From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#25422: GIT_SSL_CAINFO set incorrectly
Date: Sat, 14 Jan 2017 22:20:59 +0100
Message-ID: <87h951jq2s.fsf@gnu.org>
References: <20170111203631.GA30202@jasmine>
In-Reply-To: <20170111203631.GA30202@jasmine> (Leo Famulari's message of "Wed, 11 Jan 2017 15:36:31 -0500")
List-Id: Bug reports for GNU Guix
To: Leo Famulari
Cc: 25422@debbugs.gnu.org

Hi!

Leo Famulari writes:

> Recently, Guix started to set the environment GIT_SSL_CAINFO like a
> search path, instead of pointing to a single file, which is what it should
> be.

I don’t think anything has changed, maybe it’s just that your profile now
includes ‘ssl/certs’?

On my GuixSD machine, I still have:

  $ env |grep GIT_
  GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt

but that’s because ~/.guix-profile does not contain certificates.

At any rate, you are right that GIT_SSL_CAINFO should be a single file.
There’s a note in the code:

    (native-search-paths
     ;; For HTTPS access, Git needs a single-file certificate bundle, specified
     ;; with $GIT_SSL_CAINFO.
     ;; FIXME: This variable designates a single file; it is not a search path.
     (list (search-path-specification
            (variable "GIT_SSL_CAINFO")
            (file-type 'regular)
            (files '("etc/ssl/certs/ca-certificates.crt")))))

So we’re abusing the search path mechanism here.

A proper fix might be to add an option in ‘search-path-specification’ to
pick only the first match. WDYT?

Thanks,
Ludo’.
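
Added example, not part of the original message and not Guix code: a shell check that flags a GIT_SSL_CAINFO value that looks like a search path and applies the "pick only the first match" rule proposed above. The function names (first_match, classify_cainfo, cainfo_report) are hypothetical.

```shell
#!/bin/sh
# Illustrative helpers; these names are assumptions, not part of Guix or Git.

# first_match VALUE
# Print the first colon-separated component of VALUE that is a readable
# regular file. Return 1 when no component qualifies.
first_match() {
    value=$1
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for candidate in $value; do
        if [ -n "$candidate" ] && [ -f "$candidate" ] && [ -r "$candidate" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# classify_cainfo VALUE
# "search-path" is the situation reported in this bug: several entries
# joined with ':' in a variable that designates a single file.
classify_cainfo() {
    case $1 in
        '')  echo unset ;;
        *:*) echo search-path ;;
        *)   echo single ;;
    esac
}

# cainfo_report VALUE
# One-line summary; always succeeds so it is safe under 'set -e'.
cainfo_report() {
    kind=$(classify_cainfo "$1")
    resolved=$(first_match "$1") || resolved='(no readable file)'
    printf 'GIT_SSL_CAINFO is %s; first match: %s\n' "$kind" "$resolved"
}

# Report on the current environment when run directly.
cainfo_report "${GIT_SSL_CAINFO:-}"
```

Exporting the path printed by first_match gives Git a single bundle file without changing which profile's certificates come first.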