guix-devel

Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store


From: Mark H Weaver
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Thu, 20 Feb 2014 13:01:56 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

Andreas Enge <address@hidden> writes:

> The next question is, where do these certificates come from in our system?
> I think a reasonable solution would be to:
> - create a package with certificates (maybe inspired from those contained
>   in debian);
> - have gnutls depend on it, and use the gnutls configure flag to point to
>   /nix/store/xxx-our-certificates/etc/ssl/... .
>
> I think this would be more in line with our approach than pointing to /etc.
> Also, if a certificate gets compromised and is withdrawn from the certificate
> package, this would force gnutls and all its dependencies to be recompiled.
>
> What do you think?

I think you could make this argument for any program or library that
looks for things in /etc.  For example, glibc looks in
/etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/passwd,
/etc/group, etc.

Should we put these configuration files in a package, make glibc depend
on that package, and then force the user to recompile the entire system
whenever one of these files needs to change?

While I sympathize with your concerns, I think that this is going too
far, even for your more limited suggestion of recompiling everything
that depends on gnutls.  If I discover that a CA certificate has been
compromised, I don't want to have to recompile a large number of
programs, and then make sure that I don't have old profiles lying around
that still refer to the old CA certificates.  I'd also essentially lose
roll-back functionality, because I wouldn't be able to roll back without
also enabling the compromised cert.

Furthermore, I think that users should be able to use substitutes from
Hydra even if they want to trust a different set of CA certs.

Here's the thing: what is the common case?  Nowadays, the common case is
that each of us has our own personal computer, where we have root and
can thus change /etc/ssl/certs/ as we wish.  In the uncommon case where
we don't have root, or are sharing a system with others, we can still
configure our own trust stores for individual programs that use gnutls.

However, one of the great things about Guix is that it's possible to
keep a local branch with your own changes.  So, if you want to make a
gnutls package with the trust store in a different location
(/home/andreas/.certs or /nix/store/* or whatever), you can do that
quite easily.  (I've started doing that myself, since my xterm changes
were blocked.)

What do you think?

    Regards,
      Mark


