bug-guix

bug#74711: Is grub broken and breaking Guix ?


From: Ludovic Courtès
Subject: bug#74711: Is grub broken and breaking Guix ?
Date: Tue, 10 Dec 2024 23:27:24 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

ngraves@ngraves.fr skribis:

> By the way, guix install did work perfectly fine despite SSL
> certificates failing, does that mean that it doesn't do any SSL
> certificate verification? Is that considered safe? How about
> man-in-the-middle and data-tampering attacks? Are they impossible due
> to sha checksums in Guix, or is that a vulnerability?

The error with ‘guix pull’ comes from libgit2 when talking to
https://git.sv.gnu.org.

‘guix install’ does not do that.  When it downloads substitutes, it
authenticates them (narinfos are signed) and checks their integrity once
the download is complete.

X.509 certificates do not matter at all here and are explicitly ignored;
see #:verify-certificate? in (guix scripts substitutes).

Ludo’.
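
Added illustration, not part of the original message and not Guix code: a simplified Python model of why the transport's X.509 check is irrelevant when the metadata is signed and the payload's hash is checked after download. The narinfo layout is reduced to two fields, and a Lamport one-time signature stands in for the real signature scheme so that only the standard library is needed; all function names and sample data are constructed.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Stand-in public-key signature (Lamport one-time scheme, stdlib only).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def make_narinfo(store_path: str, nar: bytes) -> bytes:
    # Simplified metadata record: names the item and pins the archive's hash.
    return f"StorePath: {store_path}\nNarHash: sha256:{H(nar).hex()}\n".encode()

def fetch_substitute(trusted_pk, narinfo: bytes, sig, nar: bytes) -> bytes:
    """Client side. Everything except trusted_pk came over an untrusted channel."""
    if not verify(trusted_pk, narinfo, sig):           # 1. authenticate the metadata
        raise ValueError("narinfo signature invalid")
    fields = dict(l.split(": ", 1) for l in narinfo.decode().splitlines())
    if fields["NarHash"] != "sha256:" + H(nar).hex():  # 2. integrity after download
        raise ValueError("nar does not match signed hash")
    return nar

def outcome(trusted_pk, narinfo, sig, nar) -> str:
    try:
        fetch_substitute(trusted_pk, narinfo, sig, nar)
        return "accepted"
    except ValueError as err:
        return str(err)

# Constructed sample data: the server's key pair and one published item.
SK, PK = keygen()
NAR = b"constructed archive contents"
NARINFO = make_narinfo("/gnu/store/PLACEHOLDER-hello", NAR)
SIG = sign(SK, NARINFO)

if __name__ == "__main__":
    print(outcome(PK, NARINFO, SIG, NAR), "|", outcome(PK, NARINFO, SIG, NAR + b"!"))
```

The client parses the metadata only after its signature verifies, so an altered record never reaches the parser, and an altered archive fails the hash comparison regardless of which host or certificate served it.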




