From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store. Date: Fri, 20 Jan 2017 14:31:48 +0100 Message-ID: <87wpdpc0xn.fsf@gnu.org> References: <20161205182014.5155-1-ng0@libertad.pw> <20161205182014.5155-2-ng0@libertad.pw> <87a8c7756a.fsf@gnu.org> <877f7bwbnx.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <8737hyoj9p.fsf@gnu.org> <87o9z4glel.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:53215) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cUZII-0003tt-V9 for guix-devel@gnu.org; Fri, 20 Jan 2017 08:31:56 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cUZIF-00065O-0z for guix-devel@gnu.org; Fri, 20 Jan 2017 08:31:54 -0500 In-Reply-To: <87o9z4glel.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> (ng0's message of "Wed, 18 Jan 2017 20:31:30 +0000") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: ng0 Cc: guix-devel@gnu.org ng0 skribis: > Ludovic Court=C3=A8s writes: > >> ng0 skribis: >> >>> Ludovic Court=C3=A8s writes: >>> >>>> Hello! >>>> >>>> ng0 skribis: >>>> >>>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivile= ged user and group. >>>>> [arguments]: Build with the system provided certificates in a new pha= se. >>>> >>>> [...] >>>> >>>>> + '(#:configure-flags '("--with-unpriv-user=3Dtlsdate" >>>>> + "--with-unpriv-group=3Dtlsdate") >>>> >>>> Why? I think the default is nobody/nogroup, which is fine no? >> >> s/I think// >> >>> I'm not sure if this is still fine when tlsdated is run. But I'll >>> figure out soon. >> >> Right. The choice between =E2=80=9Cnobody=E2=80=9D and =E2=80=9Ctlsdate= =E2=80=9D is purely cosmetic. >> >>>>> + #:phases (modify-phases %standard-phases >>>>> + (add-after 'unpack 'set-cert-path >>>>> + ;; Use the system certificate store, not the >>>>> + ;; application bundled certificates. >>>>> + (lambda _ >>>>> + (substitute* "Makefile.am" >>>>> + (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca= -roots.conf") >>>>> + "/etc/ssl/certs/ca-certificates.crt")))) >>>> >>>> I sympathize with this but this may or may not work on foreign distros. >>>> Still, it=E2=80=99s probably better (this =E2=80=98tlsdata-ca-roots.co= nf=E2=80=99 file seems to >>>> be a 4-year old copy from Mozilla=E2=80=99s NSS). >>>> >>>> WDYT? >>>> >>>> Thanks, >>>> Ludo=E2=80=99. >>>> >>> >>> I don't really like the current way to setenv everything, but is >>> this something we could do here to keep other distros happy? if >>> so, what's a good suggestion how to apply this? >> >> Actually there=E2=80=99s an even better option: add a dependency on =E2= =80=98nss-certs=E2=80=99 >> and change the above substitution to refer to it. This would always >> work. >> >> Problem is =E2=80=98nss-certs=E2=80=99 doesn=E2=80=99t have the single-f= ile certificate bundle >> so you=E2=80=99d have to create that, essentially by duplicating >> =E2=80=98ca-certificate-bundle=E2=80=99 from (guix profiles). >> >> Could you do that? > > I agree this is a better approach. Is there an easy way (like import > ca-certificate-bundle from module guix profiles) or do I have to > really recreate it all in the ntp module in a phase of tlsdate > where it can only be used by tlsdate again? Hmm looks like there=E2=80=99s no easy way currently, sorry. :-/ That will require a bit of fiddling. Ludo=E2=80=99.