
GnuTLS and the “trust store”


From: Ludovic Courtès
Subject: GnuTLS and the “trust store”
Date: Wed, 04 Jan 2017 21:40:42 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hello!

Marius Bakke <address@hidden> writes:

> Marius Bakke <address@hidden> writes:
>
>> ng0 <address@hidden> writes:
>>
>>> * gnu/packages/curl.scm (curl)[arguments]: Add "--with-ca-bundle" configure 
>>> flag.

[...]

> I realized shortly after posting why this wasn't done already. Curl has
> 1403 dependent packages, which would apply for "nss-certs" as well if
> that is added as input. Obviously we want to be able to update TLS
> certificates quickly without rebuilding ~1/4 of the tree.

Indeed.  It’s a situation where we do not want to have a static binding
between cURL and nss-certs; instead, they should be composed
dynamically, along the lines of what we already recommend at:

  https://www.gnu.org/software/guix/manual/html_node/X_002e509-Certificates.html

cURL depends on GnuTLS, and GnuTLS doesn’t honor an environment variable
like ‘SSL_CERT_DIR’.  Its recipe has this comment:

         ;; GnuTLS doesn't consult any environment variables to specify
         ;; the location of the system-wide trust store.  Instead it has a
         ;; configure-time option.  Unless specified, its configure script
         ;; attempts to auto-detect the location by looking for common
         ;; places in the file system, none of which are present in our
         ;; chroot build environment.  If not found, then no default trust
         ;; store is used, so each program has to provide its own
         ;; fallback, and users have to configure each program
         ;; independently.  This seems suboptimal.
         "--with-default-trust-store-dir=/etc/ssl/certs"

Original discussion:

  https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html

Ludo’.
