Re: Should we include nss-certs out of the box?

[Ludovic Courtès]

Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> It's been Guix policy to let people choose whether to install or not TLS
> root certificates and which one to their machine.  While I applaud the
> idea to have the users make a conscious decision about it, in practice I
> suppose very few of us choose to *not* install any as that basically
> breaks using web browsers, especially ones like IceCat which (by
> default) ensures HTTPS is used on every page.

Right.

> It apparently even makes it impossible to run 'guix pull', if I am to
> believe bug#62026.

I don’t think that’s the case: see use of ‘le-certs’ in (guix scripts
pull).

> Should we do as in bug#62026 and have this package be part of the
> recommended basic installation?  It'd be in the basic set of an
> operating-system packages (via its default %base-packages set).  It
> could still be manipulated via the Guix API (filtered out/replaced with
> something else).
>
> Is anyone opposed to having nss-certs in %base-packages?

No objection from me.  I’m partly responsible for the initial choice to
not include nss-certs by default, but as you write, most likely everyone
installs it these days.

Note that we’ll also need to remove that choice from the installer in
(gnu installer services).

Thanks!

Ludo’.