GNU bug report logs - #52690
Remove direct dependencies on the nss-certs certificate store

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 21 Dec 2021 00:37:02 UTC

Severity: normal

Full log

View this message in rfc822 format

From: Leo Famulari <leo <at> famulari.name>
To: 52690 <at> debbugs.gnu.org
Subject: [bug#52690] Remove direct dependencies on the nss-certs certificate store
Date: Mon, 20 Dec 2021 19:36:31 -0500

[Message part 1 (text/plain, inline)]
Three packages depend directly on nss-certs: ldns, pypy3, and icedtea6.

This is a problem because certificates expire. When that happens, the
features of these programs that use X.509 certificates will stop
working. Instead, packages should look up certificates at run-time in
unversioned and well-known locations such as /etc/ssl/certs or via
environment variables like $SSL_CERT_DIR.

I'll send a patch removing the dependency from ldns.

pypy3 does not build anyways because its runpath cannot be successfully
validated, but I will investigate anyways after disabling the runpath
validator.

Icedtea6 is a very complex package. I assume it depends on the
certificates directly for a good reason, but I would still appreciate
some feedback on it.

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 3 years and 169 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.