From bc041b3e264380bd49025515d3c5d11319aa3f50 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludovic.courtes@inria.fr>
Date: Fri, 8 Feb 2019 10:31:23 +0100
Subject: git: Always use the system certificates by default.

'guix pull' was always doing it, and now '--with-branch' & co. will do
it as well.

* guix/git.scm (honor-system-x509-certificates!): New procedure.
(%certificates-initialized?): New variable.
(with-libgit2): Add call to 'honor-system-x509-certificates!'.
* guix/scripts/pull.scm (honor-x509-certificates): Call
'honor-system-x509-certificates!' and fall back to
'honor-lets-encrypt-certificates!'.
---
 guix/scripts/pull.scm | 26 ++------------------------
 1 file changed, 2 insertions(+), 24 deletions(-)

(limited to 'guix/scripts/pull.scm')

diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index 683ab3f059..3320200c07 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -216,30 +216,8 @@ true, display what would be built without actually building it."
 
 (define (honor-x509-certificates store)
   "Use the right X.509 certificates for Git checkouts over HTTPS."
-  ;; On distros such as CentOS 7, /etc/ssl/certs contains only a couple of
-  ;; files (instead of all the certificates) among which "ca-bundle.crt".  On
-  ;; other distros /etc/ssl/certs usually contains the whole set of
-  ;; certificates along with "ca-certificates.crt".  Try to choose the right
-  ;; one.
-  (let ((file      (letrec-syntax ((choose
-                                    (syntax-rules ()
-                                      ((_ file rest ...)
-                                       (let ((f file))
-                                         (if (and f (file-exists? f))
-                                             f
-                                             (choose rest ...))))
-                                      ((_)
-                                       #f))))
-                     (choose (getenv "SSL_CERT_FILE")
-                             "/etc/ssl/certs/ca-certificates.crt"
-                             "/etc/ssl/certs/ca-bundle.crt")))
-        (directory (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs")))
-    (if (or file
-            (and=> (stat directory #f)
-                   (lambda (st)
-                     (> (stat:nlink st) 2))))
-        (set-tls-certificate-locations! directory file)
-        (honor-lets-encrypt-certificates! store))))
+  (unless (honor-system-x509-certificates!)
+    (honor-lets-encrypt-certificates! store)))
 
 (define (report-git-error error)
   "Report the given Guile-Git error."
-- 
cgit v1.2.3