From: ludo@gnu.org (Ludovic Courtès)
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 14:40:42 +0100
Message-ID: <877g8rnrtx.fsf@gnu.org>
In-Reply-To: <20140219121353.GA5707@debian.eduroam.u-bordeaux.fr> (Andreas Enge's message of "Wed, 19 Feb 2014 13:13:53 +0100")

Hello!

Thank you both for looking into this.

Andreas Enge <andreas@enge.fr> wrote:

> On Wed, Feb 19, 2014 at 05:13:26AM -0500, Mark H Weaver wrote:

[...]

>> So, in the end, I don't think we should mess around with the way GnuTLS
>> was designed.  I think we should provide a hard-coded system-wide
>> location to allow 'gnutls_certificate_set_x509_system_trust' to work as
>> it was intended, and instead we should make sure that each individual
>> program has a way to override that.
>
> I am still uneasy with this situation, even more so as long as we do not
> have the gnu system: Currently, the guix gnutls would point to the ssl
> certificates that debian installed (or did not install) in /etc; we will
> get behaviour that depends a lot on the outside system instead of being
> self-contained.

Agreed.  However, AIUI, this is just the location of the default
certificates; as Mark wrote, applications, such as wget, can in fact
specify the certificate location independently of that default value.

So, all in all, while this is not ideal, using this configure flag to
point to /etc/ssl/... sounds like a viable option to me.  It’s
consistent with what other distros do, and it’s what we want to do
eventually.

(Also, I think it’s time to really take the final system as the primary
use case.)

WDYT?

Thanks,
Ludo’.
