From mboxrd@z Thu Jan  1 00:00:00 1970
From: Sree Harsha Totakura <sreeharsha@totakura.in>
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 15:37:45 +0100
Message-ID: <5304C1B9.7060309@totakura.in>
References: <87ppmjn7ih.fsf@netris.org>
	<20140219092644.GA4694@debian.eduroam.u-bordeaux.fr>
	<87sirf8l6h.fsf@netris.org>
	<20140219121353.GA5707@debian.eduroam.u-bordeaux.fr>
	<877g8rnrtx.fsf@gnu.org>
	<20140219140838.GA8796@debian.eduroam.u-bordeaux.fr>
Reply-To: sreeharsha@totakura.in
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44840)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <sreeharsha@totakura.in>) id 1WG8ID-0002aO-Fw
	for guix-devel@gnu.org; Wed, 19 Feb 2014 09:38:39 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <sreeharsha@totakura.in>) id 1WG8I7-000722-He
	for guix-devel@gnu.org; Wed, 19 Feb 2014 09:38:33 -0500
Received: from mail-out1.informatik.tu-muenchen.de ([131.159.0.8]:35425
	helo=smtp1.informatik.tu-muenchen.de)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <sreeharsha@totakura.in>) id 1WG8I7-00071w-Aw
	for guix-devel@gnu.org; Wed, 19 Feb 2014 09:38:27 -0500
Received: (Authenticated sender: totakura)
	by mail.in.tum.de (Postfix) with ESMTPSA id 7ECA7240137
	for <guix-devel@gnu.org>; Wed, 19 Feb 2014 15:38:19 +0100 (CET)
In-Reply-To: <20140219140838.GA8796@debian.eduroam.u-bordeaux.fr>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: guix-devel@gnu.org

On 02/19/2014 03:08 PM, Andreas Enge wrote:
> The next question is, where do these certificates come from in our system?
> I think a reasonable solution would be to:
> - create a package with certificates (maybe inspired from those contained
>   in debian);
> - have gnutls depend on it, and use the gnutls configure flag to point to
>   /nix/store/xxx-our-certificates/etc/ssl/... .
> 
> I think this would be more in line with our approach than pointing to /etc.
> Also, if a certificate gets compromised and is withdrawn from the certificate
> package, this would force gnutls and all its dependencies to be recompiled.
> 
> What do you think?

I like this solution.

Sree