[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GnuTLS and the “trust store”

From: Ludovic Courtès
Subject: GnuTLS and the “trust store”
Date: Wed, 04 Jan 2017 21:40:42 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)


Marius Bakke <address@hidden> skribis:

> Marius Bakke <address@hidden> writes:
>> ng0 <address@hidden> writes:
>>> * gnu/packages/curl.scm (curl)[arguments]: Add "--with-ca-bundle" configure 
>>> flag.


> I realized shortly after posting why this wasn't done already. Curl has
> 1403 dependent packages, which would apply for "nss-certs" as well if
> that is added as input. Obviously we want to be able to update TLS
> certificates quickly without rebuilding ~1/4 of the tree.

Indeed.  It’s a situation where we do not want to have a static binding
between cURL and nss-certs; instead, they should be composed
dynamically, along the lines of what we already recommend at:

cURL depends on GnuTLS, and GnuTLS doesn’t honor an environment variable
like ‘SSL_CERT_DIR’.  Its recipe has this comment:

         ;; GnuTLS doesn't consult any environment variables to specify
         ;; the location of the system-wide trust store.  Instead it has a
         ;; configure-time option.  Unless specified, its configure script
         ;; attempts to auto-detect the location by looking for common
         ;; places in the file system, none of which are present in our
         ;; chroot build environment.  If not found, then no default trust
         ;; store is used, so each program has to provide its own
         ;; fallback, and users have to configure each program
         ;; independently.  This seems suboptimal.

Original discussion:


reply via email to

[Prev in Thread] Current Thread [Next in Thread]