Hello, Ludovic Courtès <[email protected]> writes:
> Hello, > > Maxim Cournoyer <[email protected]> skribis: > >> I guess we could rename NIX_SSL_CERT_FILE to just SSL_CERT_FILE in the >> above patch and add the $SSL_CERT_FILE search path to bring us closer to >> what OpenSSL supports? > > As a rule of thumb, I would avoid diverging from upstream, especially > for touchy points like this one: it quickly gets problematic when a > same-named package behaves differently across distros. > > In this case, because GnuTLS does not honor any environment variables, > applications/libraries linked against it have to provide their own > mechanism for users to specify the certificate search path. Normally, > they already do that. I'm closing this; GnuTLS now uses p11-kit with a default trust store that includes the nss-certs certificates on the gnome-team branch, which will should soon be in a state to be merged to master. -- Thanks, Maxim
