From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate
	store.
Date: Wed, 07 Dec 2016 23:19:57 +0100
Message-ID: <87a8c7756a.fsf@gnu.org>
References: <20161205182014.5155-1-ng0@libertad.pw>
	<20161205182014.5155-2-ng0@libertad.pw>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37703)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cEkZH-0002HP-Ob
	for guix-devel@gnu.org; Wed, 07 Dec 2016 17:20:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cEkZE-0000l5-K6
	for guix-devel@gnu.org; Wed, 07 Dec 2016 17:20:03 -0500
In-Reply-To: <20161205182014.5155-2-ng0@libertad.pw> (ng0@libertad.pw's
	message of "Mon, 5 Dec 2016 18:20:13 +0000")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: ng0 <ng0@libertad.pw>
Cc: guix-devel@gnu.org

Hello!

ng0 <ng0@libertad.pw> skribis:

> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged =
user and group.
> [arguments]: Build with the system provided certificates in a new phase.

[...]

> +     '(#:configure-flags '("--with-unpriv-user=3Dtlsdate"
> +                           "--with-unpriv-group=3Dtlsdate")

Why?  I think the default is nobody/nogroup, which is fine no?

> +       #:phases (modify-phases %standard-phases
> +                  (add-after 'unpack 'set-cert-path
> +                    ;; Use the system certificate store, not the
> +                    ;; application bundled certificates.
> +                    (lambda _
> +                      (substitute* "Makefile.am"
> +                        (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roo=
ts.conf")
> +                         "/etc/ssl/certs/ca-certificates.crt"))))

I sympathize with this but this may or may not work on foreign distros.
Still, it=E2=80=99s probably better (this =E2=80=98tlsdata-ca-roots.conf=E2=
=80=99 file seems to
be a 4-year old copy from Mozilla=E2=80=99s NSS).

WDYT?

Thanks,
Ludo=E2=80=99.