Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store

[ludo@gnu.org (Ludovic Courtès)]

Andreas Enge <andreas@enge.fr> skribis:

> Concerning yours and Mark's suggestions, I think the best solution would
> be if GnutTLS looked in the user profile for certificates.

Sounds like a plan, but my understanding is that this would require
patching GnuTLS since it currently only accepts a fixed file name.

What about raising this issue on the GnuTLS mailing list?

> On Wed, Feb 19, 2014 at 10:52:20PM +0100, Ludovic Courtès wrote:
>> One way to address that would be to have /etc/ssl/... be a Guix-managed
>> symlink to /nix/store/...-certificates (this is +/- what NixOS does.)
>> How does that sound?
>
> That is certainly a possibility.
>
> On Thu, Feb 20, 2014 at 01:01:56PM -0500, Mark H Weaver wrote:
>> I think you could make this argument for any program or library that
>> looks for things in /etc.  For example, glibc looks in
>> /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/passwd,
>> /etc/group, etc.
>
> I did not think about these cases, but I think there are limits... Moreover,
> these files need to be dynamically changed (adapted to the machine etc.),
> while certificates are just static data. So the analogy does not hold.

So I think the insight here is that certificates, libc config, etc. are
all dynamic parts of the systems, and it seems we agree that we should
be able to handle them dynamically.

The most flexible approach would be for GnuTLS to honor an environment
variable.  Using /etc/ssl satisfies the dynamicity requirement but is
obviously less flexible.

I guess we should just submit a getenv patch to GnuTLS.  Any volunteers?
:-)

Until it’s accepted, I think we should go with the /etc/ssl approach.

Thanks,
Ludo’.