From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: GnuTLS and the "trust store"
Date: Sat, 07 Jan 2017 22:12:03 +0100
Message-ID: <871swe1snw.fsf@gnu.org>
In-Reply-To: (Ricardo Wurmus's message of "Fri, 6 Jan 2017 15:20:03 +0100")
References: <20170104144655.12321-1-ng0@libertad.pw> <20170104144655.12321-2-ng0@libertad.pw> <874m1ezugu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871swizsqv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87vatuimnp.fsf_-_@gnu.org> <87inpty4tw.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87zij52jd2.fsf@gnu.org>
To: Ricardo Wurmus
Cc: guix-devel@gnu.org

Ricardo Wurmus writes:

> Ludovic Courtès writes:
>
>> Ricardo Wurmus writes:
>>
>>> Marius Bakke writes:
>>>
>>>> Curl respects the variable "CURL_CA_BUNDLE". I think we could add a
>>>> "native-search-path" for that, similar to how it's done for "git".
>>>
>>> "curl" does but libcurl does not.
>>
>> But that's probably on purpose. What do the cURL developers recommend
>> for their users?
>>
>> If they recommend that users roll their own mechanism to designate the
>> trust store, then they probably do (?), and I think we should avoid
>> interfering with that.
>
> I don't know what they recommend but on an FHS-compliant system libcurl
> would be configured to default to a well-known path for the default CA
> bundle. This allows users of libcurl to just not care about
> implementing a mechanism to override the default CA bundle, because it
> would fall back to the well-known system-wide path.

That's also the case with Guix: GnuTLS looks for things in
/etc/ssl/certs by default, doesn't it?

> One of these packages is "r-curl", which just assumes that the libcurl
> defaults are fine. We patch it to enable CURL_CA_BUNDLE lookup (a
> feature that was intended only for Windows).

So r-curl doesn't try /etc/ssl/certs? That makes me wonder if the
--with-default-trust-store-dir option of GnuTLS works as expected.

> Since GuixSD does not offer this path and Guix can be used on different
> systems I think we need to provide an alternative. One alternative is
> to replace the well-known path with a call to getenv("CURL_CA_BUNDLE").

OK.

Ludo'.
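The alternative discussed above, replacing libcurl's compiled-in well-known path with a getenv("CURL_CA_BUNDLE") lookup, has one failure mode worth handling explicitly: if the override names a file that does not exist, the client must fail rather than quietly fall back to a different trust store (or to no verification). The following is an added example for this thread, not code from Guix, r-curl, libcurl or any of the posters. It assumes a placeholder default path (DEFAULT_CA_BUNDLE), a constructed stand-in bundle written by make_fake_bundle() so it runs offline, and the libcurl call curl_easy_setopt(CURLOPT_CAINFO) is only named in a comment, not linked.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed fallback: on an FHS distribution a path like this is compiled into
 * libcurl (`curl-config --ca` prints the real one); it is a placeholder here. */
#define DEFAULT_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"

enum ca_source { CA_FROM_ENV, CA_FROM_DEFAULT, CA_NONE };

/* True when path names an existing regular file this process can read. */
static int readable_regular_file(const char *path)
{
    struct stat st;
    if (path == NULL || *path == '\0')
        return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return access(path, R_OK) == 0;
}

/* Choose the bundle to hand to CURLOPT_CAINFO.  env_value is the value of
 * CURL_CA_BUNDLE (NULL when unset).  An explicit override always wins; if it
 * is unusable we return CA_NONE so the caller aborts instead of silently
 * verifying against a different trust store, or against none at all. */
enum ca_source resolve_ca_bundle(const char *env_value, const char *fallback,
                                 char *out, size_t outlen)
{
    if (env_value != NULL && *env_value != '\0') {
        if (!readable_regular_file(env_value))
            return CA_NONE;
        snprintf(out, outlen, "%s", env_value);
        return CA_FROM_ENV;
    }
    if (readable_regular_file(fallback)) {
        snprintf(out, outlen, "%s", fallback);
        return CA_FROM_DEFAULT;
    }
    return CA_NONE;
}

/* Same policy, reading the real environment. */
enum ca_source resolve_ca_bundle_from_env(char *out, size_t outlen)
{
    return resolve_ca_bundle(getenv("CURL_CA_BUNDLE"), DEFAULT_CA_BUNDLE,
                             out, outlen);
}

/* Constructed stand-in for a PEM bundle so the example runs offline (the body
 * is just base64 of "not a real certificate").  Returns a malloc'ed path that
 * the caller unlinks and frees, or NULL on failure. */
char *make_fake_bundle(void)
{
    static const char pem[] =
        "-----BEGIN CERTIFICATE-----\n"
        "bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==\n"
        "-----END CERTIFICATE-----\n";
    char tmpl[] = "/tmp/fake-ca-bundle-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    if (write(fd, pem, sizeof pem - 1) != (ssize_t)(sizeof pem - 1)) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    close(fd);
    char *path = malloc(strlen(tmpl) + 1);
    if (path != NULL)
        strcpy(path, tmpl);
    return path;
}

int main(void)
{
    char bundle[4096];
    enum ca_source src = resolve_ca_bundle_from_env(bundle, sizeof bundle);
    if (src == CA_NONE) {
        fprintf(stderr, "no usable CA bundle; refusing to run without verification\n");
        return 1;
    }
    /* With libcurl this is where curl_easy_setopt(h, CURLOPT_CAINFO, bundle)
     * would go (assumed call; libcurl is not linked in this example). */
    printf("using CA bundle %s (%s)\n", bundle,
           src == CA_FROM_ENV ? "from CURL_CA_BUNDLE" : "compiled-in default");
    return 0;
}
```

The point of the CA_NONE branch is the one a packager cares about: an operator who sets CURL_CA_BUNDLE to a wrong path should see a hard error, not a connection that verifies against whatever store happened to be compiled in.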