guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store

From: Ludovic Courtès
Subject: Re: [PATCH] gnu: gnutls: Configure location of system-wide trust store
Date: Wed, 19 Feb 2014 22:52:20 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux) 
Andreas Enge <address@hidden> skribis:

> On Wed, Feb 19, 2014 at 02:40:42PM +0100, Ludovic Courtès wrote:
>> So, all in all, while this is not ideal, using this configure flag to
>> point to /etc/ssl/... sounds like a viable option to me.  It’s
>> consistent with what other distros do, and it’s what we want to do
>> eventually.
>> 
>> (Also, I think it’s time to really take the final system as the primary
>> use case.)
>
> The next question is, where do these certificates come from in our system?
> I think a reasonable solution would be to:
> - create a package with certificates (maybe inspired from those contained
>   in debian);

Definitely.

> - have gnutls depend on it, and use the gnutls configure flag to point to
>   /nix/store/xxx-our-certificates/etc/ssl/... .
>
> I think this would be more in line with our approach than pointing to /etc.
> Also, if a certificate gets compromised and is withdrawn from the certificate
> package, this would force gnutls and all its dependencies to be recompiled.
>
> What do you think?

That’s the solution I would prefer in many cases.

However, the last point you mention (having to rebuild GnuTLS et
al. when a certificate changes) seems to me like a drawback, because it
makes it unnecessarily costly (storage, bandwidth, time) to deploy a new
certificate bundle.

One way to address that would be to have /etc/ssl/... be a Guix-managed
symlink to /nix/store/...-certificates (this is +/- what NixOS does.)

How does that sound?

Thanks,
Ludo’.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]