From: Konrad Hinsen
To: Maxim Cournoyer, help-guix@gnu.org
Subject: Re: Certificates in pure and containerized environments
In-Reply-To: <87ilyb4bcn.fsf@gmail.com>
References: <20211003164510.ebwlm6u24a2bgao4@wzguix> <87ilyb4bcn.fsf@gmail.com>
Date: Fri, 08 Oct 2021 10:47:33 +0200

Hi Maxim,

> The key thing here is whether the certs are required by OpenSSL vs
> GnuTLS. The former honors SSL_CERT_DIR, while the latter does not (I

...

> I hope that helps!

Thanks, that certainly helps to understand the issues.

My preferred approach would be to manage all certificates as Guix
packages, and not have any environment variables. That would be the
opposite of your proposal to make GnuTLS honor SSL_CERT_DIRS. It's
always a mess to have multiple uncoordinated environment managers.

I do see the difficulty for those who need personal certificates and
don't know how to package them in Guix, but that could be solved by a
dedicated tool.

Cheers,
  Konrad