From 7d235a67998433d40a8f813f6990f5406a980ba7 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 10 Dec 2024 23:58:12 +0100 Subject: pull: Add ‘--no-check-certificate’. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This can be tested with: guix shell libfaketime -- faketime 2019-01-01 \ guix pull -q --no-check-certificate -p /tmp/p * guix/scripts/pull.scm (%options, show-help): Add ‘--no-check-certificate’. (%default-options): Add ‘verify-certificate?’ key. (guix-pull): Honor it. * doc/guix.texi (Invoking guix pull): Document it. Change-Id: Ia9d7af1c64156b112e86027fb637e2e02dae6e3c --- doc/guix.texi | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 31deb5b003..da4d2f5ebc 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4643,6 +4643,14 @@ Make sure you understand its security implications before using @option{--disable-authentication}. @end quotation +@item --no-check-certificate +Do not validate the X.509 certificates of HTTPS servers. + +When using this option, you have @emph{absolutely no guarantee} that you +are communicating with the authentic server responsible for the given +URL. Unless the channel is authenticated, this makes you vulnerable to +``man-in-the-middle'' attacks. + @item --system=@var{system} @itemx -s @var{system} Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of -- cgit v1.2.3
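Review bot: In the new `@item --no-check-certificate` entry, the sentence "Unless the channel is authenticated, this makes you vulnerable to ``man-in-the-middle'' attacks" is ambiguous, because "channel" can be read as the HTTPS connection rather than the Guix channel being pulled. The entry also sits directly below the `@option{--disable-authentication}` warning without saying how the two options interact. Suggest naming that option explicitly, for example "Unless the channel you pull from is authenticated (that is, you are not also passing @option{--disable-authentication}), ...", so a reader sees that using both leaves the fetched code unprotected. A short sentence on the intended use would also help: the commit message tests the option under `faketime 2019-01-01`, but the documentation gives no legitimate use case.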