +            (unless no-tls?
> +              (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/ce=
rts"))
> +              (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_D=
IR")
> +                                                     "/ca-certificates.c=
rt")))
> +
>              ;; For convenience, start in the user's current working
>              ;; directory or, if unmapped, the home directory.
>              (chdir (if map-cwd?
> @@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
>           (link-prof?   (assoc-ref opts 'link-profile?))
>           (symlinks     (assoc-ref opts 'symlinks))
>           (network?     (assoc-ref opts 'network?))
> +         (no-tls?      (assoc-ref opts 'no-tls?))
>           (no-cwd?      (assoc-ref opts 'no-cwd?))
>           (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
>           (nesting?     (assoc-ref opts 'nesting?))
> @@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
>        (when (pair? symlinks)
>          (leave (G_ "'--symlink' cannot be used without '--container'~%")=
)))
>=20=20
> +    (when (and (not network?)
> +               no-tls?)
> +      (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
> +

Why not a warning instead of leaving with an error?


Cheers,
simon

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Resent-From: Simon Tournier <zimon.toutoune@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Fri, 20 Sep 2024 16:12:02 +0000
Resent-Message-ID: <handler.70314.B70314.172684870315444 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 70314
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, Richard Sent <richard@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
Received: via spool by 70314-submit <at> debbugs.gnu.org id=B70314.172684870315444
          (code B ref 70314); Fri, 20 Sep 2024 16:12:02 +0000
Received: (at 70314) by debbugs.gnu.org; 20 Sep 2024 16:11:43 +0000
Received: from localhost ([127.0.0.1]:36146 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1srgER-000411-0O
	for submit <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:43 -0400
Received: from mail-wm1-f47.google.com ([209.85.128.47]:60874)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@HIDDEN>) id 1srgED-0003zT-7h
 for 70314 <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:29 -0400
Received: by mail-wm1-f47.google.com with SMTP id
 5b1f17b1804b1-4280ca0791bso20303125e9.1
 for <70314 <at> debbugs.gnu.org>; Fri, 20 Sep 2024 09:11:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1726848604; x=1727453404; darn=debbugs.gnu.org;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id
 :reply-to; bh=/VOqHNEnw6yMlpedZmoNAP+2UAUzEYZuJSfvXRXHH/0=;
 b=mFKij3nRMteKu4wN+IJAXOLvyKr4gyIeL2QsVKmRe/BQlrmPUehYj8NdVUCJSa4zzP
 DUzWdPMUogtZkiyKLEx7viUpmCwpzUuhn4saItX0IB/RcVi2210U2w1G6tIUr4N32iUN
 4NNq4FF6o7odgvOuUEN9Lo30QSghrLeWdsjExjQz2WSvq2JVDUvmHx4lML3bEPNvI501
 IC83g17pVTFyz+nLytPRA4Q6zsH0kXrzIbAG+1PXjQ8DpYCly63ee5c+oro1YOSDv/mD
 d4+1Q8vkE0I42P5TE+yGNZht6hdICnw7qHpB7GRRcfKdO4VA03nP8JMm1JJCpMxZjT+W
 i7xQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1726848604; x=1727453404;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=/VOqHNEnw6yMlpedZmoNAP+2UAUzEYZuJSfvXRXHH/0=;
 b=Ebudz/jMJj/zkuO+sKxOGBWouK55B9jhtU8L1YG6d2N9btJlzTEu0IZtJs1d+BNCfC
 onhM69AfylaG/9w2ta3um7BQNe6sajxggTzTdJhLvtBB+QHwUdE01tYJsVnG91sQogpy
 EPGkXH/E7JE9EU/K1M7l66DRz5koge+m3DCcMasNP9fBaJQYAUqOMIzyCkSUJCZoRgVD
 z/YtIDQUX9DWmedAz1OHDmDuzFuXzoQTSEZaDdL1oznQrKM0J4FvgCE/8CdN+Jxxp18R
 y0dPt93GCvyW4CTSiN3fh0thYNRvgKTFEHYE2VfXeDvnqvHzTYUTog2IrXMbU5DoS654
 1yJA==
X-Forwarded-Encrypted: i=1;
 AJvYcCWwuRa5Mq8zq+bL7zgH03hpoqrE95AKXiOEyFKQ2iDZtcPfn7Ckfw1S18y3e5+nwaIGHxpt+A==@debbugs.gnu.org
X-Gm-Message-State: AOJu0Yw6LBlLZXYt0mCnaZGEGwTxzZMabb/JdYa9SWQ7Co66GzXNXLG3
 0RV+4j2i/ll7z7+AChlQJMEQx+mzi00QryXeP2e4zbvf3x861i2bl3Urvw==
X-Google-Smtp-Source: AGHT+IEDkMy2BMG03y0YwU8d9UKV2xamVW6d7eBamygke2jNzqIp8d1e60RUl+UysDtkQdLoMt9/Mw==
X-Received: by 2002:a05:600c:358b:b0:42c:b1e1:a45b with SMTP id
 5b1f17b1804b1-42e7c16ed53mr24131445e9.19.1726848604261; 
 Fri, 20 Sep 2024 09:10:04 -0700 (PDT)
Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-42e7540e4e1sm53202095e9.10.2024.09.20.09.10.03
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 20 Sep 2024 09:10:03 -0700 (PDT)
From: Simon Tournier <zimon.toutoune@HIDDEN>
In-Reply-To: <87o74obna0.fsf@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87o74obna0.fsf@HIDDEN>
Date: Fri, 20 Sep 2024 17:19:59 +0200
Message-ID: <87ed5etkrk.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Ludo,

On dim., 15 sept. 2024 at 23:49, Ludovic Court=C3=A8s <ludo@HIDDEN> wrote:

>> +  #:autoload   (gnu packages certs) (nss-certs)

[...]

>> +(define %default-tls-certs
>> +  (list nss-certs))

>
> This would force all the package modules to be loaded upfront.  Instead
> you should arrange to not refer to =E2=80=98nss-certs=E2=80=99 until it=
=E2=80=99s needed.

This is a question I had but not reported when commenting elsewhere this
patch.  I was thinking to suggest:

    (module-ref (resolve-interface '(gnu packages certs)) 'nss-certs)

which lazily loads, IIUC.  Then I gave a look to Guile manual which
mentions:

     =E2=80=98#:autoload MODULE SYMBOL-LIST=E2=80=99
[...]
          An autoload is a good way to put off loading a big module
          until it=E2=80=99s really needed, for instance for faster startup=
 or
          if it will only be needed in certain circumstances.

Therefore, could you explain the difference if there is one?



Cheers,
simon

Last modified: Sun, 12 Jan 2025 05:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.