From: Leo Famulari
To: Pierre Neidhardt
Cc: guix-devel@gnu.org
Subject: Re: TLS certificates for web browsers in guix environment --container
Date: Tue, 21 Apr 2020 12:36:25 -0400
Message-ID: <20200421163625.GB20354@jasmine.lan>

On Tue, Apr 21, 2020 at 06:17:58PM +0200, Pierre Neidhardt wrote:
> Note that the "--expose=/etc/ssl/certs/" is important.
>
> Should we consider this a bug? If not, then should we document
> it?

No, it's not a bug. TLS X.509 certificates need to be looked up dynamically at run-time, because their validity depends on the current time.

We need to be able to change the certificates without requiring the packages that use them to rebuild. Otherwise built packages would become obsolete just because some time has passed.
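Added example, not part of the original message and not Guix's own code: because the certificates are looked up at run time, a process inside the container only sees whatever trust store is visible at that moment, which is why the quoted "--expose=/etc/ssl/certs/" matters. The script below reports which store a TLS client could find; SSL_CERT_FILE and SSL_CERT_DIR are OpenSSL's standard override variables, and DEFAULT_CERT_DIR is a hypothetical variable of this script that exists only so the check can be exercised against a test directory.

```shell
#!/bin/sh
# Added example (not from the thread): show which CA trust store a TLS client
# could find at run time. SSL_CERT_FILE and SSL_CERT_DIR are OpenSSL's standard
# override variables; /etc/ssl/certs is the directory from the quoted command.
# DEFAULT_CERT_DIR is a hypothetical knob of this script, used for testing.

# True if $1 is a directory containing at least one entry.
dir_has_entries() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Print "<source> <path>" for the first usable store; return 1 if there is none.
# The body runs in a subshell so the IFS and globbing changes stay local.
find_trust_store() (
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -s "$SSL_CERT_FILE" ]; then
        echo "SSL_CERT_FILE $SSL_CERT_FILE"
        exit 0
    fi
    set -f  # no pathname expansion while splitting the list below
    IFS=:   # SSL_CERT_DIR may list several directories separated by colons
    for dir in ${SSL_CERT_DIR:-}; do
        if dir_has_entries "$dir"; then
            echo "SSL_CERT_DIR $dir"
            exit 0
        fi
    done
    default_dir=${DEFAULT_CERT_DIR:-/etc/ssl/certs}
    if dir_has_entries "$default_dir"; then
        echo "default $default_dir"
        exit 0
    fi
    exit 1
)

if store=$(find_trust_store); then
    echo "trust store visible: $store"
else
    echo "no trust store visible; TLS clients here cannot verify certificates" >&2
fi
```

Run inside the container with and without the directory exposed, the script shows the difference the quoted option makes.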