GnuTLS and the “trust store”
From: Ludovic Courtès
Subject: GnuTLS and the “trust store”
Date: Wed, 04 Jan 2017 21:40:42 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Hello!
Marius Bakke <address@hidden> skribis:
> Marius Bakke <address@hidden> writes:
>
>> ng0 <address@hidden> writes:
>>
>>> * gnu/packages/curl.scm (curl)[arguments]: Add "--with-ca-bundle" configure
>>> flag.
[...]
> I realized shortly after posting why this wasn't done already. Curl has
> 1403 dependent packages, which would apply for "nss-certs" as well if
> that is added as input. Obviously we want to be able to update TLS
> certificates quickly without rebuilding ~1/4 of the tree.
Indeed. It’s a situation where we do not want to have a static binding
between cURL and nss-certs; instead, they should be composed
dynamically, along the lines of what we already recommend at:
https://www.gnu.org/software/guix/manual/html_node/X_002e509-Certificates.html
cURL depends on GnuTLS, and GnuTLS doesn’t honor an environment variable
like ‘SSL_CERT_DIR’. Its recipe has this comment:
;; GnuTLS doesn't consult any environment variables to specify
;; the location of the system-wide trust store. Instead it has a
;; configure-time option. Unless specified, its configure script
;; attempts to auto-detect the location by looking for common
;; places in the file system, none of which are present in our
;; chroot build environment. If not found, then no default trust
;; store is used, so each program has to provide its own
;; fallback, and users have to configure each program
;; independently. This seems suboptimal.
"--with-default-trust-store-dir=/etc/ssl/certs"
Original discussion:
https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html
Ludo’.
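The point of the message above is that a GnuTLS-linked program only knows the trust store directory baked in at configure time, while an OpenSSL-style backend can be pointed at one through SSL_CERT_DIR at run time. The following script is an added example, not code from the thread or from Guix: it models that lookup difference for a given backend and audits whether the directory a program would end up using actually holds PEM certificates. The compiled-in default mirrors Guix's "--with-default-trust-store-dir=/etc/ssl/certs"; the backend names, the function names and the certificate-counting heuristic are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): model how a program built
# against GnuTLS versus an OpenSSL-style backend finds its CA trust store,
# and check that the chosen directory really contains PEM certificates.
# COMPILED_IN_DEFAULT stands in for the configure-time option mentioned in
# the GnuTLS recipe comment; override it to test other build settings.
COMPILED_IN_DEFAULT="${COMPILED_IN_DEFAULT:-/etc/ssl/certs}"

# Count files in a directory that contain a PEM certificate block.
# Prints 0 when the directory is missing or holds no certificates.
count_pem_certs() {
  dir=$1
  [ -d "$dir" ] || { echo 0; return; }
  grep -l -- '-----BEGIN CERTIFICATE-----' "$dir"/* 2>/dev/null | wc -l | tr -d ' '
}

# Resolve the trust store directory for a given TLS backend (assumed names).
#   gnutls:  ignores SSL_CERT_DIR and uses only the compiled-in default,
#            which is the behaviour the recipe comment describes.
#   openssl: honours SSL_CERT_DIR when set, then falls back to the default.
resolve_trust_store() {
  case $1 in
    gnutls)  echo "$COMPILED_IN_DEFAULT" ;;
    openssl) echo "${SSL_CERT_DIR:-$COMPILED_IN_DEFAULT}" ;;
    *)       echo "unknown backend: $1" >&2; return 1 ;;
  esac
}

# Audit helper: report "ok" when the backend would find at least one CA
# certificate and "empty" otherwise. An empty store means every certificate
# verification fails, which is exactly the situation the thread is about:
# a GnuTLS build whose default directory does not exist in the build chroot.
audit_trust_store() {
  dir=$(resolve_trust_store "$1") || return 1
  n=$(count_pem_certs "$dir")
  if [ "$n" -gt 0 ]; then
    echo "ok ($n certificates in $dir)"
  else
    echo "empty ($dir)"
  fi
}

# Stand-alone usage: audit both backends with the current environment.
if [ "${1:-}" = "--run" ]; then
  for backend in gnutls openssl; do
    printf '%s: %s\n' "$backend" "$(audit_trust_store "$backend")"
  done
fi
```

Running it with `--run` on a host where SSL_CERT_DIR points at a populated directory but the compiled-in default is absent shows the asymmetry directly: the OpenSSL-style lookup reports ok while the GnuTLS-style lookup reports empty.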