From mboxrd@z Thu Jan 1 00:00:00 1970
From: ng0
Subject: Re: GnuTLS and the “trust store”
Date: Wed, 04 Jan 2017 22:09:06 +0000
Message-ID: <87h95escjh.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170104144655.12321-1-ng0@libertad.pw>
 <20170104144655.12321-2-ng0@libertad.pw>
 <874m1ezugu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
 <871swizsqv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
 <87vatuimnp.fsf_-_@gnu.org>
In-Reply-To: <87vatuimnp.fsf_-_@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Ludovic Courtès writes:

> Hello!
>
> Marius Bakke skribis:
>
>> Marius Bakke writes:
>>
>>> ng0 writes:
>>>
>>>> * gnu/packages/curl.scm (curl)[arguments]: Add "--with-ca-bundle" configure flag.
>
> [...]
>
>> I realized shortly after posting why this wasn't done already. Curl has
>> 1403 dependent packages, which would apply for "nss-certs" as well if
>> that is added as input. Obviously we want to be able to update TLS
>> certificates quickly without rebuilding ~1/4 of the tree.
>
> Indeed. It’s a situation where we do not want to have a static binding
> between cURL and nss-certs; instead, they should be composed
> dynamically, along the lines of what we already recommend at:

Okay, so my proposed gnURL patch should not be applied at all. Reading
the old threads I'm starting to understand the situation, but not
completely.

> https://www.gnu.org/software/guix/manual/html_node/X_002e509-Certificates.html
>
> cURL depends on GnuTLS, and GnuTLS doesn’t honor an environment variable
> like ‘SSL_CERT_DIR’. Its recipe has this comment:

The 3rd option in 2015, subject: [PATCH] gnu: gnutls: Configure location
of system-wide trust store, was to use openssl. Now we have libressl, so
why not give that a try in the future when we (that is, the people with
commit access) have rebuilt everything with libressl and it turns out
alright?

I'm trying to understand the problem here, the problem why packages like
darcs, pbpst, and others are just sitting, waiting for months because of
issues with cURL. There's a problem, and I'd like to fix (and understand)
it. Do I have to fix the curl-dependent applications? That doesn't sound
like a solution which would scale.

> ;; GnuTLS doesn't consult any environment variables to specify
> ;; the location of the system-wide trust store. Instead it has a
> ;; configure-time option. Unless specified, its configure script
> ;; attempts to auto-detect the location by looking for common
> ;; places in the file system, none of which are present in our
> ;; chroot build environment. If not found, then no default trust
> ;; store is used, so each program has to provide its own
> ;; fallback, and users have to configure each program
> ;; independently. This seems suboptimal.
> "--with-default-trust-store-dir=/etc/ssl/certs"
>
> Original discussion:
>
> https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html

I've read some of the threads connected to this one after I learned
about the subject. It usually helps when the subject is added so I can
search locally.

What happened to the p11-kit Andreas mentioned back in 2014 or 2015?

> Ludo’.
>

--
♥Ⓐ ng0
PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org
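The following is an added example, not code from this thread, from Guix or from GnuTLS. It shows, as a POSIX shell function, the per-program fallback that the quoted recipe comment says every program must supply when its TLS library has no default trust store: consult the conventional OpenSSL-style variables SSL_CERT_FILE and SSL_CERT_DIR first, then fall back to a compiled-in default. The variable DEFAULT_TRUST_DIR is an assumed stand-in for the value passed to --with-default-trust-store-dir; inside a build chroot without /etc/ssl/certs it reproduces the "no default trust store" outcome, and exporting SSL_CERT_DIR reproduces the dynamic composition the thread prefers over a static nss-certs input.

```shell
#!/bin/sh
# Added example: the trust-store fallback each program has to implement
# itself when its TLS library has no usable default. Not from Guix or GnuTLS.
#
# Assumptions (not from the thread):
#   SSL_CERT_FILE / SSL_CERT_DIR  are the OpenSSL-style environment variables
#   DEFAULT_TRUST_DIR             stands in for the configure-time default
#                                 (--with-default-trust-store-dir)

DEFAULT_TRUST_DIR=${DEFAULT_TRUST_DIR:-/etc/ssl/certs}

# resolve_trust_store: print the first usable trust store and return 0.
# Order: a CA bundle file from the environment, then a CA directory from
# the environment, then the compiled-in default directory (only if it
# exists and is non-empty). Prints nothing and returns 1 when none is
# found, which is the "no default trust store is used" case.
resolve_trust_store() {
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -f "$SSL_CERT_FILE" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
        return 0
    fi
    if [ -n "${SSL_CERT_DIR:-}" ] && [ -d "$SSL_CERT_DIR" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
        return 0
    fi
    if [ -d "$DEFAULT_TRUST_DIR" ] \
       && [ -n "$(ls -A "$DEFAULT_TRUST_DIR" 2>/dev/null)" ]; then
        printf '%s\n' "$DEFAULT_TRUST_DIR"
        return 0
    fi
    return 1
}

# Demo: report what this process would use for certificate verification.
if store=$(resolve_trust_store); then
    echo "trust store: $store"
else
    echo "no trust store found: verification would have no CA certificates"
fi
```

Run it with no variables set in an environment lacking /etc/ssl/certs to see the failure branch; then `export SSL_CERT_DIR=/path/to/certs` and run it again to see the store change without the program itself being rebuilt. Programs whose TLS library never reads these variables (GnuTLS, per the recipe comment) cannot be steered this way, which is why the configure-time default matters for them.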