X-Debbugs-CC: Hartmut Goebel <email@example.com>
There are some packages bundling CA certificates:
* nss-certs / le-certs (this one is not a problem)
* erlang-certifi (not yet, see https://issues.guix.gnu.org/54796#3)
Worse, these packages have many dependencies!
$ guix refresh -l nss-certs le-certs python-certifi perl-mozilla-ca
Building the following 534 packages would cause 1575 dependent packages to be rebuilt: ...
Why is this a problem?
* I don't think that anybody is actually looking into keeping
python-certifi / perl-mozilla-ca / rust-webpki-roots / ...
up to date. Security problems!
* Even so, this seems a waste of time to me, why not just use
$SSL_CERT_DIR / $SSL_CERT_FILE instead?
* Lots of rebuilds to update things.
* (relatively minor) Allowing overriding the certificates trusted with
$SSL_CERT_DIR / $SSL_CERT_FILE would be nice.
Also relevant to the third point: some packages depend on nss-certs.
I've heard an argument in favour of just using the certifi packages
instead of using our own certificates:
> (from Hartmut Goebel, at https://issues.guix.gnu.org/54796#52)
> Neither python-certifi nor gocertifi build on nss-cert. Adding some
> update mechanism into the Guix package is not a good idea IMO: This
> would make “firstname.lastname@example.org“ contain different certificates
> than the release 2.9.0, making debugging a hell.
... but I don't follow, it's just a different set of certificates, could
* eventually remove python-certifi, perl-mozilla-ca, ... because nobody
appears to be keeping them up-to-date and for security it is important
for them to be up to date.
* likewise, forbid new packages from being included as-is if they depend on
a certifi package or nss-certs.
* Look into removing the certifi packages from the inputs of packages,
submitting patches to upstream for using $SSL_CERT_... / /etc/ssl/certs ...
Upstream issues and patches I'm aware of:
* (python-requests, bug report): https://github.com/psf/requests/issues/2966
* (rebar3, bug report + patch): https://github.com/erlang/rebar3/issues/2696,
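As an added illustration of the approach proposed above (honour $SSL_CERT_FILE / $SSL_CERT_DIR, then the system store, and touch a bundled certifi-style copy only as a last resort), here is example code written for this page; it is not code from Guix, python-certifi, requests or any of the upstream projects mentioned. The system-store paths /etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs are assumptions (what a profile with nss-certs exposes), and the helper names are made up for the example. The one deliberate choice worth noting: an override that points at a missing file or directory raises instead of falling through, so a typo in the environment fails closed rather than silently verifying against a stale bundle.

```python
import os
import ssl
import sys
from pathlib import Path

# Assumed system-wide locations (on Guix these come from nss-certs): the file
# is the concatenated PEM bundle, the directory holds OpenSSL-hashed links.
SYSTEM_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"
SYSTEM_CERT_DIR = "/etc/ssl/certs"


def resolve_trust_store(env=None, system_file=SYSTEM_CERT_FILE,
                        system_dir=SYSTEM_CERT_DIR, bundled_file=None):
    """Pick the CA store in the order a distro-friendly program should use.

    1. $SSL_CERT_FILE / $SSL_CERT_DIR  (explicit override by user or profile)
    2. the system trust store           (kept current by the distribution)
    3. a copy bundled with the program  (certifi & co.), last resort only

    Returns (source, cafile, capath); at least one of cafile/capath is set.
    An override that points nowhere raises instead of falling through.
    """
    env = os.environ if env is None else env
    cafile = env.get("SSL_CERT_FILE") or None
    capath = env.get("SSL_CERT_DIR") or None
    if cafile or capath:
        if cafile and not Path(cafile).is_file():
            raise FileNotFoundError(f"SSL_CERT_FILE={cafile!r} is not a file")
        if capath and not Path(capath).is_dir():
            raise NotADirectoryError(f"SSL_CERT_DIR={capath!r} is not a directory")
        return "override", cafile, capath
    if Path(system_file).is_file():
        return "system-file", system_file, None
    if Path(system_dir).is_dir() and any(Path(system_dir).iterdir()):
        return "system-dir", None, system_dir
    if bundled_file and Path(bundled_file).is_file():
        return "bundled", bundled_file, None
    raise RuntimeError("no CA trust store found; set SSL_CERT_FILE or SSL_CERT_DIR")


def make_verifying_context(cafile, capath):
    """Client context that verifies against the chosen store only, not
    against whatever copy of the roots the library happened to ship with."""
    return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                      cafile=cafile, capath=capath)


def loaded_ca_count(ctx):
    """Number of CA certificates the context has parsed so far.  With a
    cafile this is the whole bundle; with only a capath OpenSSL loads
    hashed entries lazily, so the count stays 0 until a lookup happens."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    try:
        source, cafile, capath = resolve_trust_store()
    except (OSError, RuntimeError) as exc:
        sys.exit(f"refusing to continue without a trust store: {exc}")
    ctx = make_verifying_context(cafile, capath)
    print(f"trust store: {source} cafile={cafile} capath={capath}")
    print(f"CA certificates parsed so far: {loaded_ca_count(ctx)}")
```

For a library that currently hard-wires certifi, the change upstream is the same shape: compute cafile/capath once with a resolver like this and pass them to the TLS layer (for requests, `verify=cafile`), with the bundled file only as `bundled_file=`. Note the capath caveat in `loaded_ca_count`: a store that reports 0 certificates is not necessarily empty when it came from a hashed directory.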