Ludovic Courtès <l...@gnu.org> writes:
> Ricardo Wurmus <ricardo.wur...@mdc-berlin.de> skribis:
>
>> Marius Bakke <mba...@fastmail.com> writes:
>>
>>> Curl respects the variable "CURL_CA_BUNDLE". I think we could add a
>>> "native-search-path" for that, similar to how it's done for "git".
>>
>> “curl” does but libcurl does not.
>
> But that’s probably on purpose. What do the cURL developers recommend
> for their users?
>
> If they recommend that users roll their own mechanism to designate the
> trust store, then they probably do (?), and I think we should avoid
> interfering with that.
I don’t know what they recommend but on an FHS-compliant system libcurl
would be configured to default to a well-known path for the default CA
bundle. This allows users of libcurl to just not care about
implementing a mechanism to override the default CA bundle, because it
would fall back to the well-known system-wide path.
One of these packages is “r-curl”, which just assumes that the libcurl
defaults are fine. We patch it to enable CURL_CA_BUNDLE lookup (a
feature that was intended only for Windows).
Since GuixSD does not offer this path and Guix can be used on different
systems I think we need to provide an alternative. One alternative is
to replace the well-known path with a call to getenv("CURL_CA_BUNDLE").
~~ Ricardo
