From: Mark H Weaver
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Thu, 20 Feb 2014 13:01:56 -0500
Message-ID: <87zjll7je3.fsf@netris.org>
References: <87ppmjn7ih.fsf@netris.org> <20140219092644.GA4694@debian.eduroam.u-bordeaux.fr> <87sirf8l6h.fsf@netris.org> <20140219121353.GA5707@debian.eduroam.u-bordeaux.fr> <877g8rnrtx.fsf@gnu.org> <20140219140838.GA8796@debian.eduroam.u-bordeaux.fr>
In-Reply-To: <20140219140838.GA8796@debian.eduroam.u-bordeaux.fr> (Andreas Enge's message of "Wed, 19 Feb 2014 15:08:38 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Andreas Enge
Cc: guix-devel@gnu.org

Andreas Enge writes:

> The next question is, where do these certificates come from in our system?
> I think a reasonable solution would be to:
> - create a package with certificates (maybe inspired by those contained
>   in debian);
> - have gnutls depend on it, and use the gnutls configure flag to point to
>   /nix/store/xxx-our-certificates/etc/ssl/... .
>
> I think this would be more in line with our approach than pointing to /etc.
> Also, if a certificate gets compromised and is withdrawn from the certificate
> package, this would force gnutls and all its dependencies to be recompiled.
>
> What do you think?
I think you could make this argument for any program or library that looks for things in /etc. For example, glibc looks in /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/passwd, /etc/group, etc. Should we put these configuration files in a package, make glibc depend on that package, and then force the user to recompile the entire system whenever one of these files needs to change?

While I sympathize with your concerns, I think that this is going too far, even for your more limited suggestion of recompiling everything that depends on gnutls. If I discover that a CA certificate has been compromised, I don't want to have to recompile a large number of programs, and then make sure that I don't have old profiles lying around that still refer to the old CA certificates. I'd also essentially lose roll-back functionality, because I wouldn't be able to roll back without also enabling the compromised cert. Furthermore, I think that users should be able to use substitutes from Hydra even if they want to trust a different set of CA certs.

Here's the thing: what is the common case? Nowadays, the common case is that each of us has our own personal computer, where we have root and can thus change /etc/ssl/certs/ as we wish. In the uncommon case where we don't have root, or are sharing a system with others, we can still configure our own trust stores for individual programs that use gnutls.

However, one of the great things about Guix is that it's possible to keep a local branch with your own changes. So, if you want to make a gnutls package with the trust store in a different location (/home/andreas/.certs or /nix/store/* or whatever), you can do that quite easily. (I've started doing that myself, since my xterm changes were blocked.)

What do you think?

Regards,
Mark
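The "local branch with a gnutls variant" that Mark describes, written out as an added example. This is illustrative code, not part of the thread and not a package definition from the Guix tree: it inherits the stock gnutls package and prepends GnuTLS's own `--with-default-trust-store-dir` configure flag (the sibling `--with-default-trust-store-file` flag selects a single bundle file instead) so that the library's default trust store is a directory the user controls. The module name `(my gnutls-local)`, the package name `gnutls-local-trust` and the path `/home/andreas/.certs` are placeholders; `(gnu packages gnutls)` is the module that exported `gnutls` when this thread was written (newer trees export it from `(gnu packages tls)`), and the quoted `,flags` form follows the pre-gexp argument style of that era.

```scheme
;; Added example, not from the thread or the Guix tree.
;; Defines a gnutls variant whose built-in default trust store is a
;; user-controlled directory instead of /etc/ssl/certs.  Only this
;; package (and whatever you choose to build against it) is rebuilt;
;; the rest of the system keeps using the stock gnutls.
(define-module (my gnutls-local)           ; placeholder module name
  #:use-module (guix packages)
  #:use-module (guix utils)                ; substitute-keyword-arguments
  #:use-module (gnu packages gnutls))      ; (gnu packages tls) in newer trees

;; Placeholder location from the message above; any directory of PEM
;; certificates the user maintains will do.
(define %local-trust-store-dir "/home/andreas/.certs")

(define-public gnutls-local-trust
  (package
    (inherit gnutls)
    (name "gnutls-local-trust")            ; placeholder name
    (arguments
     ;; Keep every other build argument of the stock package and only
     ;; add the trust-store flag in front of its existing configure flags.
     (substitute-keyword-arguments (package-arguments gnutls)
       ((#:configure-flags flags ''())
        `(cons (string-append "--with-default-trust-store-dir="
                              ,%local-trust-store-dir)
               ,flags))))))
```

With this file on the load path (`-L` or `GUIX_PACKAGE_PATH`), `guix package -i gnutls-local-trust` installs the variant into the user's profile without touching the store-wide gnutls; withdrawing a compromised CA is then a matter of deleting its PEM file from the directory, and rolling the profile back never re-enables it, which is the property the reply argues for.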