[1/2] gnu: tlsdate: Use the system provided certificate store.

Message ID 20161205182014.5155-2-ng0@libertad.pw
State New

Commit Message

ng0 Dec. 5, 2016, 6:20 p.m. UTC
* gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged user and group.
[arguments]: Build with the system provided certificates in a new phase.
---
 gnu/packages/ntp.scm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Comments

Ludovic Courtès Dec. 7, 2016, 10:19 p.m. UTC | #1
Hello!

ng0 <ng0@libertad.pw> skribis:

> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged user and group.
> [arguments]: Build with the system provided certificates in a new phase.

[...]

> +     '(#:configure-flags '("--with-unpriv-user=tlsdate"
> +                           "--with-unpriv-group=tlsdate")

Why?  I think the default is nobody/nogroup, which is fine no?

> +       #:phases (modify-phases %standard-phases
> +                  (add-after 'unpack 'set-cert-path
> +                    ;; Use the system certificate store, not the
> +                    ;; application bundled certificates.
> +                    (lambda _
> +                      (substitute* "Makefile.am"
> +                        (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
> +                         "/etc/ssl/certs/ca-certificates.crt"))))

I sympathize with this but this may or may not work on foreign distros.
Still, it’s probably better (this ‘tlsdate-ca-roots.conf’ file seems to
be a 4-year old copy from Mozilla’s NSS).

WDYT?

Thanks,
Ludo’.
ng0 Dec. 7, 2016, 11:40 p.m. UTC | #2
Ludovic Courtès <ludo@gnu.org> writes:

> Hello!
>
> ng0 <ng0@libertad.pw> skribis:
>
>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged user and group.
>> [arguments]: Build with the system provided certificates in a new phase.
>
> [...]
>
>> +     '(#:configure-flags '("--with-unpriv-user=tlsdate"
>> +                           "--with-unpriv-group=tlsdate")
>
> Why?  I think the default is nobody/nogroup, which is fine no?

I'm not sure if this is still fine when tlsdated is run. But I'll
figure out soon.

>> +       #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'set-cert-path
>> +                    ;; Use the system certificate store, not the
>> +                    ;; application bundled certificates.
>> +                    (lambda _
>> +                      (substitute* "Makefile.am"
>> +                        (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>> +                         "/etc/ssl/certs/ca-certificates.crt"))))
>
> I sympathize with this but this may or may not work on foreign distros.
> Still, it’s probably better (this ‘tlsdate-ca-roots.conf’ file seems to
> be a 4-year old copy from Mozilla’s NSS).
>
> WDYT?
>
> Thanks,
> Ludo’.
>

I don't really like the current way to setenv everything, but is
this something we could do here to keep other distros happy? If
so, what's a good suggestion on how to apply this?
Ludovic Courtès Dec. 8, 2016, 9:35 a.m. UTC | #3
ng0 <ng0@libertad.pw> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello!
>>
>> ng0 <ng0@libertad.pw> skribis:
>>
>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged user and group.
>>> [arguments]: Build with the system provided certificates in a new phase.
>>
>> [...]
>>
>>> +     '(#:configure-flags '("--with-unpriv-user=tlsdate"
>>> +                           "--with-unpriv-group=tlsdate")
>>
>> Why?  I think the default is nobody/nogroup, which is fine no?

s/I think//

> I'm not sure if this is still fine when tlsdated is run. But I'll
> figure out soon.

Right.  The choice between “nobody” and “tlsdate” is purely cosmetic.

>>> +       #:phases (modify-phases %standard-phases
>>> +                  (add-after 'unpack 'set-cert-path
>>> +                    ;; Use the system certificate store, not the
>>> +                    ;; application bundled certificates.
>>> +                    (lambda _
>>> +                      (substitute* "Makefile.am"
>>> +                        (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>>> +                         "/etc/ssl/certs/ca-certificates.crt"))))
>>
>> I sympathize with this but this may or may not work on foreign distros.
>> Still, it’s probably better (this ‘tlsdate-ca-roots.conf’ file seems to
>> be a 4-year old copy from Mozilla’s NSS).
>>
>> WDYT?
>>
>> Thanks,
>> Ludo’.
>>
>
> I don't really like the current way to setenv everything, but is
> this something we could do here to keep other distros happy? If
> so, what's a good suggestion on how to apply this?

Actually there’s an even better option: add a dependency on ‘nss-certs’
and change the above substitution to refer to it.  This would always
work.

Problem is ‘nss-certs’ doesn’t have the single-file certificate bundle
so you’d have to create that, essentially by duplicating
‘ca-certificate-bundle’ from (guix profiles).

Could you do that?

Thanks!

Ludo’.
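The approach Ludovic sketches above, as an added example that is not part of this thread and not Guix’s own tlsdate package: a build phase that concatenates the PEM files of an ‘nss-certs’ input into a single bundle under the package’s own output and points Makefile.am at that bundle instead of at a path outside the store. It assumes ‘nss-certs’ is listed in the package’s inputs and installs its certificates as etc/ssl/certs/*.pem (check with ‘ls $(guix build nss-certs)/etc/ssl/certs’); the phase name and the output path etc/ssl/certs/ca-certificates.crt are this example’s own choices. The ‘find-files’, ‘mkdir-p’, ‘dump-port’ and ‘substitute*’ procedures come from (guix build utils), which gnu-build-system already provides on the build side.

```scheme
;; Added example, not code from the patch or from Guix.  Drop-in for the
;; #:phases argument of the tlsdate package; the existing 'autogen phase
;; follows it with (add-after 'set-cert-path 'autogen ...) as in the patch.
;; Assumes an input named "nss-certs" that ships etc/ssl/certs/*.pem.
(modify-phases %standard-phases
  (add-after 'unpack 'set-cert-path
    (lambda* (#:key inputs outputs #:allow-other-keys)
      (let* ((out    (assoc-ref outputs "out"))
             (certs  (assoc-ref inputs "nss-certs"))
             ;; Bundle lives in this package's output, so it is part of
             ;; the closure and identical on Guix System and foreign distros.
             (bundle (string-append out "/etc/ssl/certs/ca-certificates.crt"))
             (pems   (find-files (string-append certs "/etc/ssl/certs")
                                 "\\.pem$")))
        (mkdir-p (dirname bundle))
        ;; Concatenate every PEM file into one bundle, in a fixed order so
        ;; the result is reproducible; this mirrors what
        ;; 'ca-certificate-bundle' in (guix profiles) does for profiles.
        (call-with-output-file bundle
          (lambda (port)
            (for-each (lambda (pem)
                        (call-with-input-file pem
                          (lambda (in) (dump-port in port))))
                      (sort pems string<?))))
        ;; substitute* patterns are extended regexps, so '$', '(', ')' and
        ;; '.' must be escaped or the literal Makefile.am text never matches.
        (substitute* "Makefile.am"
          (("\\$\\(sysconfdir\\)/tlsdate/ca-roots/tlsdate-ca-roots\\.conf")
           bundle))
        ;; Fail loudly if the substitution did not happen: substitute*
        ;; itself is silent when nothing matches.
        (unless (string-contains (call-with-input-file "Makefile.am"
                                   (lambda (in) (get-string-all in)))
                                 bundle)
          (error "tlsdate CA path substitution did not match"))
        #t))))
```

Because the phase runs before 'autogen, the edited Makefile.am is what autoreconf and configure see, and the check at the end turns a silently unchanged Makefile.am into a build failure rather than a binary that quietly keeps using the bundled roots. ‘get-string-all’ is from (ice-9 textual-ports); add that module to #:modules if the build side does not already import it.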
Patch

diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm
index 13781fbda..45f334b57 100644
--- a/gnu/packages/ntp.scm
+++ b/gnu/packages/ntp.scm
@@ -4,6 +4,7 @@ 
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 ng0 <ng0@libertad.pw>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -134,8 +135,17 @@  minimalist than ntpd.")
               (file-name (string-append name "-" version "-checkout"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (modify-phases %standard-phases
-                  (add-after 'unpack 'autogen
+     '(#:configure-flags '("--with-unpriv-user=tlsdate"
+                           "--with-unpriv-group=tlsdate")
+       #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'set-cert-path
+                    ;; Use the system certificate store, not the
+                    ;; application bundled certificates.
+                    (lambda _
+                      (substitute* "Makefile.am"
+                        (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
+                         "/etc/ssl/certs/ca-certificates.crt"))))
+                  (add-after 'set-cert-path 'autogen
                     (lambda _
                       ;; The ancestor of 'SOURCE_DATE_EPOCH'; it contains the
                       ;; date that is recorded in binaries.  It must be a
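Review bot: the substitute* pattern `(("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")` is compiled as an extended regexp, so `$` is an end-of-line anchor, `(sysconfdir)` a group and `.` a wildcard; it cannot match the literal text in Makefile.am, and substitute* does not fail when nothing matches, so the build would succeed with the bundled tlsdate-ca-roots.conf still in use. Escape the metacharacters, e.g. `"\\$\\(sysconfdir\\)/tlsdate/ca-roots/tlsdate-ca-roots\\.conf"`, and have the phase check that the replacement path now appears in Makefile.am so a non-match fails the build. Separately, the replacement `"/etc/ssl/certs/ca-certificates.crt"` is a path outside the store that this package neither provides nor depends on, so whether tlsdate can verify anything at runtime depends on the host; deriving the bundle from an input, as the thread discusses, keeps that dependency explicit in the closure. The reordering to `(add-after 'set-cert-path 'autogen` is correct, since Makefile.am must be edited before autoreconf runs.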