From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 22:52:20 +0100
Message-ID: <87fvne6a97.fsf@gnu.org>
In-Reply-To: <20140219140838.GA8796@debian.eduroam.u-bordeaux.fr> (Andreas Enge's message of "Wed, 19 Feb 2014 15:08:38 +0100")
To: Andreas Enge
Cc: guix-devel@gnu.org

Andreas Enge writes:

> On Wed, Feb 19, 2014 at 02:40:42PM +0100, Ludovic Courtès wrote:
>> So, all in all, while this is not ideal, using this configure flag to
>> point to /etc/ssl/... sounds like a viable option to me.  It’s
>> consistent with what other distros do, and it’s what we want to do
>> eventually.
>>
>> (Also, I think it’s time to really take the final system as the primary
>> use case.)
>
> The next question is, where do these certificates come from in our system?
> I think a reasonable solution would be to:
> - create a package with certificates (maybe inspired by those contained
>   in debian);

Definitely.

> - have gnutls depend on it, and use the gnutls configure flag to point to
>   /nix/store/xxx-our-certificates/etc/ssl/... .
>
> I think this would be more in line with our approach than pointing to /etc.
> Also, if a certificate gets compromised and is withdrawn from the certificate
> package, this would force gnutls and all its dependencies to be recompiled.
>
> What do you think?

That’s the solution I would prefer in many cases.  However, the last
point you mention (having to rebuild GnuTLS et al. when a certificate
changes) seems to me like a drawback, because it makes it unnecessarily
costly (storage, bandwidth, time) to deploy a new certificate bundle.

One way to address that would be to have /etc/ssl/... be a Guix-managed
symlink to /nix/store/...-certificates (this is +/- what NixOS does.)

How does that sound?

Thanks,
Ludo’.
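The symlink indirection proposed at the end of the message, as an added example that is not part of this thread or of Guix itself: a fixed path (the one GnuTLS would be configured with) is a managed symlink into a store directory, and withdrawing a CA means building a new store item and atomically repointing the link, with nothing downstream rebuilt and the previous generation kept for rollback. Everything is modelled under a scratch directory: the store prefix `$ROOT/store` stands in for `/nix/store`, the item names `ca-certificates-1`/`-2` and the placeholder PEM blocks are constructed for the demo, and the atomic rename relies on GNU coreutils `mv -T`.

```shell
#!/bin/sh
# Added example, not code from this thread or from Guix: a model of the
# proposal that the trust-store path compiled into GnuTLS (/etc/ssl/...)
# is a distro-managed symlink into the store, so a new certificate bundle
# is deployed by repointing one link rather than rebuilding GnuTLS and
# everything depending on it. Everything lives under a scratch $ROOT; the
# store prefix, item names and "certificates" are constructed for the demo.
set -eu

ROOT=$(mktemp -d)
mkdir -p "$ROOT/store" "$ROOT/etc"
ROOT=$(cd "$ROOT" && pwd -P)     # physical path, so later pwd -P comparisons match
STORE="$ROOT/store"              # stands in for /nix/store (today /gnu/store)
ETC="$ROOT/etc"
BUNDLE="$ETC/ssl/certs/ca-certificates.crt"   # the fixed path GnuTLS would read

# Build a "store item" holding one CA bundle. Each entry is a placeholder
# PEM block carrying only the CA's name; a real bundle holds X.509 data.
make_bundle() {   # $1 = store item name, $2 = space-separated CA names
  dir="$STORE/$1/etc/ssl/certs"
  mkdir -p "$dir"
  : > "$dir/ca-certificates.crt"
  for ca in $2; do
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
      "$ca" >> "$dir/ca-certificates.crt"
  done
  printf '%s\n' "$STORE/$1"
}

# Point $ETC/ssl at a store item. The link is built under a temporary name
# and renamed over the old one (rename(2) is atomic), so a reader of the
# fixed path sees either the old bundle or the new one, never nothing.
# mv -T is GNU coreutils: without it, mv would move the new link *into*
# the directory the old link points at.
activate() {      # $1 = store item path
  rm -f "$ETC/.ssl.new"
  ln -s "$1/etc/ssl" "$ETC/.ssl.new"
  mv -T "$ETC/.ssl.new" "$ETC/ssl"
}

# Store item the fixed path currently resolves to.
current_item() {
  dir=$(cd "$ETC/ssl" && pwd -P)
  printf '%s\n' "${dir%/etc/ssl}"
}

# Number of certificates a program reading the fixed path would load.
count_cas() {
  grep -c 'BEGIN CERTIFICATE' "$BUNDLE"
}

# Invariant the distro must keep for the indirection to be safe: the link
# exists and points into the (read-only, hash-addressed) store, not at a
# writable directory someone else populated. Exit status 0 when it holds.
is_store_managed() {
  [ -L "$ETC/ssl" ] || return 1
  case $(cd "$ETC/ssl" && pwd -P) in
    "$STORE"/*) return 0 ;;
  esac
  return 1
}

# Generation 1: three CAs.
gen1=$(make_bundle ca-certificates-1 "RootCA-A RootCA-B RootCA-C")
activate "$gen1"
echo "generation 1: $(count_cas) CAs via $BUNDLE -> $(current_item)"

# RootCA-B is withdrawn: build a new item and repoint the link. The path
# compiled into GnuTLS did not change, so nothing downstream is rebuilt,
# and generation 1 stays in the store for rollback.
gen2=$(make_bundle ca-certificates-2 "RootCA-A RootCA-C")
activate "$gen2"
echo "generation 2: $(count_cas) CAs via $BUNDLE -> $(current_item)"
is_store_managed && echo "$ETC/ssl points into the store"
```

The trade-off the message describes is visible in the two `activate` calls: the hash-addressed item changes, the consumer's compiled-in path does not, so the cost of a bundle update is one small store item plus a rename. The price is that the fixed path is now only as trustworthy as whoever controls the link, which is why `is_store_managed` checks that it still resolves into the store.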