Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.

From:	ng0
Subject:	Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.
Date:	Wed, 18 Jan 2017 20:31:30 +0000

Ludovic Courtès <address@hidden> writes:

> ng0 <address@hidden> skribis:
>
>> Ludovic Courtès <address@hidden> writes:
>>
>>> Hello!
>>>
>>> ng0 <address@hidden> skribis:
>>>
>>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged 
>>>> user and group.
>>>> [arguments]: Build with the system provided certificates in a new phase.
>>>
>>> [...]
>>>
>>>> +     '(#:configure-flags '("--with-unpriv-user=tlsdate"
>>>> +                           "--with-unpriv-group=tlsdate")
>>>
>>> Why?  I think the default is nobody/nogroup, which is fine no?
>
> s/I think//
>
>> I'm not sure if this is still fine when tlsdated is run. But I'll
>> figure out soon.
>
> Right.  The choice between “nobody” and “tlsdate” is purely cosmetic.
>
>>>> +       #:phases (modify-phases %standard-phases
>>>> +                  (add-after 'unpack 'set-cert-path
>>>> +                    ;; Use the system certificate store, not the
>>>> +                    ;; application bundled certificates.
>>>> +                    (lambda _
>>>> +                      (substitute* "Makefile.am"
>>>> +                        
>>>> (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>>>> +                         "/etc/ssl/certs/ca-certificates.crt"))))
>>>
>>> I sympathize with this but this may or may not work on foreign distros.
>>> Still, it’s probably better (this ‘tlsdata-ca-roots.conf’ file seems to
>>> be a 4-year old copy from Mozilla’s NSS).
>>>
>>> WDYT?
>>>
>>> Thanks,
>>> Ludo’.
>>>
>>
>> I don't really like the current way to setenv everything, but is
>> this something we could do here to keep other distros happy? if
>> so, what's a good suggestion how to apply this?
>
> Actually there’s an even better option: add a dependency on ‘nss-certs’
> and change the above substitution to refer to it.  This would always
> work.
>
> Problem is ‘nss-certs’ doesn’t have the single-file certificate bundle
> so you’d have to create that, essentially by duplicating
> ‘ca-certificate-bundle’ from (guix profiles).
>
> Could you do that?

I agree this is a better approach. Is there an easy way (like import
ca-certificate-bundle from module guix profiles) or do I have to
really recreate it all in the ntp module in a phase of tlsdate
where it can only be used by tlsdate again?

> Thanks!
>
> Ludo’.
>

-- 
♥Ⓐ  ng0 -- https://www.inventati.org/patternsinthechaos/

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store., ng0 <=
- Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store., Ludovic Courtès, 2017/01/20

Prev by Date: [PATCH 09/10] gnu: Add ocaml-js-build-tools.
Next by Date: Re: [PATCH] gnu: Add kallisto.
Previous by thread: [PATCH 00/10] ocaml patches
Next by thread: Re: [PATCH 1/2] gnu: tlsdate: Use the system provided certificate store.
Index(es):
- Date
- Thread