From: ludo@gnu.org (Ludovic Courtès)
Subject: GnuTLS and the “trust store”
Date: Wed, 04 Jan 2017 21:40:42 +0100
Message-ID: <87vatuimnp.fsf_-_@gnu.org>
References: <20170104144655.12321-1-ng0@libertad.pw> <20170104144655.12321-2-ng0@libertad.pw> <874m1ezugu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871swizsqv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <871swizsqv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (Marius Bakke's message of "Wed, 04 Jan 2017 17:37:12 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Marius Bakke
Cc: guix-devel@gnu.org

Hello!

Marius Bakke writes:

> Marius Bakke writes:
>
>> ng0 writes:
>>
>>> * gnu/packages/curl.scm (curl)[arguments]: Add "--with-ca-bundle" configure flag.

[...]

> I realized shortly after posting why this wasn't done already. Curl has
> 1403 dependent packages, which would apply for "nss-certs" as well if
> that is added as input. Obviously we want to be able to update TLS
> certificates quickly without rebuilding ~1/4 of the tree.

Indeed.
It’s a situation where we do not want to have a static binding between
cURL and nss-certs; instead, they should be composed dynamically, along
the lines of what we already recommend at:

  https://www.gnu.org/software/guix/manual/html_node/X_002e509-Certificates.html

cURL depends on GnuTLS, and GnuTLS doesn’t honor an environment variable
like ‘SSL_CERT_DIR’. Its recipe has this comment:

  ;; GnuTLS doesn't consult any environment variables to specify
  ;; the location of the system-wide trust store. Instead it has a
  ;; configure-time option. Unless specified, its configure script
  ;; attempts to auto-detect the location by looking for common
  ;; places in the file system, none of which are present in our
  ;; chroot build environment. If not found, then no default trust
  ;; store is used, so each program has to provide its own
  ;; fallback, and users have to configure each program
  ;; independently. This seems suboptimal.
  "--with-default-trust-store-dir=/etc/ssl/certs"

Original discussion:

  https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html

Ludo’.
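As an added example, not part of the message above and not code from Guix, GnuTLS or cURL: a small POSIX shell helper that does what the "dynamic composition" approach leaves to each program, namely pick a trust store from ‘SSL_CERT_DIR’ or ‘SSL_CERT_FILE’, fall back to /etc/ssl/certs (the path the Guix GnuTLS recipe bakes in at configure time), and report how many PEM certificates the chosen store actually holds, so that an empty or missing store is noticed instead of silently giving the "no default trust store" failure mode the recipe comment describes. The function names, the lookup order and the placeholder certificate bodies are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread, Guix, GnuTLS or cURL.
# Mirrors the "each program has to provide its own fallback" situation:
# pick a trust store from the environment, else the path the Guix GnuTLS
# recipe configures (/etc/ssl/certs), and report whether it is usable.

# Resolve the trust store location. Lookup order (an assumption for this
# example, not a GnuTLS rule): SSL_CERT_DIR, then SSL_CERT_FILE, then
# /etc/ssl/certs. Prints the path; returns 1 when nothing usable exists,
# i.e. the "no default trust store" failure mode from the recipe comment.
resolve_trust_store() {
  if [ -n "${SSL_CERT_DIR:-}" ] && [ -d "$SSL_CERT_DIR" ]; then
    printf '%s\n' "$SSL_CERT_DIR"
  elif [ -n "${SSL_CERT_FILE:-}" ] && [ -f "$SSL_CERT_FILE" ]; then
    printf '%s\n' "$SSL_CERT_FILE"
  elif [ -d /etc/ssl/certs ]; then
    printf '%s\n' /etc/ssl/certs
  else
    return 1
  fi
}

# Count PEM certificate blocks in a store: either a directory of *.pem
# files or a single bundle file. Prints 0 for an empty store, never fails.
count_pem_certs() {
  if [ -d "$1" ]; then
    cat "$1"/*.pem 2>/dev/null | grep -c -e '-----BEGIN CERTIFICATE-----' || true
  else
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
  fi
}

# Combined check: status 0 only when a store was found and it holds at
# least one certificate; otherwise explain what is wrong on stderr.
check_trust_store() {
  if store=$(resolve_trust_store); then
    n=$(count_pem_certs "$store")
    if [ "${n:-0}" -gt 0 ]; then
      echo "trust store: $store ($n certificates)"
      return 0
    fi
    echo "trust store $store contains no certificates" >&2
    return 1
  fi
  echo "no trust store found (set SSL_CERT_DIR or SSL_CERT_FILE)" >&2
  return 1
}

# Build a constructed store so the script demonstrates itself offline.
# The PEM bodies are placeholders, not real certificates.
make_sample_store() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' > "$dir/ca1.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'constructed-placeholder' '-----END CERTIFICATE-----' > "$dir/bundle.pem"
  printf '%s\n' "$dir"
}

# Stand-alone run: point the resolver at the constructed store.
sample=$(make_sample_store)
SSL_CERT_DIR=$sample check_trust_store
```

Run against a real system the same way, e.g. `SSL_CERT_DIR=$HOME/.guix-profile/etc/ssl/certs sh check.sh`, to confirm that the directory nss-certs installs is what a dynamically composed program would pick up; a non-zero status means the program would end up with no trust store at all.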