From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: CA certificates
Date: Thu, 12 Feb 2015 21:30:49 +0100
Message-ID: <87zj8ioosm.fsf@gnu.org>
References: <20150210201452.GA15529@debian>
In-Reply-To: <20150210201452.GA15529@debian> (Andreas Enge's message of "Tue, 10 Feb 2015 21:14:52 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Andreas Enge
Cc: guix-devel@gnu.org

Andreas Enge wrote:

> The attached patch series
> 1) adds a (private) python script to extract single certificates in .pem
> format from a big textfile in mozilla source format;
> 2) adds the package nss-certs, which contains the certificates thus extracted
> in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;
> 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.

Cool. I agree with Mark’s suggestion regarding UTF-8 file name handling. Other than that the patches LGTM.
All this X.509 stuff looks like a security quagmire but I suppose we’ll have to live with it for some time more...

> So if you do a
> guix package -i openssl nss-certs youtube-dl
> and add SSL_CERT_DIR as stipulated by the text output after the installation,
> things work out of the box.

Nice! The (untested) patch below binds nss-certs to /etc/ssl/certs on GuixSD, which should allow for more out-of-the-box goodness. :-)

diff --git a/gnu/system.scm b/gnu/system.scm
index 3fe7833..4b66e5d 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -41,6 +41,7 @@
   #:use-module (gnu packages man)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages firmware)
+  #:use-module (gnu packages certs)
   #:autoload (gnu packages cryptsetup) (cryptsetup)
   #:use-module (gnu services)
   #:use-module (gnu services dmd)
@@ -470,6 +471,7 @@ export ASPELL_CONF=\"dict-dir $HOME/.guix-profile/lib/aspell\"
       ("shells" ,#~#$shells)
       ("profile" ,#~#$profile)
       ("hosts" ,#~#$hosts-file)
+      ("ssl" ,#~(string-append #$nss-certs "/etc/ssl"))
       ("localtime" ,#~(string-append #$tzdata "/share/zoneinfo/"
                                      #$timezone))
       ("sudoers" ,#~#$sudoers)))))

Thanks for working on it!

Ludo’.
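Review bot: on the first hunk of gnu/system.scm, the new `#:use-module (gnu packages certs)` brings the whole module into scope for one binding, while the very next context line already shows the lighter form used for the same purpose, `#:autoload (gnu packages cryptsetup) (cryptsetup)`; consider `#:autoload (gnu packages certs) (nss-certs)` for consistency, since nss-certs is the only name the second hunk uses.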
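Review bot: the second hunk of gnu/system.scm makes /etc/ssl an unconditional symlink into the nss-certs store item, so every system built from this file trusts the full bundle with no hook to narrow or replace it; the adjacent localtime entry combines a package (#$tzdata) with a configuration value (#$timezone), so consider taking the certificate package from a configuration field in the same way rather than hardcoding nss-certs. The message also says the patch is untested: before it lands, check on a built system that /etc/ssl/certs carries the c_rehash links Andreas describes and that openssl's SSL_CERT_DIR search path resolves through the new symlink.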
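The extraction step Andreas describes (single .pem certificates out of the Mozilla-format text file), as an added Python example that is not his script and not part of this thread: it parses the certdata.txt object layout and, because that file also carries entries whose trust object marks them CKT_NSS_NOT_TRUSTED, keeps only certificates trusted for server authentication. The sample input is constructed with dummy certificate bytes, and pairing certificate and trust objects by label is a simplification of the issuer-plus-serial pairing full tools use.

```python
import base64, re, textwrap
# Constructed sample in the layout of Mozilla's certdata.txt (not real CAs): a
# root trusted for server auth and one the bundle carries only to distrust it.
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_objects(text):
    """One dict per CKA_CLASS object: MULTILINE_OCTAL attributes decoded to
    bytes, every other attribute reduced to its value token, quotes stripped."""
    objects = []
    for block in re.split(r"^(?=CKA_CLASS )", text, flags=re.M)[1:]:
        obj = {}
        for key, octal in re.findall(r"^(CKA_\w+) MULTILINE_OCTAL\n(.*?)^END$",
                                     block, re.M | re.S):
            obj[key] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
        for key, val in re.findall(r"^(CKA_\w+) \w+ (.+)$", block, re.M):
            obj[key] = val.strip('"')
        objects.append(obj)
    return objects

def trusted_server_certs(text):
    """{label: PEM} only for certificates whose CKO_NSS_TRUST object grants
    CKT_NSS_TRUSTED_DELEGATOR for server auth; pairing by label is a simplification."""
    objects = parse_objects(text)
    trust = {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH")
             for o in objects if o["CKA_CLASS"] == "CKO_NSS_TRUST"}
    pems = {}
    for o in objects:
        if (o["CKA_CLASS"] == "CKO_CERTIFICATE"
                and trust.get(o["CKA_LABEL"]) == "CKT_NSS_TRUSTED_DELEGATOR"):
            b64 = base64.b64encode(o["CKA_VALUE"]).decode()
            pems[o["CKA_LABEL"]] = ("-----BEGIN CERTIFICATE-----\n"
                + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n")
    return pems
```

Each returned PEM can be written to its own file under etc/ssl/certs and then handed to c_rehash, as the quoted package description does.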