From: ludo@gnu.org (Ludovic Courtès)
To: ng0 <ng0@libertad.pw>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.
Date: Thu, 08 Dec 2016 10:35:46 +0100 [thread overview]
Message-ID: <8737hyoj9p.fsf@gnu.org> (raw)
In-Reply-To: <877f7bwbnx.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> (ng0@libertad.pw's message of "Wed, 07 Dec 2016 23:40:34 +0000")
ng0 <ng0@libertad.pw> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello!
>>
>> ng0 <ng0@libertad.pw> skribis:
>>
>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged user and group.
>>> [arguments]: Build with the system provided certificates in a new phase.
>>
>> [...]
>>
>>> + '(#:configure-flags '("--with-unpriv-user=tlsdate"
>>> + "--with-unpriv-group=tlsdate")
>>
>> Why? I think the default is nobody/nogroup, which is fine no?
s/I think//
> I'm not sure if this is still fine when tlsdated is run. But I'll
> figure out soon.
Right. The choice between “nobody” and “tlsdate” is purely cosmetic.
>>> + #:phases (modify-phases %standard-phases
>>> + (add-after 'unpack 'set-cert-path
>>> + ;; Use the system certificate store, not the
>>> + ;; application bundled certificates.
>>> + (lambda _
>>> + (substitute* "Makefile.am"
>>> + (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>>> + "/etc/ssl/certs/ca-certificates.crt"))))
>>
>> I sympathize with this but this may or may not work on foreign distros.
>> Still, it’s probably better (this ‘tlsdata-ca-roots.conf’ file seems to
>> be a 4-year old copy from Mozilla’s NSS).
>>
>> WDYT?
>>
>> Thanks,
>> Ludo’.
>>
>
> I don't really like the current way to setenv everything, but is
> this something we could do here to keep other distros happy? if
> so, what's a good suggestion how to apply this?
Actually there’s an even better option: add a dependency on ‘nss-certs’
and change the above substitution to refer to it. This would always
work.
Problem is ‘nss-certs’ doesn’t have the single-file certificate bundle
so you’d have to create that, essentially by duplicating
‘ca-certificate-bundle’ from (guix profiles).
Could you do that?
Thanks!
Ludo’.
next prev parent reply other threads:[~2016-12-08 9:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 18:20 (unknown), ng0
2016-12-05 18:20 ` [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store ng0
2016-12-07 22:19 ` Ludovic Courtès
2016-12-07 23:40 ` ng0
2016-12-08 9:35 ` Ludovic Courtès [this message]
2017-01-18 20:31 ` ng0
2017-01-20 13:31 ` Ludovic Courtès
2016-12-05 18:20 ` [PATCH 2/2] services: Add tlsdate-service ng0
2016-12-05 18:23 ` ng0
2016-12-05 18:30 ` v2 tlsdate-service ng0
2016-12-05 18:31 ` [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store ng0
2016-12-05 18:31 ` [PATCH 2/2] services: Add tlsdate-service ng0
2016-12-07 7:18 ` Chris Marusich
2016-12-07 12:04 ` ng0
2016-12-09 6:29 ` Chris Marusich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8737hyoj9p.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=ng0@libertad.pw \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.