From 8a5c4384e059b83edb5869748706bad17ae5f8ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?=
Date: Wed, 22 Jan 2020 20:06:41 +0800
Subject: gnu: knot-resolver: Install but disable the default managed root TA.

* gnu/packages/dns.scm (knot-resolver)[arguments]: Enable 'managed_ta', so 'icann-ca.pem' get installed. Add 'disable-default-ta' phase.
---
 gnu/packages/dns.scm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index e5148d5bc9..3091444ed6 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -680,11 +680,16 @@ synthesis, and on-the-fly re-configuration.")
 "09ffmqx79lv5psr433x4n946njgsn071b9b7161pcb9bmrqz380c"))))
 (build-system meson-build-system)
 (arguments
- '(#:configure-flags
- '("-Dmanaged_ta=disabled" ; we'll manage the DNS root data ourself
- "-Ddoc=enabled")
+ '(#:configure-flags '("-Ddoc=enabled")
 #:phases
 (modify-phases %standard-phases
+ (add-before 'configure 'disable-default-ta
+ (lambda _
+ ;; Disable the default managed root TA, since we don't have
+ ;; write access to the keyfile and its directory in store.
+ (substitute* "daemon/lua/sandbox.lua.in"
+ (("^trust_anchors\\.add_file.*") ""))
+ #t))
 (add-after 'build 'build-doc
 (lambda _
 (invoke "ninja" "doc")))
-- 
cgit v1.2.3
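Review bot: The comment in the new 'disable-default-ta' phase explains why the default root trust anchor load is stripped from `daemon/lua/sandbox.lua.in`, but not the consequence: a kresd started without a configuration that adds a trust anchor itself would presumably run with DNSSEC validation off. I would add a line such as `;; NOTE: DNSSEC validation then depends on the user's config adding a trust anchor.` Separately, `substitute*` does not fail when its pattern matches nothing, so if a later upstream release indents or rewrites that line, the `^trust_anchors\\.add_file.*` match is lost silently and the default TA pointing into the read-only store comes back. A check after the substitution that the file no longer contains `trust_anchors.add_file` would turn that into a build failure on upgrade. The `modify-phases` form continues past the end of the hunk.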