From: Mark H Weaver
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Sun, 15 Feb 2015 11:59:19 -0500
Message-ID: <87sie79km0.fsf@netris.org>
References: <87r3u7di49.fsf@netris.org> <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> <87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian>
In-Reply-To: <20150215091632.GA9692@debian> (Andreas Enge's message of "Sun, 15 Feb 2015 10:16:32 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Andreas Enge
Cc: guix-devel@gnu.org

Andreas Enge writes:

> Hello Mark,
>
> I am a bit lost with this explanation:
>
> On Sun, Feb 15, 2015 at 12:17:59AM -0500, Mark H Weaver wrote:
>> I've set GIT_SSL_CAINFO in my environment for a long time to make Git
>> check certificates properly on GuixSD, but without the single-file
>> certificate bundle, I've lost certificate checking in Git.
>
> Is this because upon installing nss-certs, you uninstalled your single file?

Yes.
Of course I could make it manually, put it somewhere else, and set
GIT_SSL_CAINFO to point to it, but I'd like to find a solution that works
out of the box for other GuixSD users.

> Since we had no certificates at all before, I fail to understand how the
> situation could be worse now than it was.

No, it's not worse than it was before.  Sorry if I gave that impression.
The only issue is that we might need to generate a single-file certificate
bundle for now, because I haven't found a way to get 'git' to check
certificates on GuixSD without a single-file cert bundle, at least not
when curl is built with GnuTLS.

> Would implementing the p11-kit suggestion for gnutls solve the problem?

Good question!  I don't know the answer.  It seems that when 'git' uses
libcurl built with GnuTLS, it doesn't ask GnuTLS to use the system-wide
trust store.  Maybe that's something we could fix somehow.

> Your further analysis might also imply that we need search path definitions
> for git and curl (although this does not seem to be enough at the moment).

I can't speak for the curl command-line tool, because I never use it, but we
might need one for 'git'.

      Mark
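The workaround the message describes, making a single-file bundle by hand and pointing GIT_SSL_CAINFO at it, written out as an added example. This is not code from the thread or from the Guix project; it assumes a directory of individual PEM certificates (the shape of a profile's etc/ssl/certs is an assumption here, as are all file and directory names), skips hash-named symlinks so each certificate is included once, pads files that lack a trailing newline so markers are not glued together, and sanity-checks the result before it is handed to Git.

```sh
#!/bin/sh
# Added example, not code from the Guix thread or the Guix project: build a
# single-file CA bundle from a directory of individual PEM certificates and
# hand it to Git via GIT_SSL_CAINFO.  Directory layout and file names below
# are assumptions for illustration.

# make_ca_bundle SRC_DIR OUT_FILE
# Concatenate every regular file under SRC_DIR that carries at least one PEM
# certificate block into OUT_FILE.  Symlinks are skipped so that hash-named
# aliases of the same certificate (as OpenSSL's c_rehash creates) do not
# duplicate entries; files with no BEGIN CERTIFICATE marker are skipped too.
# Prints the number of certificates written and fails if that number is
# zero, so an empty bundle is never produced.
make_ca_bundle() {
    src=$1
    out=$2
    : > "$out"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        cat "$f" >> "$out"
        # A file without a trailing newline would glue its END marker to the
        # next file's BEGIN marker; pad it.
        [ -z "$(tail -c 1 "$out")" ] || printf '\n' >> "$out"
    done
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$out" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# check_ca_bundle FILE
# Sanity check before pointing Git at a bundle: every BEGIN marker sits on
# its own line with a matching END marker, and there is at least one
# certificate.  A bundle truncated mid-certificate, or with markers glued
# together, fails here instead of failing later inside GnuTLS.
check_ca_bundle() {
    b=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c -e '^-----END CERTIFICATE-----$' "$1" || true)
    any=$(grep -c -e 'CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] && [ $((b + e)) -eq "$any" ]
}

# Demonstration on constructed input: three placeholder PEM blocks over two
# files, plus a README and a hash-style symlink that must both be ignored.
# The base64 bodies are placeholders, not real certificates.
demo_bundle() {
    tmp=$(mktemp -d)
    # First file holds two certificates and deliberately lacks a trailing
    # newline, the case that breaks a naive "cat *.pem > bundle".
    printf '%s\n%s\n%s\n%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' 'Tk9ULUEtQ0VSVA==' \
        '-----END CERTIFICATE-----' > "$tmp/ca1.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$tmp/ca2.pem"
    printf 'not a certificate\n' > "$tmp/README"
    ln -s ca1.pem "$tmp/1a2b3c4d.0"
    count=$(make_ca_bundle "$tmp" "$tmp/ca-bundle.crt")
    check_ca_bundle "$tmp/ca-bundle.crt"
    rm -rf "$tmp"
    echo "$count"
}

demo_bundle
```

Once a real bundle is built this way, Git picks it up from `GIT_SSL_CAINFO=/path/to/ca-bundle.crt` in the environment or from `git config --global http.sslCAInfo /path/to/ca-bundle.crt`. This only reproduces the single-file workaround; the message's open question, whether libcurl built against GnuTLS could be made to consult the system-wide trust store directly, is not answered by it.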