From: Mark H Weaver
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Tue, 24 Feb 2015 15:31:14 -0500
Message-ID: <87sidvhx0t.fsf@netris.org>
In-Reply-To: <87mw441fdp.fsf@gnu.org> (Ludovic Courtès's message of "Mon, 23 Feb 2015 22:34:26 +0100")
To: Ludovic Courtès
Cc: guix-devel@gnu.org

ludo@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver skribis:
>
>> No, it's not worse than it was before.  Sorry if I gave that impression.
>> The only issue is that we might need to generate a single-file
>> certificate bundle for now, because I haven't found a way to get 'git'
>> to check certificates on GuixSD without a single-file cert bundle, at
>> least not when curl is built with GnuTLS.
>
> It seems like adding this single-file bundle would be the simplest
> short-term option.  How would we create that file exactly?
The single-file bundle is just a concatenation of all the individual PEM
data, starting with "-----BEGIN CERTIFICATE-----" and ending with
"-----END CERTIFICATE-----", including those delimiters.  The only caveat
is that the individual PEM files are not required to have a newline after
the "-----END CERTIFICATE-----", but in the single-file cert bundle, we
must ensure that the newline is present.  See .

> Would it be OK to keep it in the nss-certs package?

In order to support multiple packages containing CA certs, it would be
good to handle creation of the single-file cert bundle in the profile
generation code, analogous to our handling of info "dir" files.  This
would allow us to create additional cert packages (e.g. one for
CAcert.org).

I think it belongs in the profile generation code for the benefit of
users running Guix packages on top of another distro, where they might
not have root access.  They can simply set GIT_SSL_CAINFO and
SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt

What do you think?

      Mark
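The bundle construction Mark describes, written out as a POSIX shell script. This is an added example, not Guix's profile-generation code and not something posted in this thread. It contrasts a naive `cat` of the PEM files with a version that copies only the certificate blocks and forces a newline after each "-----END CERTIFICATE-----", and adds a sanity check that catches the fused END/BEGIN line that a missing newline produces. The function names, the `*.pem` naming convention and the directory layout are assumptions; the certificate bodies used for testing are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not Guix code): build a single-file CA bundle from a
# directory of individual PEM certificates, guaranteeing a newline after
# every "-----END CERTIFICATE-----" even when the source file lacks one.

# Naive approach: plain concatenation.  If a source file has no trailing
# newline, the next file's BEGIN line is fused onto the previous END line,
# and PEM parsers then reject or silently skip that certificate.
naive_bundle() {
    # $1: directory of *.pem files, $2: output bundle (assumed layout)
    cat "$1"/*.pem > "$2"
}

# Robust approach: copy only the PEM certificate blocks, delimiters
# included, so any text around them (e.g. an "openssl x509 -text" header)
# is dropped.  awk's print always terminates a record with a newline, so a
# missing final newline in a source file cannot leak into the bundle.
make_ca_bundle() {
    dir=$1
    out=$2
    : > "$out"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        awk '/^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
             inblock { print }
             /^-----END CERTIFICATE-----$/ { inblock = 0 }' "$f" >> "$out"
    done
}

# Number of certificates in a bundle, counted by complete END delimiters.
count_certs() {
    grep -c '^-----END CERTIFICATE-----$' "$1" || true
}

# Sanity check a bundle.  Returns 0 when:
#   - there is at least one certificate,
#   - BEGIN and END delimiters pair up one-to-one,
#   - no END delimiter runs into a following BEGIN on the same line,
#   - the file ends with a newline (tail -c 1 yields "" after $() strips it).
check_bundle() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(count_certs "$1")
    [ "$begins" -gt 0 ] &&
        [ "$begins" -eq "$ends" ] &&
        ! grep -q -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1" &&
        [ -z "$(tail -c 1 "$1")" ]
}
```

Pointing `SSL_CERT_FILE` and `GIT_SSL_CAINFO` at the output of `make_ca_bundle` is the setup described above for a per-user profile; `check_bundle` is the kind of post-build assertion worth running before trusting the file, since a fused line fails quietly rather than loudly.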