Andreas Enge <andr...@enge.fr> writes:

> Hello Mark,
>
> I am a bit lost with this explanation:
>
> On Sun, Feb 15, 2015 at 12:17:59AM -0500, Mark H Weaver wrote:
>> I've set GIT_SSL_CAINFO in my environment for a long time to make Git
>> check certificates properly on GuixSD, but without the single-file
>> certificate bundle, I've lost certificate checking in Git.
>
> Is this because upon installing nss-certs, you uninstalled your single file?

Yes. Of course I could make it manually, put it somewhere else, and set
GIT_SSL_CAINFO to point to it, but I'd like to find a solution that works
out of the box for other GuixSD users.

> Since we had no certificates at all before, I fail to understand how the
> situation could be worse now than it was.

No, it's not worse than it was before. Sorry if I gave that impression.
The only issue is that we might need to generate a single-file
certificate bundle for now, because I haven't found a way to get 'git' to
check certificates on GuixSD without a single-file cert bundle, at least
not when curl is built with GnuTLS.

> Would implementing the p11-kit suggestion for gnutls solve the problem?

Good question! I don't know the answer. It seems that when 'git' uses
libcurl built with GnuTLS, it doesn't ask GnuTLS to use the system-wide
trust store. Maybe that's something we could fix somehow.

> Your further analysis might also imply that we need search path definitions
> for git and curl (although this does not seem to be enough at the moment).

I can't speak for the curl command-line tool, because I never use it,
but we might need one for 'git'.

    Mark