From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 14:40:42 +0100
Message-ID: <877g8rnrtx.fsf@gnu.org>
References: <87ppmjn7ih.fsf@netris.org> <20140219092644.GA4694@debian.eduroam.u-bordeaux.fr> <87sirf8l6h.fsf@netris.org> <20140219121353.GA5707@debian.eduroam.u-bordeaux.fr>
In-Reply-To: <20140219121353.GA5707@debian.eduroam.u-bordeaux.fr> (Andreas Enge's message of "Wed, 19 Feb 2014 13:13:53 +0100")
To: Andreas Enge
Cc: guix-devel@gnu.org

Hello!

Thank you both for looking into this.

Andreas Enge skribis:

> On Wed, Feb 19, 2014 at 05:13:26AM -0500, Mark H Weaver wrote:
[...]
>> So, in the end, I don't think we should mess around with the way GnuTLS
>> was designed.  I think we should provide a hard-coded system-wide
>> location to allow 'gnutls_certificate_set_x509_system_trust' to work as
>> it was intended, and instead we should make sure that each individual
>> program has a way to override that.
>
> I am still uneasy with this situation, even more so as long as we do not
> have the gnu system: Currently, the guix gnutls would point to the ssl
> certificates that debian installed (or did not install) in /etc; we will
> get behaviour that depends a lot on the outside system instead of being
> self-contained.

Agreed.  However, AIUI, this is just the location of the default
certificates; as Mark wrote, applications, such as wget, can in fact
specify the certificate location independently of that default value.

So, all in all, while this is not ideal, using this configure flag to
point to /etc/ssl/... sounds like a viable option to me.  It’s consistent
with what other distros do, and it’s what we want to do eventually.

(Also, I think it’s time to really take the final system as the primary
use case.)

WDYT?

Thanks,
Ludo’.
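The policy the thread converges on, as an added example in Python (mine, not code from the thread, from GnuTLS or from Guix): one compiled-in default trust-store path that every program falls back to, plus a way for each program to override it. DEFAULT_TRUST_STORE, the TRUST_STORE_FILE environment variable and the PEM bundle are assumptions constructed for this example; GnuTLS's system trust has no such environment variable. The checks around the lookup address Andreas's concern: when the host has no bundle at the compiled-in path, the program gets an error instead of an empty set of trust anchors. compiled_in_defaults() uses Python's ssl module only to show the OpenSSL equivalent of a configure-time path and its override knob.

```python
"""Trust-store resolution with a compiled-in default and a per-program override.

Added illustration; this is not GnuTLS or Guix code.  It models the policy
Mark and Ludovic describe: the library ships one hard-coded system-wide
trust-store path, and each program may point elsewhere.  The extra checks
make a host that lacks the default bundle fail closed instead of silently
verifying against nothing.
"""
import os
import re
import ssl
import tempfile

# Assumed compile-time default, in the style of what a distro passes to configure.
DEFAULT_TRUST_STORE = "/etc/ssl/certs/ca-certificates.crt"
# Hypothetical environment override; GnuTLS's system trust has no such variable.
OVERRIDE_ENV_VAR = "TRUST_STORE_FILE"

# Constructed PEM bundle: two placeholder blocks, not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgVEVTVCBCTE9DSyBPTkU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgVEVTVCBCTE9DSyBUV08=
-----END CERTIFICATE-----
"""

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def count_pem_certs(path):
    """Number of PEM certificate blocks in a file; 0 if it cannot be read."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            return len(_PEM_CERT.findall(fh.read()))
    except OSError:
        return 0


def resolve_trust_store(app_override=None, env=None, default=DEFAULT_TRUST_STORE):
    """Pick the trust store a program should use and validate it.

    Precedence: explicit program option > environment override > compiled-in
    default.  Returns (path, source, certificate_count).  Raises
    FileNotFoundError if the chosen file is absent and ValueError if it holds
    no certificates, so a missing or empty host bundle is an error rather
    than a silently empty set of trust anchors.
    """
    env = os.environ if env is None else env
    if app_override:
        path, source = app_override, "program option"
    elif env.get(OVERRIDE_ENV_VAR):
        path, source = env[OVERRIDE_ENV_VAR], OVERRIDE_ENV_VAR
    else:
        path, source = default, "compiled-in default"

    if not os.path.isfile(path):
        raise FileNotFoundError(f"trust store from {source} is missing: {path}")
    count = count_pem_certs(path)
    if count == 0:
        raise ValueError(f"trust store from {source} has no certificates: {path}")
    return path, source, count


def compiled_in_defaults():
    """The same idea in this interpreter's OpenSSL build: the cafile it was
    configured with and the environment variable that overrides it."""
    paths = ssl.get_default_verify_paths()
    return {"cafile": paths.openssl_cafile, "override_env": paths.openssl_cafile_env}


def demo():
    """Run the three sources against constructed files; return the outcomes."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "ca-bundle.crt")
        with open(bundle, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_BUNDLE)
        empty = os.path.join(tmp, "empty.crt")
        open(empty, "w").close()
        missing = os.path.join(tmp, "absent.crt")  # never created

        outcome["program option"] = resolve_trust_store(bundle, env={}, default=missing)[1:]
        outcome["env override"] = resolve_trust_store(
            None, env={OVERRIDE_ENV_VAR: bundle}, default=missing)[1:]
        outcome["default present"] = resolve_trust_store(None, env={}, default=bundle)[1:]
        try:
            resolve_trust_store(None, env={}, default=missing)
        except FileNotFoundError:
            outcome["default missing"] = "fail closed"
        try:
            resolve_trust_store(None, env={}, default=empty)
        except ValueError:
            outcome["default empty"] = "fail closed"
    return outcome


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
    print("this OpenSSL build:", compiled_in_defaults())
```

In the GnuTLS API the two halves of this are gnutls_certificate_set_x509_system_trust(), which loads the configure-time location, and gnutls_certificate_set_x509_trust_file(), which loads a file the application chose (wget exposes the latter as --ca-certificate). Both return the number of certificates loaded or a negative error code, so the same zero check applies: a return of 0 means the host bundle was absent or empty and the program should refuse to proceed rather than verify against nothing.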