Message ID | 25be4a7ca6f9af888b6a97f6ab03e2e3ae2caaf7.1649436566.git.h.goebel@crazy-compilers.com
---|---
State | Accepted
Series | Add importer for hex.pm and rebar3 build-system for Erlang
Hartmut Goebel wrote on Fri 08-04-2022 at 19:03 [+0200]:
> +    (description "This Erlang library contains a CA bundle that you can
> +reference in your Erlang application.  This is useful for systems that do not
> +have CA bundles that Erlang can find itself, or where a uniform set of CAs is
> +valuable.
> +
> +This an Erlang specific port of certifi.  The CA bundle is derived from

Can this bundle be built from 'nss-certs', such that when nss-certs is updated (e.g. Mozilla revokes a root certificate due to reasons), erlang-certifi is up-to-date as well?

Also, if Erlang supports some kind of static linking, then a package like this might be useful for people wanting to make static binaries to distribute to (non-Guix) systems. However, adding packages like nss-certs to the package inputs is avoided in favour of SSL_CERT_DIR/SSL_CERT_FILE / /etc/ssl/certs, to avoid rebuilds (*) when nss-certs is updated and because people might want to use a different set of root certificates (e.g., le-certs, none, or a list of (non-CA) certificates for a few individual sites).

As such, can this package be avoided as a dependency?

Also see:

* https://issues.guix.gnu.org/54434#8 (tzdata instead of nss-certs, but same principle)
* https://lists.gnu.org/archive/html/guix-devel/2017-01/msg00516.html (about rebuilds)
* https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00277.html (some security reasons for not including nss-certs in the inputs or even the user profile)

(*) nowadays it is less of a concern because of grafting, but grafting can take a long time.

Greetings,
Maxime.
On 09.04.22 at 13:39, Maxime Devos wrote:
> Can this bundle be built from 'nss-certs', such that when nss-certs is
> updated (e.g. Mozilla revokes a root certificate due to reasons),
> erlang-certifi is up-to-date as well?

This package is a sibling of python-certifi [1] and go-github-com-certifi-gocertifi [2]. All these contain a copy of the/a CA bundle — which is the idea of these packages: „useful for systems that do not have CA bundles“. So they intentionally do not honor SSL_CERT_DIR/…. They are meant to be used as a fall-back for libraries/applications honoring SSL_CERT_DIR/….

Neither python-certifi nor gocertifi builds on nss-certs. Adding some update mechanism into the Guix package is not a good idea IMO: this would make “erlang-certifi@2.9.0“ contain different certificates than the release 2.9.0, making debugging a hell.

> As such, can this package be avoided as a dependency?

As of now, rebar3 does not support SSL_CERT_DIR/…. Anyhow, there is already an open ticket [3] for this. Other libraries/applications might still need erlang-certifi, like some need python-certifi or gocertifi. So anyhow we should keep this package.

[1] https://github.com/certifi/python-certifi
[2] https://github.com/certifi/gocertifi
[3] https://github.com/erlang/rebar3/issues/2696
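The fallback design both replies describe, as an added illustration (not code from erlang-certifi, rebar3 or either author): an Erlang module with a hypothetical name that honours SSL_CERT_FILE, then SSL_CERT_DIR, then the system bundle under /etc/ssl/certs, and reaches for the certifi bundle only when none of those is present. It assumes erlang-certifi's exported certifi:cacertfile/0 and OTP's public_key and ssl applications.

```erlang
%% ca_config is a hypothetical module name chosen for this example.
%% Root-store selection in the order the thread argues for: the user's
%% SSL_CERT_FILE, then SSL_CERT_DIR, then the system bundle under
%% /etc/ssl/certs, and only then the roots bundled with erlang-certifi.
-module(ca_config).
-export([ca_options/0, ca_options/1]).

%% Returns ssl options for ssl:connect/3.  Peer verification is switched
%% on explicitly: a CA bundle, bundled or not, does nothing unless
%% {verify, verify_peer} is set as well.
ca_options() ->
    ca_options(#{cert_file => os:getenv("SSL_CERT_FILE"),
                 cert_dir  => os:getenv("SSL_CERT_DIR")}).

%% Env is passed as a map so the selection can be exercised without
%% changing the real environment.  os:getenv/1 yields false when a
%% variable is unset, so the is_list/1 guards fall through.
ca_options(#{cert_file := File}) when is_list(File), File =/= "" ->
    true = filelib:is_regular(File),   % fail loudly on a bad setting
    [{verify, verify_peer}, {cacertfile, File}];
ca_options(#{cert_dir := Dir}) when is_list(Dir), Dir =/= "" ->
    case der_certs_in_dir(Dir) of
        []   -> erlang:error({no_certificates_in, Dir});
        Ders -> [{verify, verify_peer}, {cacerts, Ders}]
    end;
ca_options(_Env) ->
    SystemBundle = "/etc/ssl/certs/ca-certificates.crt",
    Path = case filelib:is_regular(SystemBundle) of
               true  -> SystemBundle;
               false -> certifi:cacertfile()   % bundled fallback
           end,
    [{verify, verify_peer}, {cacertfile, Path}].

%% Collect the DER certificates from every *.pem / *.crt file in Dir;
%% PEM entries that are not certificates (keys, CRLs) are ignored.
der_certs_in_dir(Dir) ->
    Files = filelib:wildcard(filename:join(Dir, "*.{pem,crt}")),
    lists:flatmap(
      fun(F) ->
              {ok, Bin} = file:read_file(F),
              [Der || {'Certificate', Der, not_encrypted}
                          <- public_key:pem_decode(Bin)]
      end, Files).
```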
diff --git a/gnu/packages/erlang.scm b/gnu/packages/erlang.scm index 0b9e89d134..95a18e6f18 100644 --- a/gnu/packages/erlang.scm +++ b/gnu/packages/erlang.scm @@ -206,6 +206,30 @@ built-in support for concurrency, distribution and fault tolerance.") files.") (license license:asl2.0))) +(define-public erlang-certifi + (package + (name "erlang-certifi") + (version "2.9.0") + (source + (origin + (method url-fetch) + (uri (hexpm-uri "certifi" version)) + (sha256 + (base32 "0ha6vmf5p3xlbf5w1msa89frhvfk535rnyfybz9wdmh6vdms8v96")))) + (build-system rebar3-build-system) + (arguments + `(#:tests? #f)) ;; have not been updated for latest cert bundle + (home-page "https://github.com/certifi/erlang-certifi/") + (synopsis "CA bundle adapted from Mozilla for Erlang") + (description "This Erlang library contains a CA bundle that you can +reference in your Erlang application. This is useful for systems that do not +have CA bundles that Erlang can find itself, or where a uniform set of CAs is +valuable. + +This an Erlang specific port of certifi. The CA bundle is derived from +Mozilla's canonical set.") + (license license:bsd-3))) + (define-public erlang-cf (package (name "erlang-cf")
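Review bot: the `(arguments `(#:tests? #f)) ;; have not been updated for latest cert bundle` line disables the entire test suite, and the comment says neither which tests break nor what they check; please spell out that upstream's tests compare against an older bundle (if that is the reason), use a single `;` for a trailing comment as the rest of the file does, and prefer skipping only the failing tests over disabling all of them. The description string also has a typo: "This an Erlang specific port of certifi." should read "This is an Erlang-specific port of certifi." Lastly, because the bundle is pinned to whatever shipped in 2.9.0 and only follows Mozilla's root store when the package version is bumped, the description would serve users better if it said the bundle is a fallback and that applications should prefer SSL_CERT_FILE/SSL_CERT_DIR or /etc/ssl/certs where those exist, as discussed in this thread.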