From: Konrad Hinsen
To: zimoun, Wiktor Żelazny, help-guix@gnu.org
Subject: Re: Certificates in pure and containerized environments
Date: Mon, 04 Oct 2021 11:37:17 +0200

Hi Wiktór and Simon,

thanks for shedding some light on this strange behavior.

After some more exploration, the fundamental issue seems to be that many packages use certificates but only a very small number declare a dependence on nss-certs. In fact, nss-certs has only three direct dependents (icedtea, ldns, and pypy) and 115 additional indirect dependents. That includes r-reqon from Simon's example, which depends on icedtea via r-rjava and openjdk.

A radical fix would be to make openssl dependent on nss-certs. But openssl really depends on the availability of some collection of certificates, not on any specific one. Nor do icedtea, ldns, or pypy.

Some packages (e.g. openssl or curl) have a `native-search-paths` declaration that also seems to have the desired effect.
The following environment contains SSL_CERT_DIR as well:

   guix environment --pure --ad-hoc python nss-certs openssl

Python actually lists openssl as a dependency, but that is apparently not sufficient to propagate the environment variables.

Anyway, this looks like the best workaround for me for now: adding openssl to my environment. It adds no software package to my environment, only environment variables and an executable on $PATH.

Thanks again,
  Konrad
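
A diagnostic for the situation discussed in this message, added here as an example (it is not part of the message and not Guix code): run inside the environment with python3, it reports whether SSL_CERT_DIR, or OpenSSL's companion variable SSL_CERT_FILE (not mentioned in the message), points at usable CA data. The function names, status labels and sample directories are assumptions made for illustration.

```python
import os
import re
import ssl
import tempfile
from pathlib import Path

# OpenSSL looks up CAs in a certificate directory by subject-hash names like "0a1b2c3d.0".
HASHED = re.compile(r"^[0-9a-f]{8}\.\d+$")

def trust_store_status(env):
    """Report whether SSL_CERT_FILE / SSL_CERT_DIR in `env` point at usable CA data."""
    status = {}
    cert_file = env.get("SSL_CERT_FILE")
    if not cert_file:
        status["SSL_CERT_FILE"] = "unset"
    elif os.path.isfile(cert_file) and os.path.getsize(cert_file) > 0:
        status["SSL_CERT_FILE"] = "ok"
    else:
        status["SSL_CERT_FILE"] = "dangling"      # variable set, nothing usable there

    cert_dir = env.get("SSL_CERT_DIR")
    if not cert_dir:
        status["SSL_CERT_DIR"] = "unset"
    else:
        # OpenSSL accepts several directories separated by os.pathsep (":" on Unix).
        dirs = [d for d in cert_dir.split(os.pathsep) if os.path.isdir(d)]
        hashed = any(HASHED.match(n) for d in dirs for n in os.listdir(d))
        status["SSL_CERT_DIR"] = "ok" if hashed else ("no-hash-links" if dirs else "dangling")
    status["env_provides_cas"] = "ok" in (status["SSL_CERT_FILE"], status["SSL_CERT_DIR"])
    return status

def demo():
    """Constructed sample: one hashed CA directory and one holding only a .pem file."""
    root = Path(tempfile.mkdtemp())
    good, bare = root / "good", root / "bare"
    good.mkdir()
    bare.mkdir()
    (good / "0a1b2c3d.0").write_text("constructed placeholder\n")
    (bare / "ca.pem").write_text("constructed placeholder\n")
    return {
        "pure, no vars": trust_store_status({}),
        "hashed dir": trust_store_status({"SSL_CERT_DIR": str(good)}),
        "pem only": trust_store_status({"SSL_CERT_DIR": str(bare)}),
        "missing path": trust_store_status({"SSL_CERT_DIR": str(root / "nope")}),
    }

if __name__ == "__main__":
    print(trust_store_status(os.environ))
    # What this interpreter's OpenSSL resolves, including its compiled-in fallbacks.
    print(ssl.get_default_verify_paths())
```

When both variables are unset, OpenSSL falls back to its compiled-in default paths, which the second print shows; comparing the output with and without openssl in the --ad-hoc list makes the difference described above visible.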