From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id CAiTL9IwVWBrYAAA0tVLHw
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 19 Mar 2021 23:16:34 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id COJdK9IwVWD4DQAAB5/wlQ
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 19 Mar 2021 23:16:34 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 1E61325647
	for <larch@yhetil.org>; Sat, 20 Mar 2021 00:16:33 +0100 (CET)
Received: from localhost ([::1]:49444 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1lNOM2-0000bk-Sh
	for larch@yhetil.org; Fri, 19 Mar 2021 19:16:30 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:52356)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lNOLb-0000aC-3p
 for bug-guix@gnu.org; Fri, 19 Mar 2021 19:16:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:39632)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lNOLa-0002du-S1
 for bug-guix@gnu.org; Fri, 19 Mar 2021 19:16:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lNOLa-0004ID-LM
 for bug-guix@gnu.org; Fri, 19 Mar 2021 19:16:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#46779: GnuTLS uses the hard-coded /etc/ssl/certs location for TLS
 certificates
Resent-From: Mark H Weaver <mhw@netris.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Fri, 19 Mar 2021 23:16:02 +0000
Resent-Message-ID: <handler.46779.B46779.161619572716456@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 46779
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>,
 Maxim Cournoyer <maxim.cournoyer@gmail.com>
Received: via spool by 46779-submit@debbugs.gnu.org id=B46779.161619572716456
 (code B ref 46779); Fri, 19 Mar 2021 23:16:02 +0000
Received: (at 46779) by debbugs.gnu.org; 19 Mar 2021 23:15:27 +0000
Received: from localhost ([127.0.0.1]:51178 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lNOL0-0004HM-Ll
 for submit@debbugs.gnu.org; Fri, 19 Mar 2021 19:15:26 -0400
Received: from world.peace.net ([64.112.178.59]:59252)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1lNOKx-0004H7-4H
 for 46779@debbugs.gnu.org; Fri, 19 Mar 2021 19:15:25 -0400
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@netris.org>)
 id 1lNOKq-0005eW-8r; Fri, 19 Mar 2021 19:15:16 -0400
From: Mark H Weaver <mhw@netris.org>
In-Reply-To: <87y2f7td00.fsf@gnu.org>
References: <87im6f9aq2.fsf@gmail.com> <87y2f7td00.fsf@gnu.org>
Date: Fri, 19 Mar 2021 19:13:36 -0400
Message-ID: <87o8fen3d0.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Cc: 46779@debbugs.gnu.org
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1616195793;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:resent-cc:
	 resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post; bh=rNvKQeyIN+4hEryDFGAL8OQw8cAH1P6bGkAZFXJPcUY=;
	b=usWoom33+uJlYiiRlE1Ifpgk9vr92zxnfCtu03eyzTh+p+juEUMOTC3cMUdaYmSPsGvUdN
	IW+LGq1VYmSpvVi8js9KpU7eFCriIfV2ZREpb5AFrFP+DN+ToSZP0kmfY83Z57Q/bAhkgx
	B+RB1clBYZGy8zxNS8dhAcnze+hDWzx4n+6VSTDbz5eU3apDo2dsHYKWnMvdb0FI3eDJbY
	72GWXTaC6aQtEE5BnMUEMhcdxQ89vekCenmojI3vh4iaQt3RF+2uSP+n139Igbqbt33suJ
	yEU8G25w1AFbFbWeZfwJcP/hTDHLXG37hJAPrn6r7MUIR1+tmGt6I4PGiVxTKA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616195793; a=rsa-sha256; cv=none;
	b=YAcAaVQ8ux3N9cylhzy4gZrHvJSHs+QEpsiDocLfN30TJYozV77Wl3Pgctg7Xv50fLnuzz
	bu7xEZZSjsP47tyjX2d9hURvy+oNdobrtplb6ByRuu3xnbEFxqlpmueen6PTO6Hi+xRFaT
	pj/12qXZ9T7Qga09Gyw2Q1l9y0RdAArXsFn2fyce2Vcmqyr0PBhHd60nco8IFzQTWRLof/
	E4BfZxu8Gsk+h8FSUuZLPUHPGCqxBIX2pxnH4xbXpRqhXL3LeKejSZU3c06neFQIaumloO
	QntfuGsE1VNPX7zUT0vaO7aRzecAlK8237Snys+SNf6T77NNJHp1JmCw/HxlQw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=none;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Spam-Score: -2.41
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Queue-Id: 1E61325647
X-Spam-Score: -2.41
X-Migadu-Scanner: scn0.migadu.com
X-TUID: crBudwWQyF0k

Ludovic Court=C3=A8s <ludo@gnu.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> We should patch GnuTLS so that it also honors the SSL_* environment
>> variables documented in the Guix manual.
>
> Note that (1) the SSL_* variables are originally from OpenSSL, and (2)
> GnuTLS developers made the conscious decision to not honor any
> environment variable, leaving it up to application developers to do
> that.
>
> That=E2=80=99s the reason we are in this situation.  See the thread at
> <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00237.html>.

That thread is worth reading, but for those who are short on time, I
want to call attention to a specific point I made:

  However, GnuTLS does not support an environment variable setting, so we
  would have to patch the code (add_system_trust in lib/system.c).  I
  strongly considered doing this, but I'm worried about the possible
  security implications.  For example, consider a setuid program that uses
  GnuTLS and assumes that the person who ran the program will not be
  capable of changing the trust store that GnuTLS uses.  This assumption
  would be correct for the upstream GnuTLS, but not for ours.

<https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html>

     Thanks,
       Mark