gnurl: add CA path to configure-flags

Message ID 20160611205128.GA23445@khazad-dum
State Dropped

Commit Message

non such June 11, 2016, 8:51 p.m. UTC
From 4d5661ac66940e2583c5bef07bc6a8832af92208 Mon Sep 17 00:00:00 2001
From: ng0 <ng0@we.make.ritual.n0.is>
Date: Sat, 11 Jun 2016 20:44:31 +0000
Subject: [PATCH] gnu: gnurl: Add CA path.

* gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/
---
 gnu/packages/gnunet.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--
2.7.3



--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion

Comments

Andreas Enge June 12, 2016, 2:22 p.m. UTC | #1
Hello,

On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote:
> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/

my impression is that this absolute path does not do what we would like
it to. Optimally, the user would decide, by installing a certificate bundle
into the profile, which certificates to use. And on a foreign distro, the
random certificate bundle in /etc/ssl/certs, which does not come from Guix,
would be used by the Guix gnurl, which would be surprising.

Andreas
non such June 12, 2016, 3:56 p.m. UTC | #2
On 2016-06-12(04:22:15+0200), Andreas Enge wrote:
> Hello,
>
> On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote:
> > * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/
>
> my impression is that this absolute path does not do what we would like
> it to. Optimally, the user would decide, by installing a certificate bundle
> into the profile, which certificates to use. And on a foreign distro, the
> random certificate bundle in /etc/ssl/certs, which does not come from Guix,
> would be used by the Guix gnurl, which would be surprising.
>
> Andreas

It is not entirely clear to me anymore why this was suggested to me
in the past 4 months.
I am aware of the differences, so maybe this could point to
wherever the /ssl/certs/ are?

When you know that gnurl does not need this, we're all good without
this change.
Gnurl so far is just curl with some project recommended build switches,
so if guix' curl detects the ssl/certs/ dir, gnurl should too.

--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
Ludovic Courtès June 13, 2016, 2:43 p.m. UTC | #3
Hi,

Andreas Enge <andreas@enge.fr> skribis:

> On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote:
>> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/
>
> my impression is that this absolute path does not do what we would like
> it to. Optimally, the user would decide, by installing a certificate bundle
> into the profile, which certificates to use. And on a foreign distro, the
> random certificate bundle in /etc/ssl/certs, which does not come from Guix,
> would be used by the Guix gnurl, which would be surprising.

Besides, our cURL and Gnurl packages are linked against GnuTLS, which is
itself configured with ‘--with-default-trust-store-dir=/etc/ssl/certs’.

Does ‘--with-ca-path’ change anything to that?

Thanks,
Ludo’.
non such June 13, 2016, 3:38 p.m. UTC | #4
On 2016-06-13(04:43:32+0200), Ludovic Courtès wrote:
> Hi,
>
> Andreas Enge <andreas@enge.fr> skribis:
>
> > On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote:
> >> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/
> >
> > my impression is that this absolute path does not do what we would like
> > it to. Optimally, the user would decide, by installing a certificate bundle
> > into the profile, which certificates to use. And on a foreign distro, the
> > random certificate bundle in /etc/ssl/certs, which does not come from Guix,
> > would be used by the Guix gnurl, which would be surprising.
>
> Besides, our cURL and Gnurl packages are linked against GnuTLS, which is
> itself configured with ‘--with-default-trust-store-dir=/etc/ssl/certs’.
>
> Does ‘--with-ca-path’ change anything to that?
>
> Thanks,
> Ludo’.
>

I strongly assume that with those set, --with-ca-path is unnecessary.

This is something which Jookia came up with, I had it sitting in the
work in progress patches.


I know patches are now tracked in patchworks, can they be closed via
Email, or do I have to sign up? Else someone who already is signed up
can close this, as from my perspective this is done.

--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
Ludovic Courtès June 14, 2016, 10:12 a.m. UTC | #5
ng0 <ng0@we.make.ritual.n0.is> skribis:

> On 2016-06-13(04:43:32+0200), Ludovic Courtès wrote:
>> Hi,
>>
>> Andreas Enge <andreas@enge.fr> skribis:
>>
>> > On Sat, Jun 11, 2016 at 08:51:28PM +0000, ng0 wrote:
>> >> * gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/
>> >
>> > my impression is that this absolute path does not do what we would like
>> > it to. Optimally, the user would decide, by installing a certificate bundle
>> > into the profile, which certificates to use. And on a foreign distro, the
>> > random certificate bundle in /etc/ssl/certs, which does not come from Guix,
>> > would be used by the Guix gnurl, which would be surprising.
>>
>> Besides, our cURL and Gnurl packages are linked against GnuTLS, which is
>> itself configured with ‘--with-default-trust-store-dir=/etc/ssl/certs’.
>>
>> Does ‘--with-ca-path’ change anything to that?
>>
>> Thanks,
>> Ludo’.
>>
>
> I strongly assume that with those set, --with-ca-path is unnecessary.

Fine.  :-)

> I know patches are now tracked in patchworks, can they be closed via
> Email, or do I have to sign up? Else someone who already is signed up
> can close this, as from my perspective this is done.

I think one has to log in, which is quite inconvenient.

Ludo’.

Patch

From 4d5661ac66940e2583c5bef07bc6a8832af92208 Mon Sep 17 00:00:00 2001
From: ng0 <ng0@we.make.ritual.n0.is>
Date: Sat, 11 Jun 2016 20:44:31 +0000
Subject: [PATCH] gnu: gnurl: Add CA path.

* gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/
---
 gnu/packages/gnunet.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index c4e2a37..6b7fb65 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -181,7 +181,8 @@  and support for SSL3 and TLS.")
                           "--disable-ldap" "--disable-rtsp" "--disable-dict"
                           "--disable-telnet" "--disable-tftp" "--disable-pop3"
                           "--disable-imap" "--disable-smtp" "--disable-gopher"
-                          "--disable-file" "--disable-ftp")
+                          "--disable-file" "--disable-ftp"
+                          "--with-ca-path=/etc/ssl/certs/")
      #:test-target "test"
      #:parallel-tests? #f
      ;; We have to patch runtests.pl in tests/ directory
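Review bot: the added "--with-ca-path=/etc/ssl/certs/" line in the gnurl configure flags hard-codes an absolute host path with no comment explaining why gnurl needs it, so a reader of gnunet.scm cannot tell whether the flag is required or left over. Either drop the flag or put a comment above it stating what fails without it and why /etc/ssl/certs/ is the right directory for this package. The log entry "* gnurl(configure-flags): --with-ca-path=/etc/ssl/certs/" also omits the file name gnu/packages/gnunet.scm and gives no reason for the change; an entry such as "* gnu/packages/gnunet.scm (gnurl): Add '--with-ca-path' to the configure flags." followed by one sentence of rationale would make the intent reviewable.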
-- 
2.7.3