From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 13:43:38 +0100
Message-ID: <87sidmmeth.fsf@gnu.org>
References: <87r3u7di49.fsf@netris.org> <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> <87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian> <87sie79km0.fsf@netris.org> <87mw441fdp.fsf@gnu.org> <87sidvhx0t.fsf@netris.org> <87zj7v2gmf.fsf_-_@gnu.org> <87fv9medxv.fsf_-_@netris.org>
In-Reply-To: <87fv9medxv.fsf_-_@netris.org> (Mark H. Weaver's message of "Tue, 03 Mar 2015 02:29:48 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: guix-devel@gnu.org

Mark H Weaver skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Mark H Weaver skribis:
>>
>>> In order to support multiple packages containing CA certs, it would be
>>> good to handle creation of the single-file cert bundle in the profile
>>> generation code, analogous to our handling of info "dir" files.  This
>>> would allow us to create additional cert packages (e.g. one for
>>> CAcert.org).
>>>
>>> I think it belongs in the profile generation code for the benefit of
>>> users running Guix packages on top of another distro, where they might
>>> not have root access.  They can simply set GIT_SSL_CAINFO and
>>> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>>>
>>> What do you think?
>>
>> It’s a good but as of yet unimplemented idea.
>>
>> Although I now realize we could perhaps simply move the
>> ‘certificate-bundle’ procedure to (guix profile), add the certificate
>> package to the system profile, and make /etc/ssl a symlink to
>> /run/current-system/profile/etc/ssl.
>
> I've attached patches that implement this.  They assume that 993300f and
> e979e6d are first reverted.  Comments and suggestions welcome.

Both look good to me.

> It would also be good to add search-path-specifications for
> SSL_CERT_FILE to 'openssl' and GIT_SSL_CAINFO to 'git' in core-updates,
> but I'm not sure how best to do that.  Would you be willing to do it,
> Ludovic?

I just checked the source and OpenSSL itself does not use SSL_CERT_FILE
nor SSL_CERT_DIR at all.  Lynx does use SSL_CERT_FILE, but that’s really
in Lynx, not in libssl.  So I don’t think there should be a search path
specification for OpenSSL.

This is unfortunate, but it looks like we can’t do much.  We could add
that variable to Lynx itself, but it’s not actually a search path but
just a file name.

Thoughts?

> +# These variables are honored by OpenSSL (libssl) and Git.

Replace “OpenSSL (libssl)” by “some applications such as Lynx”.

Thanks,
Ludo’.
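The bundle-building step discussed in this thread, written out as an added shell example (not code from Guix or from either poster): it merges the certificates shipped by several packages into one etc/ssl/ca-certificates.crt, dropping a CA that two packages both ship and any file that is not PEM-armoured. It assumes each certificate package installs its certificates as etc/ssl/certs/*.pem; that layout, and the placeholder certificate bodies in the fixture, are constructed for the example.

```shell
set -eu

# build_ca_bundle OUT DIR...: collect every PEM certificate block found under
# DIR/etc/ssl/certs for each DIR (assumed layout), keep only text inside
# BEGIN/END CERTIFICATE armour, drop exact duplicates, and write OUT.
build_ca_bundle() {
  out=$1; shift
  for dir in "$@"; do
    for pem in "$dir"/etc/ssl/certs/*.pem; do
      [ -f "$pem" ] && cat "$pem"
    done
  done | awk '
    /^-----BEGIN CERTIFICATE-----$/ { blk = ""; inblk = 1 }
    inblk { blk = blk $0 "\n" }
    /^-----END CERTIFICATE-----$/ {
      inblk = 0
      # the whole armoured block is the dedup key, so the same CA shipped
      # by two packages is written once
      if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
    }' > "$out"
}

# count_bundle_certs FILE: number of certificates in a bundle.
count_bundle_certs() {
  grep -c '^-----END CERTIFICATE-----$' "$1" || true
}

# fake_cert NAME: a constructed placeholder PEM block, not a real certificate.
fake_cert() {
  printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER%s\n-----END CERTIFICATE-----\n' "$1"
}

# make_fixture ROOT: two constructed certificate packages under ROOT, one
# CA present in both, plus a stray non-PEM file; builds the bundle from both
# and prints its path.
make_fixture() {
  root=$1
  for p in a b; do mkdir -p "$root/pkg-$p/etc/ssl/certs"; done
  fake_cert ALPHA > "$root/pkg-a/etc/ssl/certs/alpha.pem"
  fake_cert BETA  > "$root/pkg-a/etc/ssl/certs/beta.pem"
  fake_cert ALPHA > "$root/pkg-b/etc/ssl/certs/alpha.pem"   # same CA twice
  fake_cert GAMMA > "$root/pkg-b/etc/ssl/certs/gamma.pem"
  echo "not a certificate" > "$root/pkg-b/etc/ssl/certs/notes.pem"
  build_ca_bundle "$root/ca-certificates.crt" "$root/pkg-a" "$root/pkg-b"
  echo "$root/ca-certificates.crt"
}
```

Pointing SSL_CERT_FILE or GIT_SSL_CAINFO at the resulting file gives applications that honour those variables one bundle covering every certificate package in the profile.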