From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: GnuTLS and the =?utf-8?Q?=E2=80=9Ctrust_store=E2=80=9D?=
Date: Wed, 04 Jan 2017 21:40:42 +0100
Message-ID: <87vatuimnp.fsf_-_@gnu.org>
References: <20170104144655.12321-1-ng0@libertad.pw>
	<20170104144655.12321-2-ng0@libertad.pw>
	<874m1ezugu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<871swizsqv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57574)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cOsMb-0003ZH-4W
	for guix-devel@gnu.org; Wed, 04 Jan 2017 15:40:50 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cOsMY-0002nw-22
	for guix-devel@gnu.org; Wed, 04 Jan 2017 15:40:49 -0500
In-Reply-To: <871swizsqv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	(Marius Bakke's message of "Wed, 04 Jan 2017 17:37:12 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org

Hello!

Marius Bakke <mbakke@fastmail.com> skribis:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> ng0 <ng0@libertad.pw> writes:
>>
>>> * gnu/packages/curl.scm (curl)[arguments]: Add "--with-ca-bundle" confi=
gure flag.

[...]

> I realized shortly after posting why this wasn't done already. Curl has
> 1403 dependent packages, which would apply for "nss-certs" as well if
> that is added as input. Obviously we want to be able to update TLS
> certificates quickly without rebuilding ~1/4 of the tree.

Indeed.  It=E2=80=99s a situation where we do not want to have a static bin=
ding
between cURL and nss-certs; instead, they should be composed
dynamically, along the lines of what we already recommend at:

  https://www.gnu.org/software/guix/manual/html_node/X_002e509-Certificates=
.html

cURL depends on GnuTLS, and GnuTLS doesn=E2=80=99t honor an environment var=
iable
like =E2=80=98SSL_CERT_DIR=E2=80=99.  Its recipe has this comment:

         ;; GnuTLS doesn't consult any environment variables to specify
         ;; the location of the system-wide trust store.  Instead it has a
         ;; configure-time option.  Unless specified, its configure script
         ;; attempts to auto-detect the location by looking for common
         ;; places in the file system, none of which are present in our
         ;; chroot build environment.  If not found, then no default trust
         ;; store is used, so each program has to provide its own
         ;; fallback, and users have to configure each program
         ;; independently.  This seems suboptimal.
         "--with-default-trust-store-dir=3D/etc/ssl/certs"

Original discussion:

  https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html

Ludo=E2=80=99.