guix-devel

Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store


From: Andreas Enge
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Thu, 20 Feb 2014 20:39:02 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Concerning your and Mark's suggestions, I think the best solution would
be if GnuTLS looked in the user profile for certificates. As it does not,
I still think that my suggestion of considering the certificates as an
input is more in style: Admittedly, they are only data, but the functioning
of GnuTLS depends on them, as much as texlive carries its own data (not
in a separate package, as no other package needs to depend on it).

On Wed, Feb 19, 2014 at 10:52:20PM +0100, Ludovic Courtès wrote:
> One way to address that would be to have /etc/ssl/... be a Guix-managed
> symlink to /nix/store/...-certificates (this is +/- what NixOS does.)
> How does that sound?

That is certainly a possibility.

On Thu, Feb 20, 2014 at 01:01:56PM -0500, Mark H Weaver wrote:
> I think you could make this argument for any program or library that
> looks for things in /etc.  For example, glibc looks in
> /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/passwd,
> /etc/group, etc.

I did not think about these cases, but I think there are limits... Moreover,
these files need to be dynamically changed (adapted to the machine etc.),
while certificates are just static data. So the analogy does not hold.

> However, one of the great things about Guix is that it's possible to
> keep a local branch with your own changes.  So, if you want to make a
> gnutls package with the trust store in a different location
> (/home/andreas/.certs or /nix/store/* or whatever), you can do that
> quite easily.  (I've started doing that myself, since my xterm changes
> were blocked.)

Well, it is not that I could not live with one or the other decision; I am
just taking part in the discussion and voicing my opinion.

Andreas



