On Wed, Feb 19, 2014 at 02:40:42PM +0100, Ludovic Courtès wrote:
> So, all in all, while this is not ideal, using this configure flag to
> point to /etc/ssl/... sounds like a viable option to me. It’s
> consistent with what other distros do, and it’s what we want to do
> eventually.
>
> (Also, I think it’s time to really take the final system as the primary
> use case.)
The next question is, where do these certificates come from in our system?
I think a reasonable solution would be to:
- create a package with certificates (maybe inspired by those contained in Debian);
- have gnutls depend on it, and use the gnutls configure flag to point to
  /nix/store/xxx-our-certificates/etc/ssl/... .

I think this would be more in line with our approach than pointing to /etc.
Also, if a certificate gets compromised and is withdrawn from the certificate
package, this would force gnutls and all its dependencies to be recompiled.

What do you think?

Andreas
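The trade-off raised above (a store-path reference makes the certificate bundle a build-time input of gnutls, while an /etc path keeps it out of the build) can be made concrete with a small model of a content-addressed store. The following is an added Python example, not code from this thread or from Guix or Nix: the store-path hashing is a deliberate simplification of what those tools compute (they hash derivations and encode in base32), the package names and the sample certificates are constructed, and the flag name used in the strings is assumed to be GnuTLS's `--with-default-trust-store-file`, which is what "this configure flag" in the thread is taken to mean.

```python
"""Toy content-addressed store: a package's path is a hash over its build
inputs.  Anything that names another package's store path by absolute path
therefore gets a new path (i.e. is rebuilt) when that package changes,
whereas a reference to /etc/ssl/... is just a constant string.
Simplification of Nix/Guix, constructed for illustration only."""
import hashlib
from typing import Dict, List, Tuple

STORE = "/nix/store"
TRUST_FLAG = "--with-default-trust-store-file"   # assumed GnuTLS option name


def store_path(name: str, *inputs: str) -> str:
    """Derive a store path whose hash covers every build input."""
    h = hashlib.sha256()
    for item in inputs:
        h.update(item.encode())
        h.update(b"\0")          # separator so two inputs cannot run together
    return f"{STORE}/{h.hexdigest()[:32]}-{name}"


def build_certs(certs: Dict[str, str]) -> Tuple[str, str]:
    """'Build' the certificate package: concatenate the PEM blobs in a fixed
    order (so the result is reproducible) and return (store path, bundle file)."""
    bundle = "".join(certs[n] for n in sorted(certs))
    path = store_path("our-certificates", bundle)
    return path, f"{path}/etc/ssl/certs/ca-certificates.crt"


def build_gnutls(trust_store_file: str) -> Tuple[str, str]:
    """'Build' gnutls with the trust-store location baked in at configure time.
    The flag text is a build input, so the store path depends on it."""
    flag = f"{TRUST_FLAG}={trust_store_file}"
    return store_path("gnutls", flag), flag


def build_dependent(name: str, gnutls_path: str) -> str:
    """Any package linked against gnutls references gnutls's store path."""
    return store_path(name, gnutls_path)


# Constructed sample certificates; the bodies are placeholders, not real PEM.
CERTS: Dict[str, str] = {
    "Good-CA.pem": "-----BEGIN CERTIFICATE-----\nGOODCA\n-----END CERTIFICATE-----\n",
    "Other-CA.pem": "-----BEGIN CERTIFICATE-----\nOTHERCA\n-----END CERTIFICATE-----\n",
    "Compromised-CA.pem": "-----BEGIN CERTIFICATE-----\nBADCA\n-----END CERTIFICATE-----\n",
}


def withdraw(certs: Dict[str, str], name: str) -> Dict[str, str]:
    """Return the certificate set with one certificate removed."""
    return {k: v for k, v in certs.items() if k != name}


def store_closure(certs: Dict[str, str]) -> Tuple[str, str, str]:
    """Variant proposed in the mail: gnutls points at the store path of the
    certificate package.  Returns (certs path, gnutls path, dependent path)."""
    certs_path, trust_file = build_certs(certs)
    gnutls_path, _ = build_gnutls(trust_file)
    return certs_path, gnutls_path, build_dependent("wget", gnutls_path)


def etc_closure(certs: Dict[str, str]) -> Tuple[str, str, str]:
    """Variant quoted from Ludovic: gnutls points at /etc/ssl/...; the
    certificate package is built but is not an input of gnutls."""
    certs_path, _ = build_certs(certs)
    gnutls_path, _ = build_gnutls("/etc/ssl/certs/ca-certificates.crt")
    return certs_path, gnutls_path, build_dependent("wget", gnutls_path)


def paths_changed(before: Tuple[str, ...], after: Tuple[str, ...]) -> List[bool]:
    """Which store paths differ between two builds of the same closure."""
    return [b != a for b, a in zip(before, after)]


def withdrawal_effect(closure) -> List[bool]:
    """Withdraw the compromised CA and report which packages get new paths."""
    return paths_changed(closure(CERTS), closure(withdraw(CERTS, "Compromised-CA.pem")))


if __name__ == "__main__":
    for label, closure in (("store", store_closure), ("/etc", etc_closure)):
        certs_changed, gnutls_changed, dep_changed = withdrawal_effect(closure)
        print(f"{label:>5}: certs rebuilt={certs_changed}, "
              f"gnutls rebuilt={gnutls_changed}, wget rebuilt={dep_changed}")
```

With the store-path variant, withdrawing the compromised CA changes the certificate package's path, which changes the configure flag baked into gnutls, which changes every package that references gnutls: the whole closure is rebuilt, exactly the property the mail points out (for better or worse). With the /etc variant only the certificate package itself gets a new path; gnutls and its dependents keep theirs and pick up the new bundle at run time. The sorted concatenation in `build_certs` also makes the build independent of the order in which certificates are listed, which matters if the package is generated from a directory of files.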