Hi everybody,
complete newbie here. I'm looking for some info on how Cargo determines what the paths to look for the CA store are. Information on that matter seems to be a little scarce in the Cargo book. It simply mentions that if http.cainfo is not set, "Cargo attempts to use the system certificates".
What I need help with may be a bit of an unusual question, so here's a little background on why I'm asking in the first place:
I'm on a team that is concerned about the general trend of de facto monopolization in the IT world. For example it's a well-known fact that there are very few viable browser engines left. While the situation is a little better regarding operating systems, the "big three" still get most of the attention. We believe that platform diversity is very important for various reasons like the resiliency of modern tech (e.g. because more exotic platforms are known to help exposing bugs and other issues early before they strike much harder later).
Well, we happen to also like the ideas and values of Rust - and while we did some work on better supporting *BSD in the os_info crate, it's of course even more important to make Rust easily available on various non-mainstream platforms first. One project that we are contributing to is a cross-platform packaging framework for Unix-like systems. Together with a lot of other software it provides Rust in packaged form on DragonFly BSD, FreeBSD, Linux (glibc-based) and NetBSD currently. It is designed in a way so that it doesn't interfere with whatever the system's main package manager is; to do that, it uses a custom prefix (think installing software to /opt). Since this means that libraries, headers and such are all installed in a non-standard location, some software needs to be patched to work.
Cargo currently requires to set the CARGO_HTTP_CAINFO environment variable or it will error out with a "SSL certificate problem" as it cannot find the certificate bundle. While setting this does work, it's rather inconvenient and not the most pleasant experience for the end user. For that reason I would like to teach cargo to find the certs by default by applying a downstream patch when we build it. Unfortunately I have no idea on where to look for that (my attempts at grepping through the source did not yield much). Any hints or pointers would be most welcome.