Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.

[ng0]

Ludovic Courtès <address@hidden> writes:

> Hello!
>
> ng0 <address@hidden> skribis:
>
>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged 
>> user and group.
>> [arguments]: Build with the system provided certificates in a new phase.
>
> [...]
>
>> +     '(#:configure-flags '("--with-unpriv-user=tlsdate"
>> +                           "--with-unpriv-group=tlsdate")
>
> Why?  I think the default is nobody/nogroup, which is fine no?

I'm not sure if this is still fine when tlsdated is run. But I'll
figure out soon.

>> +       #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'set-cert-path
>> +                    ;; Use the system certificate store, not the
>> +                    ;; application bundled certificates.
>> +                    (lambda _
>> +                      (substitute* "Makefile.am"
>> +                        
>> (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>> +                         "/etc/ssl/certs/ca-certificates.crt"))))
>
> I sympathize with this but this may or may not work on foreign distros.
> Still, it’s probably better (this ‘tlsdata-ca-roots.conf’ file seems to
> be a 4-year old copy from Mozilla’s NSS).
>
> WDYT?
>
> Thanks,
> Ludo’.
>

I don't really like the current way to setenv everything, but is
this something we could do here to keep other distros happy? if
so, what's a good suggestion how to apply this?

-- 
♥Ⓐ  ng0  | ng0.chaosnet.org