ng0 <contact....@cryptolab.net> skribis:

> Ludovic Courtès <l...@gnu.org> writes:
>
>> ng0 <n...@libertad.pw> skribis:
>>
>>> Ludovic Courtès <l...@gnu.org> writes:
>>>
>>>> Hello!
>>>>
>>>> ng0 <n...@libertad.pw> skribis:
>>>>
>>>>> * gnu/packages/ntp.scm (tlsdate)[arguments]: Configure with unprivileged
>>>>> user and group.
>>>>> [arguments]: Build with the system provided certificates in a new phase.
>>>>
>>>> [...]
>>>>
>>>>> + '(#:configure-flags '("--with-unpriv-user=tlsdate"
>>>>> + "--with-unpriv-group=tlsdate")
>>>>
>>>> Why? I think the default is nobody/nogroup, which is fine, no?
>>
>> s/I think//
>>
>>> I'm not sure if this is still fine when tlsdated is run. But I'll
>>> figure out soon.
>>
>> Right. The choice between “nobody” and “tlsdate” is purely cosmetic.
>>
>>>>> + #:phases (modify-phases %standard-phases
>>>>> + (add-after 'unpack 'set-cert-path
>>>>> + ;; Use the system certificate store, not the
>>>>> + ;; application bundled certificates.
>>>>> + (lambda _
>>>>> + (substitute* "Makefile.am"
>>>>> +
>>>>> (("$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf")
>>>>> + "/etc/ssl/certs/ca-certificates.crt"))))
>>>>
>>>> I sympathize with this but this may or may not work on foreign distros.
>>>> Still, it’s probably better (this ‘tlsdata-ca-roots.conf’ file seems to
>>>> be a 4-year old copy from Mozilla’s NSS).
>>>>
>>>> WDYT?
>>>>
>>>> Thanks,
>>>> Ludo’.
>>>>
>>>
>>> I don't really like the current way to setenv everything, but is
>>> this something we could do here to keep other distros happy? If
>>> so, what's a good suggestion how to apply this?
>>
>> Actually there’s an even better option: add a dependency on ‘nss-certs’
>> and change the above substitution to refer to it. This would always
>> work.
>>
>> Problem is ‘nss-certs’ doesn’t have the single-file certificate bundle
>> so you’d have to create that, essentially by duplicating
>> ‘ca-certificate-bundle’ from (guix profiles).
>>
>> Could you do that?
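Review bot: in the 'set-cert-path phase, substitute* compiles its pattern as an extended regexp, so the unescaped `$` (an end-of-line anchor) and the `(`/`)` grouping in `"$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf"` cannot match the literal `$(sysconfdir)` text in Makefile.am and the substitution silently does nothing, leaving the bundled 4-year-old store in use; escape the metacharacters, e.g. `"\\$\\(sysconfdir\\)/tlsdate/ca-roots/tlsdate-ca-roots\\.conf"`, and confirm in the build log that the path was actually rewritten. The hard-coded `/etc/ssl/certs/ca-certificates.crt` replacement also only exists where the host provides it, which is the foreign-distro concern raised above; the nss-certs input suggested in the reply avoids both problems.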
>
> I agree this is a better approach. Is there an easy way (like import
> ca-certificate-bundle from module guix profiles) or do I have to
> really recreate it all in the ntp module in a phase of tlsdate
> where it can only be used by tlsdate again?
Hmm, looks like there’s no easy way currently, sorry. :-/ That will
require a bit of fiddling.

Ludo’.
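As an added example (not code from this thread or from Guix itself), here is what the approach Ludo sketches could look like as a tlsdate build phase: it concatenates the PEM files from an ‘nss-certs’ input into one bundle, the way ‘ca-certificate-bundle’ in (guix profiles) does, and points Makefile.am at that bundle instead of the stale copy shipped with tlsdate. It assumes "nss-certs" is listed among the package's inputs and installs its certificates as *.pem files under etc/ssl/certs, and that the substitute* pattern is escaped because it is a regexp.

```scheme
;; Hypothetical replacement for the 'set-cert-path phase (added example,
;; not Guix's own code).  Assumes "nss-certs" is an input of the package
;; and that it installs PEM files under etc/ssl/certs.
(use-modules (guix build utils))   ; substitute*, find-files, mkdir-p, dump-port

(define (build-ca-bundle cert-dir bundle)
  "Concatenate every *.pem file under CERT-DIR into the single file BUNDLE,
the same single-file shape tlsdate expects for its ca-roots.conf."
  (mkdir-p (dirname bundle))
  (call-with-output-file bundle
    (lambda (out)
      (for-each (lambda (pem)
                  (call-with-input-file pem
                    (lambda (in) (dump-port in out))))
                ;; Sorted so the bundle is reproducible run to run.
                (sort (find-files cert-dir "\\.pem$") string<?)))))

(define use-nss-certs-phase
  (lambda* (#:key inputs outputs #:allow-other-keys)
    (let* ((out    (assoc-ref outputs "out"))
           (certs  (string-append (assoc-ref inputs "nss-certs")
                                  "/etc/ssl/certs"))
           (bundle (string-append
                    out "/etc/tlsdate/ca-roots/tlsdate-ca-roots.conf")))
      (build-ca-bundle certs bundle)
      ;; substitute* takes an extended regexp: "$", "(", ")" and "."
      ;; must be escaped or the pattern never matches the literal path
      ;; and the build silently keeps the bundled certificates.
      (substitute* "Makefile.am"
        (("\\$\\(sysconfdir\\)/tlsdate/ca-roots/tlsdate-ca-roots\\.conf")
         bundle))
      #t)))

;; Wired in place of the original phase:
;;   #:phases (modify-phases %standard-phases
;;              (add-after 'unpack 'use-nss-certs use-nss-certs-phase))
```

Because the bundle path lives in the tlsdate output and references the nss-certs store item, the resulting package carries nss-certs as a runtime dependency and no longer depends on the host having /etc/ssl/certs/ca-certificates.crt.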