[bug#54796] [PATCH v3 03/22] gnu: Add erlang-certifi.

[Maxime Devos]

Hartmut Goebel schreef op vr 08-04-2022 om 19:03 [+0200]:
> +    (description "This Erlang library contains a CA bundle that you can
> +reference in your Erlang application.  This is useful for systems that do not
> +have CA bundles that Erlang can find itself, or where a uniform set of CAs is
> +valuable.
> +
> +This an Erlang specific port of certifi.  The CA bundle is derived from

Can this bundle be built from 'nss-certs', such that when nss-certs is
updated (e.g. Mozilla revokes a root certificate due to reasons),
erlang-certifi is up-to-date as well?

Also, if Erlang supports some kind of static linking, then a package
like this might be useful for people wanting to make static binaries to
distribute to (non-Guix) systems.

However, adding packages like nss-certs to the package inputs is
avoided in favour of SSL_CERT_DIR/SSL_CERT_FILE / /etc/ssl/certs, to
avoid rebuilds (*) when nss-certs is updated and because people might
want to use a different set of root certificates (e.g., le-certs, none,
or a list of (non-CA) certificates for a few individual sites).

As such, can this package be avoided as dependency?

Also see:

  * https://issues.guix.gnu.org/54434#8
    (tzdata instead of nss-certs, but same principle)
  * https://lists.gnu.org/archive/html/guix-devel/2017-01/msg00516.html
    (about rebuilds)
  * https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00277.html
    (some security reasons for not including nss-certs in the inputs
    or even the user profile)

(*) nowaday it is less of a concern because of grafting, but grafting
can take a long time.

Greetings,
Maxime.

signature.asc
Description: This is a digitally signed message part