[gnutls-help] "built-in" gnutls config, with optional-only config file on disk

Dimitri John Ledkov xnox at ubuntu.com
Mon Dec 16 03:46:37 CET 2019


In Ubuntu, the gnutls default priority is set to "NORMAL"; however, I kind
of like how on Fedora it is set to "@SYSTEM" and a system config file
then defines what that actually means, allowing users to override it
system-wide.

However, there are a few issues with that. It creates a hard
dependency between libgnutls and a config file on disk, and said config
file must always specify [priorities] SYSTEM=, as otherwise setting the
default priorities fails (and the AppArmor profile must allow reading
said config, etc.).
A prime example: the gnutls testsuite fails, as it uses a custom
tests/system.prio without SYSTEM= specified. And, for example, one can
see in the Fedora spec file that 'echo SYSTEM=NORMAL >> tests/system.prio'
is done to unbreak the testsuite.

It also means that if one copies all the library dependencies of an
app, without the config file, into a chroot/initrd/container/etc., one may
get a non-working gnutls, or one that behaves differently.

Is there a way to provide built-in compiled defaults that operate with
or without a config file on disk? I.e. something like: use @SYSTEM if it
exists, otherwise fall back to "NORMAL"? That way, with or without a
config, the default behaviour is the same, setting the default priority
always works, and users can still override it.

What about the other overrides? I.e. can one somehow compile in
default [overrides] that are used unless the system config specifies its
own? I.e. a built-in config specifying [overrides] disabled-versions=tls1.0,
with users able to turn it back on by creating the config and
specifying, say, an empty [overrides] paragraph, or using something like
reenable-versions=tls1.0.

Maybe I am overthinking all of this, and what I really want is simply
support for
    [overrides]
    default-priority-string = NORMAL
whilst the library itself is compiled with something stronger, i.e.
--with-default-priority-string='NORMAL:-VERS-TLS1.0'.

-- 
Regards,

Dimitri.
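As an added illustration of the two fallback behaviours the message asks for, here is a small model in Python. This is example code written for this page, not GnuTLS code, and it does not reproduce how libgnutls actually parses its system-wide file: the parser is a simplified ini-style model (sections, key = value, '#' comments, repeated keys), the sample config texts are constructed, and the key names in them follow the message's hypothetical rather than the documented key set. resolve_default_priority() compares today's "SYSTEM= must exist" behaviour (strict=True) with the proposed "use @SYSTEM if defined, else the compiled-in string" behaviour; effective_overrides() models the second question, where compiled-in [overrides] apply only until the on-disk config carries an [overrides] section of its own.

```python
"""Model of 'built-in defaults with optional config file' for a gnutls-like
priority config. Added example; not GnuTLS's own parser or semantics."""

# Constructed sample files (not taken from any distribution or from gnutls).
FEDORA_STYLE_CONFIG = """
# system-wide policy file, Fedora style: defines what @SYSTEM means
[priorities]
SYSTEM = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1

[overrides]
disabled-version = tls1.0
disabled-version = tls1.1
"""

TESTSUITE_PRIO = """
# stand-in for a tests/system.prio that names priorities but no SYSTEM=
[priorities]
TESTSUITE = NORMAL:-VERS-TLS1.0
"""

# What --with-default-priority-string='...' would bake into the library.
BUILTIN_DEFAULT = "NORMAL"
# Hypothetical compiled-in [overrides], as the message proposes.
BUILTIN_OVERRIDES = {"disabled-version": ["tls1.0"]}


def parse_config(text):
    """Parse ini-style text into {section: {key: [value, ...]}}.

    text=None stands for 'no config file on disk' and yields None.
    A section header creates the section even when it has no keys, so an
    empty [overrides] paragraph is distinguishable from no [overrides].
    """
    if text is None:
        return None
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            cfg.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed config line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[section].setdefault(key, []).append(value)  # repeated keys accumulate
    return cfg


def resolve_default_priority(config_text, builtin=BUILTIN_DEFAULT, strict=False):
    """Return (priority_string, source) for the library's default priority.

    strict=True  : today's behaviour in the message; [priorities] SYSTEM= must
                   exist or setting the default priority fails.
    strict=False : proposed behaviour; use @SYSTEM when defined, otherwise
                   fall back to the compiled-in string.
    """
    cfg = parse_config(config_text)
    values = cfg.get("priorities", {}).get("SYSTEM") if cfg else None
    if values:
        return values[-1], "@SYSTEM"  # last definition wins
    if strict:
        raise LookupError("[priorities] SYSTEM= not defined; default priority fails")
    return builtin, "built-in"


def unbreak_testsuite(prio_text, fallback=BUILTIN_DEFAULT):
    """The spec-file workaround quoted in the message: append SYSTEM=<fallback>.

    Note the caveat of a blind append: it only lands in [priorities] if that
    is the last section of the file, which holds for the constructed sample.
    """
    if not prio_text.endswith("\n"):
        prio_text += "\n"
    return prio_text + f"SYSTEM={fallback}\n"


def effective_overrides(config_text, builtin=BUILTIN_OVERRIDES):
    """Compiled-in [overrides] apply unless the on-disk config has its own
    [overrides] section; an empty section therefore re-enables everything."""
    cfg = parse_config(config_text)
    if cfg is not None and "overrides" in cfg:
        return {k: list(v) for k, v in cfg["overrides"].items()}, "config"
    return {k: list(v) for k, v in builtin.items()}, "built-in"


if __name__ == "__main__":
    for name, text in [("fedora", FEDORA_STYLE_CONFIG), ("none", None),
                       ("testsuite", TESTSUITE_PRIO)]:
        print(name, resolve_default_priority(text), effective_overrides(text))
```

Run the module directly to see the three cases side by side; the point of the model is that with strict=False the "no file" and "file without SYSTEM=" cases both resolve to the compiled-in string, while a complete policy file still wins.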
