From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Sun, 15 Feb 2015 11:59:19 -0500
Message-ID: <87sie79km0.fsf@netris.org>
References: <87r3u7di49.fsf@netris.org>
	<20150204123652.GA21908@debian.eduroam.u-bordeaux.fr>
	<87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51741)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1YN2XN-0002Nb-Cq
	for guix-devel@gnu.org; Sun, 15 Feb 2015 11:59:22 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1YN2XI-0004jF-NE
	for guix-devel@gnu.org; Sun, 15 Feb 2015 11:59:17 -0500
Received: from world.peace.net ([50.252.239.5]:50142)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1YN2XI-0004j8-Id
	for guix-devel@gnu.org; Sun, 15 Feb 2015 11:59:12 -0500
In-Reply-To: <20150215091632.GA9692@debian> (Andreas Enge's message of "Sun,
	15 Feb 2015 10:16:32 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org

Andreas Enge <andreas@enge.fr> writes:

> Hello Mark,
>
> I am a bit lost with this explanation:
>
> On Sun, Feb 15, 2015 at 12:17:59AM -0500, Mark H Weaver wrote:
>> I've set GIT_SSL_CAINFO in my environment for a long time to make Git
>> check certificates properly on GuixSD, but without the single-file
>> certificate bundle, I've lost certificate checking in Git.
>
> Is this because upon installing nss-certs, you uninstalled your single file?

Yes.  Of course I could make it manually, put it somewhere else, and set
GIT_SSL_CAINFO to point to it, but I'd like to find a solution that
works out of the box for other GuixSD users.

> Since we had no certificates at all before, I fail to understand how the
> situation could be worse now than it was.

No, it's not worse than it was before.  Sorry if I gave that impression.
The only issue is that we might need to generate a single-file
certificate bundle for now, because I haven't found a way to get 'git'
to check certificates on GuixSD without a single-file cert bundle, at
least not when curl is build with GnuTLS.

> Would implementing the p11-kit suggestion for gnutls solve the problem?

Good question!  I don't know the answer.  It seems that when 'git' uses
libcurl built with GnuTLS, it doesn't ask GnuTLS to use the system-wide
trust store.  Maybe that's something we could fix somehow.

> Your further analysis might also imply that we need search path definitions
> for git and curl (although this does not seem to be enough at the moment).

I can't speak for the curl command-line tool, because I never use it,
but we might need one for 'git'.

     Mark