From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andreas Enge <andreas@enge.fr>
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Thu, 20 Feb 2014 20:39:02 +0100
Message-ID: <20140220193902.GA4889@debian>
References: <87ppmjn7ih.fsf@netris.org>
	<20140219092644.GA4694@debian.eduroam.u-bordeaux.fr>
	<87sirf8l6h.fsf@netris.org>
	<20140219121353.GA5707@debian.eduroam.u-bordeaux.fr>
	<877g8rnrtx.fsf@gnu.org>
	<20140219140838.GA8796@debian.eduroam.u-bordeaux.fr>
	<87fvne6a97.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38879)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <andreas@enge.fr>) id 1WGZTB-00026K-Ky
	for guix-devel@gnu.org; Thu, 20 Feb 2014 14:39:49 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <andreas@enge.fr>) id 1WGZT4-00029q-BF
	for guix-devel@gnu.org; Thu, 20 Feb 2014 14:39:41 -0500
Content-Disposition: inline
In-Reply-To: <87fvne6a97.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?iso-8859-15?Q?Court=E8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

Concerning yours and Mark's suggestions, I think the best solution would
be if GnutTLS looked in the user profile for certificates. As it does not,
I still think that my suggestion of considering the certificates as an
input is more in style: Admittedly, they are only data, but the functioning
of GnuTLS depends on them, as much as texlive carries its own data (not
in a separate package, as no other package needs to depend on it).

On Wed, Feb 19, 2014 at 10:52:20PM +0100, Ludovic Courtès wrote:
> One way to address that would be to have /etc/ssl/... be a Guix-managed
> symlink to /nix/store/...-certificates (this is +/- what NixOS does.)
> How does that sound?

That is certainly a possibility.

On Thu, Feb 20, 2014 at 01:01:56PM -0500, Mark H Weaver wrote:
> I think you could make this argument for any program or library that
> looks for things in /etc.  For example, glibc looks in
> /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/passwd,
> /etc/group, etc.

I did not think about these cases, but I think there are limits... Moreover,
these files need to be dynamically changed (adapted to the machine etc.),
while certificates are just static data. So the analogy does not hold.

> However, one of the great things about Guix is that it's possible to
> keep a local branch with your own changes.  So, if you want to make a
> gnutls package with the trust store in a different location
> (/home/andreas/.certs or /nix/store/* or whatever), you can do that
> quite easily.  (I've started doing that myself, since my xterm changes
> were blocked.)

Well, it is not that I could not live with one or the other decision; I am
just taking part in the discussion and voicing my opinion.

Andreas