From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Thu, 20 Feb 2014 23:08:51 +0100
Message-ID: <871tyxmo7g.fsf@gnu.org>
In-Reply-To: <20140220193902.GA4889@debian> (Andreas Enge's message of "Thu, 20 Feb 2014 20:39:02 +0100")
To: Andreas Enge
Cc: guix-devel@gnu.org

Andreas Enge wrote:

> Concerning yours and Mark's suggestions, I think the best solution would
> be if GnuTLS looked in the user profile for certificates.

Sounds like a plan, but my understanding is that this would require
patching GnuTLS since it currently only accepts a fixed file name.

What about raising this issue on the GnuTLS mailing list?

> On Wed, Feb 19, 2014 at 10:52:20PM +0100, Ludovic Courtès wrote:
>> One way to address that would be to have /etc/ssl/... be a Guix-managed
>> symlink to /nix/store/...-certificates (this is +/- what NixOS does.)
>> How does that sound?
>
> That is certainly a possibility.
>
> On Thu, Feb 20, 2014 at 01:01:56PM -0500, Mark H Weaver wrote:
>> I think you could make this argument for any program or library that
>> looks for things in /etc. For example, glibc looks in
>> /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/passwd,
>> /etc/group, etc.
>
> I did not think about these cases, but I think there are limits... Moreover,
> these files need to be dynamically changed (adapted to the machine etc.),
> while certificates are just static data. So the analogy does not hold.

So I think the insight here is that certificates, libc config, etc. are
all dynamic parts of the systems, and it seems we agree that we should
be able to handle them dynamically.

The most flexible approach would be for GnuTLS to honor an environment
variable. Using /etc/ssl satisfies the dynamicity requirement but is
obviously less flexible.

I guess we should just submit a getenv patch to GnuTLS. Any volunteers? :-)

Until it’s accepted, I think we should go with the /etc/ssl approach.

Thanks,
Ludo’.
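The lookup order the thread proposes (an environment override, falling back to the fixed /etc/ssl path), written out as an added example that is not code from the thread, from GnuTLS or from Guix. It also shows the checks a practitioner would want before trusting an environment-supplied bundle: ignore the override in a privileged process, reject relative paths, and refuse a bundle that is not a regular file writable only by its owner. The variable name TRUST_STORE_FILE and all function names are assumptions of this example.

```python
import os
import stat
from typing import Mapping, Optional

# Hypothetical variable name (an assumption of this example): the thread only
# proposes that GnuTLS honor *some* environment variable.
TRUST_STORE_ENV = "TRUST_STORE_FILE"
# The fixed, distribution-managed location the thread discusses as the fallback.
DEFAULT_TRUST_STORE = "/etc/ssl/certs/ca-certificates.crt"


def mode_is_acceptable(mode: int) -> bool:
    """A CA bundle must be a regular file that only its owner can modify."""
    if not stat.S_ISREG(mode):
        return False
    return mode & (stat.S_IWGRP | stat.S_IWOTH) == 0


def resolve_trust_store(env: Mapping[str, str], privileged: bool = False,
                        default: str = DEFAULT_TRUST_STORE) -> str:
    """Return the CA bundle path: the environment override when it is allowed
    and well-formed, otherwise the fixed distribution-managed default."""
    override = env.get(TRUST_STORE_ENV, "")
    # A privileged (setuid/setgid) process must not take the path from its
    # environment, for the same reason glibc offers secure_getenv(): whoever
    # launched it could point it at a bundle containing a rogue CA.
    if privileged or not override:
        return default
    # A relative path would change meaning with the working directory.
    if not os.path.isabs(override):
        return default
    return override


def load_trust_store(env: Mapping[str, str] = os.environ,
                     privileged: Optional[bool] = None) -> str:
    """Resolve the path and refuse one that is not a protected regular file."""
    if privileged is None:
        # Differing real and effective ids are the usual sign of a setuid/setgid binary.
        privileged = os.geteuid() != os.getuid() or os.getegid() != os.getgid()
    path = resolve_trust_store(env, privileged)
    if not mode_is_acceptable(os.stat(path).st_mode):
        raise PermissionError(f"refusing trust store {path}: not a protected regular file")
    return path
```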