Re: Certificates in pure and containerized environments

From: Konrad Hinsen
Date: Mon, 04 Oct 2021 11:37:17 +0200

Hi Wiktór and Simon,

thanks for shedding some light on this strange behavior. After some more
exploration, the fundamental issue seems to be that many packages use
certificates but only a very small number declare a dependence on
nss-certs. In fact, nss-certs has only three direct dependents (icedtea,
ldns, and pypy) and 115 additional indirect dependents.  That includes
r-reqon from Simon's example, which depends on icedtea via r-rjava and

A radical fix would be to make openssl dependent on nss-certs. But
openssl really depends on the availability of some collection of
certificates, not on any specific one. Nor do icedtea, ldns, or pypy.

Some packages (e.g. openssl or curl) have a `native-search-paths`
declaration that also seems to have the desired effect. The following
environment contains SSL_CERT_DIR as well:

   guix environment --pure --ad-hoc python nss-certs openssl

Python actually lists openssl as a dependency, but that is apparently
not sufficient to propagate the environment variables.

Anyway, this looks like the best workaround for me for now: adding
openssl to my environment. It adds no software package to my
environment, only environment variables and an executable on $PATH.

Thanks again,
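
An added example, not part of the original message: a shell check that tells whether the current environment exposes a usable certificate store through `SSL_CERT_DIR`, the variable discussed above. Assumptions: the function names `usable_cert_dirs` and `check_trust_store` are made up for this illustration, and `SSL_CERT_FILE` is OpenSSL's companion variable for a single bundle file, which the message does not mention.

```shell
# Added example: functions to run inside the environment under test.

# Print each directory of a colon-separated list that contains at least one
# certificate-looking entry: *.pem, *.crt, or an OpenSSL hash link (abcd1234.0).
usable_cert_dirs() {
    local list="$1" dir f
    local IFS=':'
    for dir in $list; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.[0-9]; do
            # -e follows symlinks, so dangling links do not count.
            if [ -e "$f" ]; then
                printf '%s\n' "$dir"
                break
            fi
        done
    done
    return 0
}

# Exit status: 0 = certificates reachable, 1 = variables set but nothing
# usable behind them, 2 = neither variable set.
check_trust_store() {
    local file="${SSL_CERT_FILE:-}" dirs="${SSL_CERT_DIR:-}" found
    if [ -z "$file" ] && [ -z "$dirs" ]; then
        echo "neither SSL_CERT_FILE nor SSL_CERT_DIR is set" >&2
        return 2
    fi
    if [ -n "$file" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null; then
        echo "bundle file: $file"
        return 0
    fi
    found=$(usable_cert_dirs "$dirs")
    if [ -n "$found" ]; then
        echo "certificate directories:"
        echo "$found"
        return 0
    fi
    echo "variables are set but no certificates were found" >&2
    return 1
}
```

Source the file inside the environment and call `check_trust_store`; a non-zero status means TLS clients there have no trust anchors to verify against.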

