Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
From: Ludovic Courtès
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 13:43:38 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)
Mark H Weaver <address@hidden> skribis:
> address@hidden (Ludovic Courtès) writes:
>
>> Mark H Weaver <address@hidden> skribis:
>>
>>> In order to support multiple packages containing CA certs, it would be
>>> good to handle creation of the single-file cert bundle in the profile
>>> generation code, analogous to our handling of info "dir" files. This
>>> would allow us to create additional cert packages (e.g. one for
>>> CAcert.org).
>>>
>>> I think it belongs in the profile generation code for the benefit of
>>> users running Guix packages on top of another distro, where they might
>>> not have root access. They can simply set GIT_SSL_CAINFO and
>>> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>>>
>>> What do you think?
>>
>> It’s a good but as of yet unimplemented idea.
>>
>> Although I now realize we could perhaps simply move the
>> ‘certificate-bundle’ procedure to (guix profile), add the certificate
>> package to the system profile, and make /etc/ssl a symlink to
>> /run/current-system/profile/etc/ssl.
>
> I've attached patches that implement this. They assume that 993300f and
> e979e6d are first reverted. Comments and suggestions welcome.
Both look good to me.
> It would also be good to add search-path-specifications for
> SSL_CERT_FILE to 'openssl' and GIT_SSL_CAINFO to 'git' in core-updates,
> but I'm not sure how best to do that. Would you be willing to do it,
> Ludovic?
I just checked the source and OpenSSL itself does not use SSL_CERT_FILE
nor SSL_CERT_DIR at all. Lynx does use SSL_CERT_FILE, but that’s really
in Lynx, not in libssl. So I don’t think there should be a search path
specification for OpenSSL. This is unfortunate, but it looks like we
can’t do much.
We could add that variable to Lynx itself, but it’s not actually a
search path but just a file name.
Thoughts?
> +# These variables are honored by OpenSSL (libssl) and Git.
Replace “OpenSSL (libssl)” by “some applications such as Lynx”.
Thanks,
Ludo’.
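The bundle generation Mark describes above (concatenating the certificate files of every cert package into one ~/.guix-profile/etc/ssl/ca-certificates.crt that SSL_CERT_FILE and GIT_SSL_CAINFO can point at), as an added shell example that is not part of the thread's patches or of Guix itself; the directory layout, the function names and the placeholder PEM blocks are assumptions:

```shell
#!/bin/sh
# Added example (not the thread's patches): assemble one CA bundle file from
# several package outputs, as the profile hook discussed above would.  Paths,
# names and the placeholder PEM blocks below are constructed assumptions.
set -eu
# build_ca_bundle OUTPUT DIR...: concatenate every DIR/etc/ssl/certs/*.pem into
# OUTPUT, keeping only complete BEGIN/END CERTIFICATE blocks (a stray key is
# dropped) and skipping exact duplicates when two packages ship the same root.
# OUTPUT is the file SSL_CERT_FILE / GIT_SSL_CAINFO would point at.
build_ca_bundle() {
  out=$1; shift
  mkdir -p "$(dirname "$out")"
  for dir in "$@"; do
    for pem in "$dir"/etc/ssl/certs/*.pem; do
      [ -f "$pem" ] || continue
      cat "$pem"
    done
  done | awk '
    /^-----BEGIN CERTIFICATE-----$/ { blk = $0 "\n"; inblk = 1; next }
    inblk { blk = blk $0 "\n" }
    inblk && /^-----END CERTIFICATE-----$/ {
      inblk = 0
      if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
    }' > "$out"
}
# count_certs FILE: number of certificate blocks in FILE (0 if none).
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true; }
# fake_cert LABEL: a placeholder PEM block (constructed, not a real certificate).
fake_cert() {
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}
# make_sample_packages ROOT: two constructed "package outputs"; pkg2 repeats one
# of pkg1's roots and carries a private key that must stay out of the bundle.
make_sample_packages() {
  mkdir -p "$1/pkg1/etc/ssl/certs" "$1/pkg2/etc/ssl/certs"
  fake_cert CONSTRUCTED-ROOT-A > "$1/pkg1/etc/ssl/certs/a.pem"
  fake_cert CONSTRUCTED-ROOT-B > "$1/pkg1/etc/ssl/certs/b.pem"
  fake_cert CONSTRUCTED-ROOT-B > "$1/pkg2/etc/ssl/certs/b-again.pem"
  { fake_cert CONSTRUCTED-ROOT-C
    printf '%s\nNOT-A-CERT\n%s\n' '-----BEGIN PRIVATE KEY-----' '-----END PRIVATE KEY-----'
  } > "$1/pkg2/etc/ssl/certs/c.pem"
}
# Stand-alone run: expect 3 certificates (A, B, C); the duplicate B is dropped.
root=$(mktemp -d); make_sample_packages "$root"
build_ca_bundle "$root/profile/etc/ssl/ca-certificates.crt" "$root/pkg1" "$root/pkg2"
echo "bundle has $(count_certs "$root/profile/etc/ssl/ca-certificates.crt") certificates"; rm -rf "$root"
```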