build: explain why we publish CA certificates this way

Alternatively, we could bundle the CA certificate path (at compile time) inside Akvorado binary and it would be pulled automatically. This seems like a hurdle.
2025-12-11 22:14:02 +01:00 · 2022-11-03 22:05:12 +01:00
parent 192844bdd6
commit 4514bde29b
1 changed files with 2 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -27,6 +27,8 @@
            export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
            export GOFLAGS=-trimpath
          '';
+          # We do not use a wrapper to set SSL_CERT_FILE because, either a
+          # binary or a shell wrapper, it would pull the libc (~30M).
          installPhase = ''
            mkdir -p $out/bin $out/share/ca-certificates
            cp bin/akvorado $out/bin/.