guix-devel

Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store


From: Ludovic Courtès
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 14:40:42 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

Hello!

Thank you both for looking into this.

Andreas Enge <address@hidden> skribis:

> On Wed, Feb 19, 2014 at 05:13:26AM -0500, Mark H Weaver wrote:

[...]

>> So, in the end, I don't think we should mess around with the way GnuTLS
>> was designed.  I think we should provide a hard-coded system-wide
>> location to allow 'gnutls_certificate_set_x509_system_trust' to work as
>> it was intended, and instead we should make sure that each individual
>> program has a way to override that.
>
> I am still uneasy with this situation, even more so as long as we do not
> have the gnu system: Currently, the guix gnutls would point to the ssl
> certificates that debian installed (or did not install) in /etc; we will
> get behaviour that depends a lot on the outside system instead of being
> self-contained.

Agreed.  However, AIUI, this is just the location of the default
certificates; as Mark wrote, applications, such as wget, can in fact
specify the certificate location independently of that default value.

So, all in all, while this is not ideal, using this configure flag to
point to /etc/ssl/... sounds like a viable option to me.  It’s
consistent with what other distros do, and it’s what we want to do
eventually.

(Also, I think it’s time to really take the final system as the primary
use case.)

WDYT?

Thanks,
Ludo’.
