Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.

From:	Ludovic Courtès
Subject:	Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.
Date:	Fri, 20 Jan 2017 14:31:48 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

ng0 <address@hidden> skribis:

> Ludovic Courtès <address@hidden> writes:
>
>> ng0 <address@hidden> skribis:
>>
>>> Ludovic Courtès <address@hidden> writes:
>>>
>>>> Hello!
>>>>
>>>> ng0 <address@hidden> skribis:
>>>>
>>>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged 
>>>>> user and group.
>>>>> [arguments]: Build with the system provided certificates in a new phase.
>>>>
>>>> [...]
>>>>
>>>>> +     '(#:configure-flags '("--with-unpriv-user=tlsdate"
>>>>> +                           "--with-unpriv-group=tlsdate")
>>>>
>>>> Why?  I think the default is nobody/nogroup, which is fine no?
>>
>> s/I think//
>>
>>> I'm not sure if this is still fine when tlsdated is run. But I'll
>>> figure out soon.
>>
>> Right.  The choice between “nobody” and “tlsdate” is purely cosmetic.
>>
>>>>> +       #:phases (modify-phases %standard-phases
>>>>> +                  (add-after 'unpack 'set-cert-path
>>>>> +                    ;; Use the system certificate store, not the
>>>>> +                    ;; application bundled certificates.
>>>>> +                    (lambda _
>>>>> +                      (substitute* "Makefile.am"
>>>>> +                        
>>>>> (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>>>>> +                         "/etc/ssl/certs/ca-certificates.crt"))))
>>>>
>>>> I sympathize with this but this may or may not work on foreign distros.
>>>> Still, it’s probably better (this ‘tlsdata-ca-roots.conf’ file seems to
>>>> be a 4-year old copy from Mozilla’s NSS).
>>>>
>>>> WDYT?
>>>>
>>>> Thanks,
>>>> Ludo’.
>>>>
>>>
>>> I don't really like the current way to setenv everything, but is
>>> this something we could do here to keep other distros happy? if
>>> so, what's a good suggestion how to apply this?
>>
>> Actually there’s an even better option: add a dependency on ‘nss-certs’
>> and change the above substitution to refer to it.  This would always
>> work.
>>
>> Problem is ‘nss-certs’ doesn’t have the single-file certificate bundle
>> so you’d have to create that, essentially by duplicating
>> ‘ca-certificate-bundle’ from (guix profiles).
>>
>> Could you do that?
>
> I agree this is a better approach. Is there an easy way (like import
> ca-certificate-bundle from module guix profiles) or do I have to
> really recreate it all in the ntp module in a phase of tlsdate
> where it can only be used by tlsdate again?

Hmm looks like there’s no easy way currently, sorry.  :-/
That will require a bit of fiddling.

Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store., ng0, 2017/01/18
- Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store., Ludovic Courtès <=

Prev by Date: Re: [PATCH 09/10] gnu: Add ocaml-js-build-tools.
Next by Date: Re: [PATCH] gnu: Add lsyncd.
Previous by thread: Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.
Next by thread: Stagit: Update to 0.5
Index(es):
- Date
- Thread