Re: Certificates in pure and containerized environments
From: Konrad Hinsen
Subject: Re: Certificates in pure and containerized environments
Date: Mon, 04 Oct 2021 11:37:17 +0200

Hi Wiktór and Simon,

thanks for shedding some light on this strange behavior. After some more
exploration, the fundamental issue seems to be that many packages use
certificates but only a very small number declare a dependence on
nss-certs. In fact, nss-certs has only three direct dependents (icedtea,
ldns, and pypy) and 115 additional indirect dependents. That includes
r-reqon from Simon's example, which depends on icedtea via r-rjava and
openjdk.

A radical fix would be to make openssl dependent on nss-certs. But
openssl really depends on the availability of some collection of
certificates, not on any specific one. Nor do icedtea, ldns, or pypy.

Some packages (e.g. openssl or curl) have a `native-search-paths`
declaration that also seems to have the desired effect. The following
environment contains SSL_CERT_DIR as well:

    guix environment --pure --ad-hoc python nss-certs openssl

Python actually lists openssl as a dependency, but that is apparently
not sufficient to propagate the environment variables.

Anyway, this looks like the best workaround for me for now: adding
openssl to my environment. It adds no software package to my
environment, only environment variables and an executable on $PATH.

Thanks again,
  Konrad
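
Added example, not part of the original message: a small Python check that can be run inside a pure environment to see whether SSL_CERT_DIR or SSL_CERT_FILE is exported and points at actual certificate material. The function names and the temporary directory standing in for a profile are hypothetical.

```python
import os
import tempfile

CERT_VARS = ("SSL_CERT_DIR", "SSL_CERT_FILE")  # variables OpenSSL consults

def path_state(path):
    """Classify one path: 'missing', 'empty' or 'ok'."""
    if os.path.isdir(path):
        return "ok" if os.listdir(path) else "empty"
    if os.path.isfile(path):
        return "ok" if os.path.getsize(path) > 0 else "empty"
    return "missing"

def check_trust_store(environ):
    """Map each certificate variable to 'unset', 'missing', 'empty' or 'ok'."""
    report = {}
    for var in CERT_VARS:
        value = environ.get(var)
        if not value:
            report[var] = "unset"
            continue
        # OpenSSL accepts a list of directories in SSL_CERT_DIR.
        paths = value.split(os.pathsep) if var == "SSL_CERT_DIR" else [value]
        states = [path_state(p) for p in paths]
        # One usable entry is enough; otherwise report the best failure seen.
        report[var] = next((s for s in ("ok", "empty") if s in states), "missing")
    return report

def usable(report):
    """True when at least one variable points at certificate material."""
    return "ok" in report.values()

if __name__ == "__main__":
    # Constructed stand-in for a profile's etc/ssl/certs directory.
    with tempfile.TemporaryDirectory() as profile:
        certs = os.path.join(profile, "etc", "ssl", "certs")
        os.makedirs(certs)
        with open(os.path.join(certs, "constructed-ca.pem"), "w") as fh:
            fh.write("placeholder\n")
        for label, env in (("variables absent", {}),
                           ("SSL_CERT_DIR exported", {"SSL_CERT_DIR": certs})):
            r = check_trust_store(env)
            print(f"{label}: {r} usable={usable(r)}")
    # The environment this script is actually running in.
    print("this shell:", check_trust_store(os.environ))
```

A variable that is set but reports 'missing' or 'empty' fails TLS verification in the same way as an unset one, so the check separates those cases.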