From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH 1/2] gnu: tlsdate: Use the system-provided certificate store.
Date: Thu, 08 Dec 2016 10:35:46 +0100
Message-ID: <8737hyoj9p.fsf@gnu.org>
In-Reply-To: <877f7bwbnx.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> (ng0@libertad.pw's message of "Wed, 07 Dec 2016 23:40:34 +0000")
To: ng0
Cc: guix-devel@gnu.org

ng0 skribis:

> Ludovic Courtès writes:
>
>> Hello!
>>
>> ng0 skribis:
>>
>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged user and group.
>>> [arguments]: Build with the system-provided certificates in a new phase.
>>
>> [...]
>>
>>> + '(#:configure-flags '("--with-unpriv-user=tlsdate"
>>> + "--with-unpriv-group=tlsdate")
>>
>> Why?  I think the default is nobody/nogroup, which is fine, no?

s/I think//

> I'm not sure if this is still fine when tlsdated is run.  But I'll
> figure out soon.

Right.  The choice between “nobody” and “tlsdate” is purely cosmetic.

>>> + #:phases (modify-phases %standard-phases
>>> + (add-after 'unpack 'set-cert-path
>>> + ;; Use the system certificate store, not the
>>> + ;; application bundled certificates.
>>> + (lambda _
>>> + (substitute* "Makefile.am"
>>> + (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>>> + "/etc/ssl/certs/ca-certificates.crt"))))
>>
>> I sympathize with this, but this may or may not work on foreign distros.
>> Still, it’s probably better (this ‘tlsdate-ca-roots.conf’ file seems to
>> be a 4-year-old copy from Mozilla’s NSS).
>>
>> WDYT?
>>
>> Thanks,
>> Ludo’.
>>
>
> I don't really like the current way to setenv everything, but is
> this something we could do here to keep other distros happy?  If
> so, what's a good suggestion for how to apply this?

Actually there’s an even better option: add a dependency on ‘nss-certs’ and
change the above substitution to refer to it.  This would always work.

Problem is ‘nss-certs’ doesn’t have the single-file certificate bundle, so
you’d have to create that, essentially by duplicating ‘ca-certificate-bundle’
from (guix profiles).

Could you do that?

Thanks!
Ludo’.
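Review bot: in the set-cert-path hunk, the substitute* pattern "$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf" is a regular expression, so `$` acts as an end-of-line anchor and `(sysconfdir)` as a group; it cannot match the literal text in Makefile.am and the substitution silently does nothing, leaving the bundled 4-year-old CA file in use. Escape the metacharacters, e.g. (("\\$\\(sysconfdir\\)/tlsdate/ca-roots/tlsdate-ca-roots.conf") ...), and check the generated Makefile after the phase to confirm the path actually changed. The replacement path /etc/ssl/certs/ca-certificates.crt is also only present when the host system or a profile provides that bundle, which is the foreign-distro concern raised above; pointing the substitution at a bundle built from an nss-certs input, as suggested in the thread, removes that runtime dependency.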