From: Andreas Enge
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Thu, 20 Feb 2014 20:39:02 +0100
Message-ID: <20140220193902.GA4889@debian>
In-Reply-To: <87fvne6a97.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Concerning your and Mark's suggestions, I think the best solution would be
if GnuTLS looked in the user profile for certificates. As it does not, I
still think that my suggestion of considering the certificates as an input
is more in style: Admittedly, they are only data, but the functioning of
GnuTLS depends on them, as much as texlive carries its own data (not in a
separate package, as no other package needs to depend on it).

On Wed, Feb 19, 2014 at 10:52:20PM +0100, Ludovic Courtès wrote:
> One way to address that would be to have /etc/ssl/... be a Guix-managed
> symlink to /nix/store/...-certificates (this is +/- what NixOS does.)
> How does that sound?

That is certainly a possibility.

On Thu, Feb 20, 2014 at 01:01:56PM -0500, Mark H Weaver wrote:
> I think you could make this argument for any program or library that
> looks for things in /etc. For example, glibc looks in
> /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/passwd,
> /etc/group, etc.

I did not think about these cases, but I think there are limits...
Moreover, these files need to be dynamically changed (adapted to the
machine etc.), while certificates are just static data. So the analogy
does not hold.

> However, one of the great things about Guix is that it's possible to
> keep a local branch with your own changes. So, if you want to make a
> gnutls package with the trust store in a different location
> (/home/andreas/.certs or /nix/store/* or whatever), you can do that
> quite easily. (I've started doing that myself, since my xterm changes
> were blocked.)

Well, it is not that I could not live with one or the other decision;
I am just taking part in the discussion and voicing my opinion.

Andreas