GNU bug report logs -
#54796
[PATCH v3 00/22] Add importer for hex.pm and rebar3 build-system for Erlang
Previous Next
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Hartmut Goebel schreef op vr 08-04-2022 om 19:03 [+0200]:
> + (description "This Erlang library contains a CA bundle that you can
> +reference in your Erlang application. This is useful for systems that do not
> +have CA bundles that Erlang can find itself, or where a uniform set of CAs is
> +valuable.
> +
> +This an Erlang specific port of certifi. The CA bundle is derived from
Can this bundle be built from 'nss-certs', such that when nss-certs is
updated (e.g. Mozilla revokes a root certificate due to reasons),
erlang-certifi is up-to-date as well?
Also, if Erlang supports some kind of static linking, then a package
like this might be useful for people wanting to make static binaries to
distribute to (non-Guix) systems.
However, adding packages like nss-certs to the package inputs is
avoided in favour of SSL_CERT_DIR/SSL_CERT_FILE / /etc/ssl/certs, to
avoid rebuilds (*) when nss-certs is updated and because people might
want to use a different set of root certificates (e.g., le-certs, none,
or a list of (non-CA) certificates for a few individual sites).
As such, can this package be avoided as dependency?
Also see:
* https://issues.guix.gnu.org/54434#8
(tzdata instead of nss-certs, but same principle)
* https://lists.gnu.org/archive/html/guix-devel/2017-01/msg00516.html
(about rebuilds)
* https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00277.html
(some security reasons for not including nss-certs in the inputs
or even the user profile)
(*) nowaday it is less of a concern because of grafting, but grafting
can take a long time.
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 2 years and 339 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.