From: ludo@gnu.org (Ludovic Courtès)
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: CA certificates
Date: Thu, 12 Feb 2015 21:30:49 +0100
Message-ID: <87zj8ioosm.fsf@gnu.org>
In-Reply-To: <20150210201452.GA15529@debian> (Andreas Enge's message of "Tue, 10 Feb 2015 21:14:52 +0100")
Andreas Enge <andreas@enge.fr> wrote:
> The attached patch series
> 1) adds a (private) python script to extract single certificates in .pem
> format from a big textfile in mozilla source format;
> 2) adds the package nss-certs, which contains the certificates thus extracted
> in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;
> 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.
Cool. I agree with Mark’s suggestion regarding UTF-8 file name
handling. Other than that the patches LGTM.
All this X.509 stuff looks like a security quagmire but I suppose we’ll
have to live with it for some time more...
> So if you do a
> guix package -i openssl nss-certs youtube-dl
> and add SSL_CERT_DIR as stipulated by the text output after the installation,
> things work out of the box.
Nice! The (untested) patch below binds nss-certs to /etc/ssl/certs on
GuixSD, which should allow for more out-of-the-box goodness. :-)
diff --git a/gnu/system.scm b/gnu/system.scm
index 3fe7833..4b66e5d 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -41,6 +41,7 @@
#:use-module (gnu packages man)
#:use-module (gnu packages compression)
#:use-module (gnu packages firmware)
+ #:use-module (gnu packages certs)
#:autoload (gnu packages cryptsetup) (cryptsetup)
#:use-module (gnu services)
#:use-module (gnu services dmd)
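Review bot: the added "#:use-module (gnu packages certs)" line imports a module that this diff does not create, so (gnu system) only loads once the nss-certs series quoted above has been applied; the commit message should state that ordering. The second hunk uses a single binding, nss-certs, presumably from this module, so an "#:autoload (gnu packages certs) (nss-certs)" in the style of the cryptsetup line directly below would keep the import narrow.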
@@ -470,6 +471,7 @@ export ASPELL_CONF=\"dict-dir $HOME/.guix-profile/lib/aspell\"
("shells" ,#~#$shells)
("profile" ,#~#$profile)
("hosts" ,#~#$hosts-file)
+ ("ssl" ,#~(string-append #$nss-certs "/etc/ssl"))
("localtime" ,#~(string-append #$tzdata "/share/zoneinfo/"
#$timezone))
("sudoers" ,#~#$sudoers)))))
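Review bot: the added entry is named "ssl" and points at the package's whole etc/ssl directory, while the message states the intent as binding /etc/ssl/certs; as written, everything under /etc/ssl comes from the nss-certs output, which leaves no place for locally added CA certificates or other files in that directory. The entry is also unconditional in this list, so every system gets this trust store with no way to pick a different certificate package or none. Consider linking only the certs subdirectory and taking the package from a field of the system declaration, and since the message calls the patch untested, confirm on a built system that /etc/ssl/certs resolves as expected.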
Thanks for working on it!
Ludo’.
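
Item 1 of the quoted series summary, extracting certificates from Mozilla's source-format file, sketched as an added example (not Andreas's script and not Guix code). It assumes the certdata.txt layout of CKO_CERTIFICATE and CKO_NSS_TRUST objects with MULTILINE_OCTAL values, and goes one step beyond plain extraction by keeping only certificates whose trust object marks them as TLS server CAs; sample_entry and SAMPLE are constructed placeholder data.

```python
import base64, hashlib, re, textwrap
from itertools import takewhile

def parse_objects(text):
    """Split certdata.txt-style text into one attribute dict per object."""
    objects, lines = [], iter(text.splitlines())
    current = {}                      # throwaway dict for lines before the first object
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) < 2 or line.startswith("#"):
            continue
        name, kind = fields[0], fields[1]
        if name == "CKA_CLASS":       # each object opens with its class
            current = {}
            objects.append(current)
        if kind == "MULTILINE_OCTAL": # \ooo byte escapes; takewhile also consumes END
            octal = "".join(takewhile(lambda d: d.strip() != "END", lines))
            current[name] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
        else:
            current[name] = fields[2].strip() if len(fields) > 2 else ""
    return objects

def trusted_server_cas(text):
    """Return [(label, pem)] for certificates marked as trusted TLS server CAs."""
    objs = parse_objects(text)
    # Trust objects name their certificate by the SHA-1 of its DER encoding.
    trusted = {o.get("CKA_CERT_SHA1_HASH") for o in objs
               if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
               and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    result = []
    for o in objs:
        der = o.get("CKA_VALUE", b"")
        if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and hashlib.sha1(der).digest() in trusted:
            body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
            pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
            result.append((o.get("CKA_LABEL", "").strip('"'), pem))
    return result

def sample_entry(label, der, trust):
    """Constructed test input; `der` is placeholder bytes, not a real certificate."""
    octal = lambda data: "".join("\\%03o" % b for b in data)
    return (f'CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_LABEL UTF8 "{label}"\n'
            f'CKA_VALUE MULTILINE_OCTAL\n{octal(der)}\nEND\n\n'
            f'CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\nCKA_LABEL UTF8 "{label}"\n'
            f'CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n{octal(hashlib.sha1(der).digest())}\nEND\n'
            f'CKA_TRUST_SERVER_AUTH CK_TRUST {trust}\n\n')

# Constructed sample: one trusted and one explicitly distrusted entry.
SAMPLE = (sample_entry("Example Root CA", b"\x30\x03\x02\x01\x2a", "CKT_NSS_TRUSTED_DELEGATOR")
          + sample_entry("Distrusted Example CA", b"\x30\x03\x02\x01\x2b", "CKT_NSS_NOT_TRUSTED"))
```

An extractor that copies every CKO_CERTIFICATE object would also install "Distrusted Example CA"; trusted_server_cas(SAMPLE) returns only the first entry.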