From: ng0 <ng0@libertad.pw>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.
Date: Wed, 07 Dec 2016 23:40:34 +0000 [thread overview]
Message-ID: <877f7bwbnx.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> (raw)
In-Reply-To: <87a8c7756a.fsf@gnu.org>
Ludovic Courtès <ludo@gnu.org> writes:
> Hello!
>
> ng0 <ng0@libertad.pw> skribis:
>
>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged user and group.
>> [arguments]: Build with the system provided certificates in a new phase.
>
> [...]
>
>> + '(#:configure-flags '("--with-unpriv-user=tlsdate"
>> + "--with-unpriv-group=tlsdate")
>
> Why? I think the default is nobody/nogroup, which is fine no?
I'm not sure if this is still fine when tlsdated is run. But I'll
figure out soon.
>> + #:phases (modify-phases %standard-phases
>> + (add-after 'unpack 'set-cert-path
>> + ;; Use the system certificate store, not the
>> + ;; application bundled certificates.
>> + (lambda _
>> + (substitute* "Makefile.am"
>> + (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>> + "/etc/ssl/certs/ca-certificates.crt"))))
>
> I sympathize with this but this may or may not work on foreign distros.
> Still, it’s probably better (this ‘tlsdata-ca-roots.conf’ file seems to
> be a 4-year old copy from Mozilla’s NSS).
>
> WDYT?
>
> Thanks,
> Ludo’.
>
I don't really like the current way to setenv everything, but is
this something we could do here to keep other distros happy? if
so, what's a good suggestion how to apply this?
--
♥Ⓐ ng0 | ng0.chaosnet.org
next prev parent reply other threads:[~2016-12-07 23:41 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 18:20 (unknown), ng0
2016-12-05 18:20 ` [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store ng0
2016-12-07 22:19 ` Ludovic Courtès
2016-12-07 23:40 ` ng0 [this message]
2016-12-08 9:35 ` Ludovic Courtès
2017-01-18 20:31 ` ng0
2017-01-20 13:31 ` Ludovic Courtès
2016-12-05 18:20 ` [PATCH 2/2] services: Add tlsdate-service ng0
2016-12-05 18:23 ` ng0
2016-12-05 18:30 ` v2 tlsdate-service ng0
2016-12-05 18:31 ` [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store ng0
2016-12-05 18:31 ` [PATCH 2/2] services: Add tlsdate-service ng0
2016-12-07 7:18 ` Chris Marusich
2016-12-07 12:04 ` ng0
2016-12-09 6:29 ` Chris Marusich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877f7bwbnx.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me \
--to=ng0@libertad.pw \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).