Hello!

Marius Bakke <mba...@fastmail.com> writes:

> Marius Bakke <mba...@fastmail.com> writes:
>
>> ng0 <n...@libertad.pw> writes:
>>
>>> * gnu/packages/curl.scm (curl)[arguments]: Add "--with-ca-bundle" configure
>>> flag.

[...]

> I realized shortly after posting why this wasn't done already. Curl has
> 1403 dependent packages, which would apply for "nss-certs" as well if
> that is added as input. Obviously we want to be able to update TLS
> certificates quickly without rebuilding ~1/4 of the tree.

Indeed. It’s a situation where we do not want to have a static binding
between cURL and nss-certs; instead, they should be composed
dynamically, along the lines of what we already recommend at:

  https://www.gnu.org/software/guix/manual/html_node/X_002e509-Certificates.html

cURL depends on GnuTLS, and GnuTLS doesn’t honor an environment variable
like ‘SSL_CERT_DIR’. Its recipe has this comment:

    ;; GnuTLS doesn't consult any environment variables to specify
    ;; the location of the system-wide trust store.  Instead it has a
    ;; configure-time option.  Unless specified, its configure script
    ;; attempts to auto-detect the location by looking for common
    ;; places in the file system, none of which are present in our
    ;; chroot build environment.  If not found, then no default trust
    ;; store is used, so each program has to provide its own
    ;; fallback, and users have to configure each program
    ;; independently.  This seems suboptimal.
    "--with-default-trust-store-dir=/etc/ssl/certs"

Original discussion:

  https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html

Ludo’.