Liliana Marie Prikler wrote on Thu 05-05-2022 at 20:24 [+0200]:
> > This doesn't work for SSL_CERT_DIR/SSL_CERT_FILE
> nss-certs can be installed to their own profile and referenced from
> there

No, if it is installed in its own profile, then
SSL_CERT_DIR/SSL_CERT_FILE won't be set:

  * Put nss-certs in its own 'certificates' profile.
  * Put curl in an 'applications' profile.

'curl' has an SSL_CERT_FILE search path. However, its profile does not
have the etc/ssl/certs/ca-certificates.crt, so the SSL_CERT_FILE
environment variable will not be defined for 'applications'.

nss-certs does not have any search paths, so the 'certificates' profile
doesn't have any either.

> [...], but are typically part of the OS config.  No glaring issue
> here.

If I install a certificate package, then I expect my certificates to be
actually used, instead of the system's certificates (except for the
GnuTLS just-use-/etc/ssl/certs limitation for which there's a WIP patch
to be integrated, and certifi packages for which there's a separate Guix
issue).

Especially since ‘Guix Home’ is about _home_, not _system_ (so no having
to rely on the system administrator), and since ‘Guix Home’ is about
declarativity so I expect it to respect the certificates I declared.

And especially since the limitation ‘nss-certs won't work when using
separated Guix Home profiles’ isn't documented.

More generally, not having to rely on the OS config is almost in the
(guix)Introduction:

> Guix makes it easy for _unprivileged_ users to install, upgrade,
> or remove software packages, to roll back to a previous package set,
> to build packages from source, and generally assists with the
> creation and maintenance of software environments.

(emphasis mine).

Greetings,
Maxime.