Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.

[Ludovic Courtès]

ng0 <address@hidden> skribis:

> Ludovic Courtès <address@hidden> writes:
>
>> Hello!
>>
>> ng0 <address@hidden> skribis:
>>
>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged 
>>> user and group.
>>> [arguments]: Build with the system provided certificates in a new phase.
>>
>> [...]
>>
>>> +     '(#:configure-flags '("--with-unpriv-user=tlsdate"
>>> +                           "--with-unpriv-group=tlsdate")
>>
>> Why?  I think the default is nobody/nogroup, which is fine no?

s/I think//

> I'm not sure if this is still fine when tlsdated is run. But I'll
> figure out soon.

Right.  The choice between “nobody” and “tlsdate” is purely cosmetic.

>>> +       #:phases (modify-phases %standard-phases
>>> +                  (add-after 'unpack 'set-cert-path
>>> +                    ;; Use the system certificate store, not the
>>> +                    ;; application bundled certificates.
>>> +                    (lambda _
>>> +                      (substitute* "Makefile.am"
>>> +                        
>>> (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>>> +                         "/etc/ssl/certs/ca-certificates.crt"))))
>>
>> I sympathize with this but this may or may not work on foreign distros.
>> Still, it’s probably better (this ‘tlsdata-ca-roots.conf’ file seems to
>> be a 4-year old copy from Mozilla’s NSS).
>>
>> WDYT?
>>
>> Thanks,
>> Ludo’.
>>
>
> I don't really like the current way to setenv everything, but is
> this something we could do here to keep other distros happy? if
> so, what's a good suggestion how to apply this?

Actually there’s an even better option: add a dependency on ‘nss-certs’
and change the above substitution to refer to it.  This would always
work.

Problem is ‘nss-certs’ doesn’t have the single-file certificate bundle
so you’d have to create that, essentially by duplicating
‘ca-certificate-bundle’ from (guix profiles).

Could you do that?

Thanks!

Ludo’.