| Message ID | 20160611205128.GA23445@khazad-dum |
|---|---|
| State | Dropped |
| Headers | show |
Hello,
On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote:
> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/
my impression is that this absolute path does not do what we would like
it to. Optimally, the user would decide, by installing a certificate bundle
into the profile, which certificates to use. And on a foreign distro, the
random certificate bundle in /etc/ssl/certs, which does not come from Guix,
would be used by the Guix gnurl, which would be surprising.
Andreas
On 2016-06-12(04:22:15+0200), Andreas Enge wrote: > Hello, > > On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote: > > * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/ > > my impression is that this absolute path does not do what we would like > it to. Optimally, the user would decide, by installing a certificate bundle > into the profile, which certificates to use. And on a foreign distro, the > random certificate bundle in /etc/ssl/certs, which does not come from Guix, > would be used by the Guix gnurl, which would be surprising. > > Andreas It is not entirely clear to me anymore why this was suggested to me in the past 4 months. I am aware of the differences, so maybe this could point to where ever the /ssl/certs/ are? When you know that gnurl does not need this, we're all good without this change. Gnurl so far is just curl with some project recommended build switches, so if guix' curl detects the ssl/certs/ dir, gnurl should too. -- ♥Ⓐ ng0 For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion
Hi, Andreas Enge <andreas@enge.fr> skribis: > On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote: >> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/ > > my impression is that this absolute path does not do what we would like > it to. Optimally, the user would decide, by installing a certificate bundle > into the profile, which certificates to use. And on a foreign distro, the > random certificate bundle in /etc/ssl/certs, which does not come from Guix, > would be used by the Guix gnurl, which would be surprising. Besides, our cURL and Gnurl packages are linked against GnuTLS, which is itself configured with ‘--with-default-trust-store-dir=/etc/ssl/certs’. Does ‘--with-ca-path’ change anything to that? Thanks, Ludo’.
On 2016-06-13(04:43:32+0200), Ludovic Courtès wrote: > Hi, > > Andreas Enge <andreas@enge.fr> skribis: > > > On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote: > >> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/ > > > > my impression is that this absolute path does not do what we would like > > it to. Optimally, the user would decide, by installing a certificate bundle > > into the profile, which certificates to use. And on a foreign distro, the > > random certificate bundle in /etc/ssl/certs, which does not come from Guix, > > would be used by the Guix gnurl, which would be surprising. > > Besides, our cURL and Gnurl packages are linked against GnuTLS, which is > itself configured with ‘--with-default-trust-store-dir=/etc/ssl/certs’. > > Does ‘--with-ca-path’ change anything to that? > > Thanks, > Ludo’. > I strongly assume that with those set, --with-ca-path is unnecessary. This is something which Jookia came up with, I had it sitting in the work in progress patches. I know patches are now tracked in patchworks, can they be closed via Email, or do I have to sign up? Else someone who already is signed up can close this, as from my perspective this is done. -- ♥Ⓐ ng0 For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion
ng0 <ng0@we.make.ritual.n0.is> skribis: > On 2016-06-13(04:43:32+0200), Ludovic Courtès wrote: >> Hi, >> >> Andreas Enge <andreas@enge.fr> skribis: >> >> > On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote: >> >> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/ >> > >> > my impression is that this absolute path does not do what we would like >> > it to. Optimally, the user would decide, by installing a certificate bundle >> > into the profile, which certificates to use. And on a foreign distro, the >> > random certificate bundle in /etc/ssl/certs, which does not come from Guix, >> > would be used by the Guix gnurl, which would be surprising. >> >> Besides, our cURL and Gnurl packages are linked against GnuTLS, which is >> itself configured with ‘--with-default-trust-store-dir=/etc/ssl/certs’. >> >> Does ‘--with-ca-path’ change anything to that? >> >> Thanks, >> Ludo’. >> > > I strongly assume that with those set, --with-ca-path is unnecessary. Fine. :-) > I know patches are now tracked in patchworks, can they be closed via > Email, or do I have to sign up? Else someone who already is signed up > can close this, as from my perspective this is done. I think one has to login, which is quite inconvenient. Ludo’.
From 4d5661ac66940e2583c5bef07bc6a8832af92208 Mon Sep 17 00:00:00 2001 From: ng0 <ng0@we.make.ritual.n0.is> Date: Sat, 11 Jun 2016 20:44:31 +0000 Subject: [PATCH] gnu: gnurl: Add CA path. * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/ --- gnu/packages/gnunet.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm index c4e2a37..6b7fb65 100644 --- a/gnu/packages/gnunet.scm +++ b/gnu/packages/gnunet.scm @@ -181,7 +181,8 @@ and support for SSL3 and TLS.") "--disable-ldap" "--disable-rtsp" "--disable-dict" "--disable-telnet" "--disable-tftp" "--disable-pop3" "--disable-imap" "--disable-smtp" "--disable-gopher" - "--disable-file" "--disable-ftp") + "--disable-file" "--disable-ftp" + "--with-ca-path=/etc/ssl/certs/") #:test-target "test" #:parallel-tests? #f ;; We have to patch runtests.pl in tests/ directory -- 2.7.3
From 4d5661ac66940e2583c5bef07bc6a8832af92208 Mon Sep 17 00:00:00 2001 From: ng0 <ng0@we.make.ritual.n0.is> Date: Sat, 11 Jun 2016 20:44:31 +0000 Subject: [PATCH] gnu: gnurl: Add CA path. * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/ --- gnu/packages/gnunet.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.7.3 -- ♥Ⓐ ng0 For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion