GNU bug report logs - #32530
[PATCH] gnu: octave: Fix CA certificate use.


Package: guix-patches;

Reported by: Kei Kebreau <kkebreau <at> posteo.net>

Date: Sun, 26 Aug 2018 00:43:02 UTC

Severity: normal

Tags: patch

Done: Kei Kebreau <kkebreau <at> posteo.net>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Sun, 26 Aug 2018 00:43:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kei Kebreau <kkebreau <at> posteo.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 26 Aug 2018 00:43:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: guix-patches <at> gnu.org
Cc: Kei Kebreau <kkebreau <at> posteo.net>
Subject: [PATCH] gnu: octave: Fix CA certificate use.
Date: Sat, 25 Aug 2018 20:42:31 -0400
* gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
Octave with the path to system CA certificates.
---
 gnu/packages/maths.scm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 3d571e8cc..b0caff0f5 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -1417,7 +1417,13 @@ can solve two kinds of problems:
                 (string-append "Vmakeinfo_program = \""
                                (assoc-ref inputs "texinfo")
                                "/bin/makeinfo\"")))
-             #t)))))
+             #t))
+         (add-after 'install 'wrap-program
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               (wrap-program (string-append out "/bin/octave")
+                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
+               #t))))))
     (home-page "https://www.gnu.org/software/octave/")
     (synopsis "High-level language for numerical computation")
     (description "GNU Octave is a high-level interpreted language that is
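
Review bot: The `suffix` form in the new `wrap-program` call appends `/etc/ssl/certs` to `CURLOPT_CAPATH` on every launch of `bin/octave`, so a user who exports the variable to point only at a private certificate directory still ends up with the system directory in the trust path and cannot drop it. The directory is also an absolute, hard-coded path, so the wrapper is only useful on hosts that populate `/etc/ssl/certs`. Consider leaving the variable under the user's control, for example by declaring it as a search path so that certificates installed in the profile are picked up, and add a comment saying which component actually reads `CURLOPT_CAPATH`.
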
-- 
2.18.0





Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Thu, 13 Sep 2018 08:44:01 GMT) Full text and rfc822 format available.

Message #8 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Kei Kebreau <kkebreau <at> posteo.net>
Cc: 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Thu, 13 Sep 2018 10:43:24 +0200
Hi,

Kei Kebreau <kkebreau <at> posteo.net> skribis:

> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
> Octave with the path to system CA certificates.

[...]

> +         (add-after 'install 'wrap-program
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let ((out (assoc-ref outputs "out")))
> +               (wrap-program (string-append out "/bin/octave")
> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))

Users might want to ignore /etc/ssl/certs altogether and instead only
use their own set of certificates, so I’m rather reluctant to such a
change.

Now, I agree that there’s a usability problem: we don’t want every
Octave user to stumble upon a certificate error message.  I can think of
several solutions:

  1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
     assuming that variable is honored by libcurl itself.  It won’t
     solve this immediate issue, but it sounds like “the right way.”

  2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
     /etc/profile, like we already do for other variables.

  3. We could document this variable under “X.509 Certificates” in the
     manual.

#1 would have to go to ‘core-updates’.  WDYT?

Thanks,
Ludo’.
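
Added example, not part of the message above or of the Guix code base: the objection comes down to which value the wrapped program finally sees. The functions below model the `suffix` wrapper as the shell idiom `${VAR:+$VAR:}DIR` (an assumption about what the wrapper emits) and audit each colon-separated entry for OpenSSL-style hash-named files; all function names and sample paths are constructed.

```shell
#!/bin/sh
# Added illustration: function names and sample paths are constructed.

# Effective value seen by a program wrapped with 'suffix' semantics:
# the caller's value (if any) is kept and DIR is always appended.
# Assumption: the wrapper emits the idiom  VAR="${VAR:+$VAR:}DIR".
wrapper_suffix() {            # $1 = caller's value (may be empty), $2 = DIR
    printf '%s\n' "${1:+$1:}$2"
}

# Succeed if directory $2 is one of the colon-separated entries of $1.
capath_contains() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print one line per entry of a colon-separated CA path:
#   missing  DIR   entry does not exist
#   hashed   DIR   holds OpenSSL hash-named files (8 hex digits, dot, index)
#   unhashed DIR   exists, but nothing a hashed-directory lookup would find
audit_capath() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        case "$_rest" in
            *:*) _rest=${_rest#*:} ;;
            *)   _rest= ;;
        esac
        [ -n "$_dir" ] || continue        # skip empty entries ("a::b")
        if [ ! -d "$_dir" ]; then
            echo "missing $_dir"
        elif ls "$_dir" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "hashed $_dir"
        else
            echo "unhashed $_dir"
        fi
    done
}

# Demo with a constructed user setting: the private directory is honoured,
# but the system directory is still part of the trust path.
user_capath=/home/alice/pins
effective=$(wrapper_suffix "$user_capath" /etc/ssl/certs)
echo "effective CURLOPT_CAPATH: $effective"
if capath_contains "$effective" /etc/ssl/certs; then
    echo "system CA directory is still trusted"
fi
audit_capath "$effective"
```

Running `audit_capath "$CURLOPT_CAPATH"` in the shell that launches Octave shows which directories a hashed-directory lookup can actually use.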




Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Thu, 13 Sep 2018 23:45:01 GMT) Full text and rfc822 format available.

Message #11 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Thu, 13 Sep 2018 19:44:12 -0400
ludo <at> gnu.org (Ludovic Courtès) writes:

> Hi,
>
> Kei Kebreau <kkebreau <at> posteo.net> skribis:
>
>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>> Octave with the path to system CA certificates.
>
> [...]
>
>> +         (add-after 'install 'wrap-program
>> +           (lambda* (#:key outputs #:allow-other-keys)
>> +             (let ((out (assoc-ref outputs "out")))
>> +               (wrap-program (string-append out "/bin/octave")
>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>
> Users might want to ignore /etc/ssl/certs altogether and instead only
> use their own set of certificates, so I’m rather reluctant to such a
> change.
>
> Now, I agree that there’s a usability problem: we don’t want every
> Octave user to stumble upon a certificate error message.  I can think of
> several solutions:
>
>   1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
>      assuming that variable is honored by libcurl itself.  It won’t
>      solve this immediate issue, but it sounds like “the right way.”
>
>   2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
>      /etc/profile, like we already do for other variables.
>
>   3. We could document this variable under “X.509 Certificates” in the
>      manual.
>
> #1 would have to go to ‘core-updates’.  WDYT?
>
> Thanks,
> Ludo’.

I don't mind putting #1 on 'core-updates' assuming it works. I will test
it locally first. Also, thanks for looking at this!




Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Sat, 15 Sep 2018 01:55:01 GMT) Full text and rfc822 format available.

Message #14 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Fri, 14 Sep 2018 21:54:35 -0400
Kei Kebreau <kkebreau <at> posteo.net> writes:

> ludo <at> gnu.org (Ludovic Courtès) writes:
>
>> Hi,
>>
>> Kei Kebreau <kkebreau <at> posteo.net> skribis:
>>
>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program'
>>> phase to wrap
>>> Octave with the path to system CA certificates.
>>
>> [...]
>>
>>> +         (add-after 'install 'wrap-program
>>> +           (lambda* (#:key outputs #:allow-other-keys)
>>> +             (let ((out (assoc-ref outputs "out")))
>>> +               (wrap-program (string-append out "/bin/octave")
>>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>
>> Users might want to ignore /etc/ssl/certs altogether and instead only
>> use their own set of certificates, so I’m rather reluctant to such a
>> change.
>>
>> Now, I agree that there’s a usability problem: we don’t want every
>> Octave user to stumble upon a certificate error message.  I can think of
>> several solutions:
>>
>>   1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
>>      assuming that variable is honored by libcurl itself.  It won’t
>>      solve this immediate issue, but it sounds like “the right way.”
>>
>>   2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
>>      /etc/profile, like we already do for other variables.
>>
>>   3. We could document this variable under “X.509 Certificates” in the
>>      manual.
>>
>> #1 would have to go to ‘core-updates’.  WDYT?
>>
>> Thanks,
>> Ludo’.
>
> I don't mind putting #1 on 'core-updates' assuming it works. I will test
> it locally first. Also, thanks for looking at this!

It looks like solution #1 does not work as expected. In this case,
perhaps #3 would be preferable because the user can more easily control
the environment variable?




Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Sat, 15 Sep 2018 08:38:01 GMT) Full text and rfc822 format available.

Message #17 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Kei Kebreau <kkebreau <at> posteo.net>, 32530 <at> debbugs.gnu.org
Cc: Kei Kebreau <kkebreau <at> posteo.net>
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Sat, 15 Sep 2018 10:37:39 +0200
Kei Kebreau <kkebreau <at> posteo.net> writes:

> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
> Octave with the path to system CA certificates.
> ---
>  gnu/packages/maths.scm | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
> index 3d571e8cc..b0caff0f5 100644
> --- a/gnu/packages/maths.scm
> +++ b/gnu/packages/maths.scm
> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>                  (string-append "Vmakeinfo_program = \""
>                                 (assoc-ref inputs "texinfo")
>                                 "/bin/makeinfo\"")))
> -             #t)))))
> +             #t))
> +         (add-after 'install 'wrap-program
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let ((out (assoc-ref outputs "out")))
> +               (wrap-program (string-append out "/bin/octave")
> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
> +               #t))))))

Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
(as with CURL_CA_BUNDLE for `curl`).  That way installing certificates
to the profile should be sufficient.

Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Sat, 15 Sep 2018 18:32:02 GMT) Full text and rfc822 format available.

Message #20 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Sat, 15 Sep 2018 14:30:43 -0400
Marius Bakke <mbakke <at> fastmail.com> writes:

> Kei Kebreau <kkebreau <at> posteo.net> writes:
>
>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>> Octave with the path to system CA certificates.
>> ---
>>  gnu/packages/maths.scm | 8 +++++++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>> index 3d571e8cc..b0caff0f5 100644
>> --- a/gnu/packages/maths.scm
>> +++ b/gnu/packages/maths.scm
>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>                  (string-append "Vmakeinfo_program = \""
>>                                 (assoc-ref inputs "texinfo")
>>                                 "/bin/makeinfo\"")))
>> -             #t)))))
>> +             #t))
>> +         (add-after 'install 'wrap-program
>> +           (lambda* (#:key outputs #:allow-other-keys)
>> +             (let ((out (assoc-ref outputs "out")))
>> +               (wrap-program (string-append out "/bin/octave")
>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>> +               #t))))))
>
> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
> (as with CURL_CA_BUNDLE for `curl`).  That way installing certificates
> to the profile should be sufficient.

Ah! Yes, this works when I add curl to the profile. I didn't do this the
first time. I'll upload a patch here soon.

Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Mon, 17 Sep 2018 16:34:02 GMT) Full text and rfc822 format available.

Message #23 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: Marius Bakke <mbakke <at> fastmail.com>, ludo <at> gnu.org
Cc: 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Mon, 17 Sep 2018 12:33:01 -0400
Kei Kebreau <kkebreau <at> posteo.net> writes:

> Marius Bakke <mbakke <at> fastmail.com> writes:
>
>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>>
>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>> Octave with the path to system CA certificates.
>>> ---
>>>  gnu/packages/maths.scm | 8 +++++++-
>>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>> index 3d571e8cc..b0caff0f5 100644
>>> --- a/gnu/packages/maths.scm
>>> +++ b/gnu/packages/maths.scm
>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>                  (string-append "Vmakeinfo_program = \""
>>>                                 (assoc-ref inputs "texinfo")
>>>                                 "/bin/makeinfo\"")))
>>> -             #t)))))
>>> +             #t))
>>> +         (add-after 'install 'wrap-program
>>> +           (lambda* (#:key outputs #:allow-other-keys)
>>> +             (let ((out (assoc-ref outputs "out")))
>>> +               (wrap-program (string-append out "/bin/octave")
>>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>> +               #t))))))
>>
>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>> (as with CURL_CA_BUNDLE for `curl`).  That way installing certificates
>> to the profile should be sufficient.
>
> Ah! Yes, this works when I add curl to the profile. I didn't do this the
> first time. I'll upload a patch here soon.

Here's the search path patch. With this, I needed both nss-certs and
cURL installed alongside Octave to get certificates working.

[0001-gnu-curl-Add-a-search-path-for-CURLOPT_CAPATH.patch (text/plain, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Mon, 17 Sep 2018 17:17:02 GMT) Full text and rfc822 format available.

Message #26 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Kei Kebreau <kkebreau <at> posteo.net>, ludo <at> gnu.org
Cc: 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Mon, 17 Sep 2018 19:16:02 +0200
Kei Kebreau <kkebreau <at> posteo.net> writes:

> Kei Kebreau <kkebreau <at> posteo.net> writes:
>
>> Marius Bakke <mbakke <at> fastmail.com> writes:
>>
>>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>>>
>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>> Octave with the path to system CA certificates.
>>>> ---
>>>>  gnu/packages/maths.scm | 8 +++++++-
>>>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>> index 3d571e8cc..b0caff0f5 100644
>>>> --- a/gnu/packages/maths.scm
>>>> +++ b/gnu/packages/maths.scm
>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>>                  (string-append "Vmakeinfo_program = \""
>>>>                                 (assoc-ref inputs "texinfo")
>>>>                                 "/bin/makeinfo\"")))
>>>> -             #t)))))
>>>> +             #t))
>>>> +         (add-after 'install 'wrap-program
>>>> +           (lambda* (#:key outputs #:allow-other-keys)
>>>> +             (let ((out (assoc-ref outputs "out")))
>>>> +               (wrap-program (string-append out "/bin/octave")
>>>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>> +               #t))))))
>>>
>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>> (as with CURL_CA_BUNDLE for `curl`).  That way installing certificates
>>> to the profile should be sufficient.
>>
>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>> first time. I'll upload a patch here soon.
>
> Here's the search path patch. With this, I needed both nss-certs and
> cURL installed alongside Octave to get certificates working.

[...]

> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 6d45dc0cc..8bdba8655 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -83,7 +83,10 @@
>             (variable "CURL_CA_BUNDLE")
>             (file-type 'regular)
>             (separator #f)                         ;single entry
> -           (files '("etc/ssl/certs/ca-certificates.crt")))))
> +           (files '("etc/ssl/certs/ca-certificates.crt")))
> +          (search-path-specification
> +           (variable "CURLOPT_CAPATH")
> +           (files '("etc/ssl/certs")))))
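
Review bot: The added `CURLOPT_CAPATH` entry sets neither `file-type` nor `separator`, while the `CURL_CA_BUNDLE` entry directly above spells both out, so the record defaults apply silently; writing `(file-type 'directory)` explicitly would make it clear that the spec matches a directory. The entry also has no comment on which consumer reads the variable, and because it sits in the curl package a reader will assume curl or libcurl honors it. Please add that comment, or move the spec to the package that actually reads the variable.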

Adding this native-search-path to the "octave" package should be
sufficient.  Then you won't need curl in the profile, nor do we need to
rebuild all the things that depend on curl.  Can you try that?

Thanks for fixing this issue :-)

Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Tue, 18 Sep 2018 20:58:02 GMT) Full text and rfc822 format available.

Message #29 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: ludo <at> gnu.org, 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Tue, 18 Sep 2018 16:57:25 -0400
Marius Bakke <mbakke <at> fastmail.com> writes:

> Kei Kebreau <kkebreau <at> posteo.net> writes:
>
>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>>
>>> Marius Bakke <mbakke <at> fastmail.com> writes:
>>>
>>>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>>>>
>>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>>> Octave with the path to system CA certificates.
>>>>> ---
>>>>>  gnu/packages/maths.scm | 8 +++++++-
>>>>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>>> index 3d571e8cc..b0caff0f5 100644
>>>>> --- a/gnu/packages/maths.scm
>>>>> +++ b/gnu/packages/maths.scm
>>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>>>                  (string-append "Vmakeinfo_program = \""
>>>>>                                 (assoc-ref inputs "texinfo")
>>>>>                                 "/bin/makeinfo\"")))
>>>>> -             #t)))))
>>>>> +             #t))
>>>>> +         (add-after 'install 'wrap-program
>>>>> +           (lambda* (#:key outputs #:allow-other-keys)
>>>>> +             (let ((out (assoc-ref outputs "out")))
>>>>> +               (wrap-program (string-append out "/bin/octave")
>>>>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>>> +               #t))))))
>>>>
>>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>>> (as with CURL_CA_BUNDLE for `curl`).  That way installing certificates
>>>> to the profile should be sufficient.
>>>
>>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>>> first time. I'll upload a patch here soon.
>>
>> Here's the search path patch. With this, I needed both nss-certs and
>> cURL installed alongside Octave to get certificates working.
>
> [...]
>
>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>> index 6d45dc0cc..8bdba8655 100644
>> --- a/gnu/packages/curl.scm
>> +++ b/gnu/packages/curl.scm
>> @@ -83,7 +83,10 @@
>>             (variable "CURL_CA_BUNDLE")
>>             (file-type 'regular)
>>             (separator #f)                         ;single entry
>> -           (files '("etc/ssl/certs/ca-certificates.crt")))))
>> +           (files '("etc/ssl/certs/ca-certificates.crt")))
>> +          (search-path-specification
>> +           (variable "CURLOPT_CAPATH")
>> +           (files '("etc/ssl/certs")))))
>
> Adding this native-search-path to the "octave" package should be
> sufficient.  Then you won't need curl in the profile, nor do we need to
> rebuild all the things that depend on curl.  Can you try that?

Adding the native-search-path to the "octave" package works!

>
> Thanks for fixing this issue :-)

[0001-gnu-octave-Add-a-search-path-for-CURLOPT_CAPATH.patch (text/plain, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Wed, 19 Sep 2018 17:28:01 GMT) Full text and rfc822 format available.

Message #32 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Kei Kebreau <kkebreau <at> posteo.net>
Cc: ludo <at> gnu.org, 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Wed, 19 Sep 2018 19:27:28 +0200
Kei Kebreau <kkebreau <at> posteo.net> writes:

> Marius Bakke <mbakke <at> fastmail.com> writes:
>
>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>>
>>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>>>
>>>> Marius Bakke <mbakke <at> fastmail.com> writes:
>>>>
>>>>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>>>>>
>>>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>>>> Octave with the path to system CA certificates.
>>>>>> ---
>>>>>>  gnu/packages/maths.scm | 8 +++++++-
>>>>>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>>>> index 3d571e8cc..b0caff0f5 100644
>>>>>> --- a/gnu/packages/maths.scm
>>>>>> +++ b/gnu/packages/maths.scm
>>>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>>>>                  (string-append "Vmakeinfo_program = \""
>>>>>>                                 (assoc-ref inputs "texinfo")
>>>>>>                                 "/bin/makeinfo\"")))
>>>>>> -             #t)))))
>>>>>> +             #t))
>>>>>> +         (add-after 'install 'wrap-program
>>>>>> +           (lambda* (#:key outputs #:allow-other-keys)
>>>>>> +             (let ((out (assoc-ref outputs "out")))
>>>>>> +               (wrap-program (string-append out "/bin/octave")
>>>>>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>>>> +               #t))))))
>>>>>
>>>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>>>> (as with CURL_CA_BUNDLE for `curl`).  That way installing certificates
>>>>> to the profile should be sufficient.
>>>>
>>>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>>>> first time. I'll upload a patch here soon.
>>>
>>> Here's the search path patch. With this, I needed both nss-certs and
>>> cURL installed alongside Octave to get certificates working.
>>
>> [...]
>>
>>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>>> index 6d45dc0cc..8bdba8655 100644
>>> --- a/gnu/packages/curl.scm
>>> +++ b/gnu/packages/curl.scm
>>> @@ -83,7 +83,10 @@
>>>             (variable "CURL_CA_BUNDLE")
>>>             (file-type 'regular)
>>>             (separator #f)                         ;single entry
>>> -           (files '("etc/ssl/certs/ca-certificates.crt")))))
>>> +           (files '("etc/ssl/certs/ca-certificates.crt")))
>>> +          (search-path-specification
>>> +           (variable "CURLOPT_CAPATH")
>>> +           (files '("etc/ssl/certs")))))
>>
>> Adding this native-search-path to the "octave" package should be
>> sufficient.  Then you won't need curl in the profile, nor do we need to
>> rebuild all the things that depend on curl.  Can you try that?
>
> Adding the native-search-path to the "octave" package works!

Excellent!  :-)

[...]

> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
> index d3e72128c..7389f972b 100644
> --- a/gnu/packages/maths.scm
> +++ b/gnu/packages/maths.scm
> @@ -1397,6 +1397,10 @@ can solve two kinds of problems:
>         ("less" ,less)
>         ("ghostscript" ,ghostscript)
>         ("gnuplot" ,gnuplot)))
> +    (native-search-paths
> +     (list (search-path-specification
> +            (variable "CURLOPT_CAPATH")
> +            (files '("etc/ssl/certs")))))
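
Review bot: The new `native-search-paths` field on octave carries no comment explaining why a variable named after a libcurl option is declared on this package; a one-line comment stating that Octave itself reads `CURLOPT_CAPATH` from the environment would save the next reader the lookup. Since `(files '("etc/ssl/certs"))` only matches when the profile contains that directory, the variable stays unset unless a certificate package is installed alongside octave, which is worth stating in the comment or the manual.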

LGTM.

Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Wed, 19 Sep 2018 19:53:01 GMT) Full text and rfc822 format available.

Message #35 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: Kei Kebreau <kkebreau <at> posteo.net>, 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Wed, 19 Sep 2018 21:52:32 +0200
Hello,

Marius Bakke <mbakke <at> fastmail.com> skribis:

> Kei Kebreau <kkebreau <at> posteo.net> writes:

[...]

>> Here's the search path patch. With this, I needed both nss-certs and
>> cURL installed alongside Octave to get certificates working.

This is expected (see <https://issues.guix.info/issue/22138>), which is
why I wrote it wouldn’t quite solve the issue; still, it’s a step in the
right direction.  :-)

>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>> index 6d45dc0cc..8bdba8655 100644
>> --- a/gnu/packages/curl.scm
>> +++ b/gnu/packages/curl.scm
>> @@ -83,7 +83,10 @@
>>             (variable "CURL_CA_BUNDLE")
>>             (file-type 'regular)
>>             (separator #f)                         ;single entry
>> -           (files '("etc/ssl/certs/ca-certificates.crt")))))
>> +           (files '("etc/ssl/certs/ca-certificates.crt")))
>> +          (search-path-specification
>> +           (variable "CURLOPT_CAPATH")
>> +           (files '("etc/ssl/certs")))))
>
> Adding this native-search-path to the "octave" package should be
> sufficient.

I think we should avoid doing this though, because conceptually
CURLOPT_CAPATH “belongs” to cURL, not to Octave.

> Then you won't need curl in the profile, nor do we need to rebuild all
> the things that depend on curl.  Can you try that?

The patch above can go to the next ‘core-updates’ IMO.

Kei, what about the two other options we discussed?  Namely:

>   2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
>      /etc/profile, like we already do for other variables.
> 
>   3. We could document this variable under “X.509 Certificates” in the
>      manual.

Thank you!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Wed, 19 Sep 2018 20:10:02 GMT) Full text and rfc822 format available.

Message #38 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Kei Kebreau <kkebreau <at> posteo.net>, 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Wed, 19 Sep 2018 22:09:30 +0200
ludo <at> gnu.org (Ludovic Courtès) writes:

> Hello,
>
> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> Kei Kebreau <kkebreau <at> posteo.net> writes:
>
> [...]
>
>>> Here's the search path patch. With this, I needed both nss-certs and
>>> cURL installed alongside Octave to get certificates working.
>
> This is expected (see <https://issues.guix.info/issue/22138>), which is
> why I wrote it wouldn’t quite solve the issue; still, it’s a step in the
> right direction.  :-)
>
>>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>>> index 6d45dc0cc..8bdba8655 100644
>>> --- a/gnu/packages/curl.scm
>>> +++ b/gnu/packages/curl.scm
>>> @@ -83,7 +83,10 @@
>>>             (variable "CURL_CA_BUNDLE")
>>>             (file-type 'regular)
>>>             (separator #f)                         ;single entry
>>> -           (files '("etc/ssl/certs/ca-certificates.crt")))))
>>> +           (files '("etc/ssl/certs/ca-certificates.crt")))
>>> +          (search-path-specification
>>> +           (variable "CURLOPT_CAPATH")
>>> +           (files '("etc/ssl/certs")))))
>>
>> Adding this native-search-path to the "octave" package should be
>> sufficient.
>
> I think we should avoid doing this though, because conceptually
> CURLOPT_CAPATH “belongs” to cURL, not to Octave.

Conceptually maybe, but to my knowledge libcurl itself does not support
run-time search paths (due to thread safety concerns IIRC).

This search path does seem to be Octave specific.  From the ChangeLog:

--8<---------------cut here---------------start------------->8---
2018-04-18  John W. Eaton  <jwe <at> octave.org>

        allow users to set path to CA certificates for cURL

        * url-transfer.cc (curl_transfer::curl_transfer): Check for
        CURLOPT_CAINFO and CURLOPT_CAPATH environment variables.  If set, use
        them to set the corresponding options for the cURL library.

        Files: liboctave/util/url-transfer.cc
--8<---------------cut here---------------end--------------->8---

Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Wed, 19 Sep 2018 20:19:01 GMT) Full text and rfc822 format available.

Message #41 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: Kei Kebreau <kkebreau <at> posteo.net>, 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Wed, 19 Sep 2018 22:18:33 +0200
Marius Bakke <mbakke <at> fastmail.com> skribis:

> ludo <at> gnu.org (Ludovic Courtès) writes:

[...]

>>> Adding this native-search-path to the "octave" package should be
>>> sufficient.
>>
>> I think we should avoid doing this though, because conceptually
>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>
> Conceptually maybe, but to my knowledge libcurl itself does not support
> run-time search paths (due to thread safety concerns IIRC).
>
> This search path does seem to be Octave specific.  From the ChangeLog:
>
> 2018-04-18  John W. Eaton  <jwe <at> octave.org>
>
>         allow users to set path to CA certificates for cURL
>
>         * url-transfer.cc (curl_transfer::curl_transfer): Check for
>         CURLOPT_CAINFO and CURLOPT_CAPATH environment variables.  If set, use
>         them to set the corresponding options for the cURL library.
>
>         Files: liboctave/util/url-transfer.cc

Oh, I stand corrected!  Then the patch LGTM, maybe with a comment saying
that those variables are actually Octave-specific.  :-)

Thank you!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Thu, 20 Sep 2018 18:04:02 GMT) Full text and rfc822 format available.

Message #44 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: Marius Bakke <mbakke <at> fastmail.com>, 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Thu, 20 Sep 2018 14:03:20 -0400
ludo <at> gnu.org (Ludovic Courtès) writes:

> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> ludo <at> gnu.org (Ludovic Courtès) writes:
>
> [...]
>
>>>> Adding this native-search-path to the "octave" package should be
>>>> sufficient.
>>>
>>> I think we should avoid doing this though, because conceptually
>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>
>> Conceptually maybe, but to my knowledge libcurl itself does not support
>> run-time search paths (due to thread safety concerns IIRC).
>>
>> This search path does seem to be Octave specific.  From the ChangeLog:
>>
>> 2018-04-18  John W. Eaton  <jwe <at> octave.org>
>>
>>         allow users to set path to CA certificates for cURL
>>
>>         * url-transfer.cc (curl_transfer::curl_transfer): Check for
>>         CURLOPT_CAINFO and CURLOPT_CAPATH environment variables.  If set, use
>>         them to set the corresponding options for the cURL library.
>>
>>         Files: liboctave/util/url-transfer.cc
>
> Oh, I stand corrected!  Then the patch LGTM, maybe with a comment saying
> that those variables are actually Octave-specific.  :-)
>
> Thank you!
>
> Ludo’.

Is it really Octave-specific? It's defined in the libcurl API [0], so
other software could make use of the variable.

[0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html




Information forwarded to guix-patches <at> gnu.org:
bug#32530; Package guix-patches. (Mon, 24 Sep 2018 09:03:02 GMT) Full text and rfc822 format available.

Message #47 received at 32530 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Kei Kebreau <kkebreau <at> posteo.net>
Cc: Marius Bakke <mbakke <at> fastmail.com>, 32530 <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Mon, 24 Sep 2018 11:02:35 +0200
Hello Kei,

Kei Kebreau <kkebreau <at> posteo.net> skribis:

> ludo <at> gnu.org (Ludovic Courtès) writes:
>
>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>
>>> ludo <at> gnu.org (Ludovic Courtès) writes:
>>
>> [...]
>>
>>>>> Adding this native-search-path to the "octave" package should be
>>>>> sufficient.
>>>>
>>>> I think we should avoid doing this though, because conceptually
>>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>>
>>> Conceptually maybe, but to my knowledge libcurl itself does not support
>>> run-time search paths (due to thread safety concerns IIRC).
>>>
>>> This search path does seem to be Octave specific.  From the ChangeLog:
>>>
>>> 2018-04-18  John W. Eaton  <jwe <at> octave.org>
>>>
>>>         allow users to set path to CA certificates for cURL
>>>
>>>         * url-transfer.cc (curl_transfer::curl_transfer): Check for
>>>         CURLOPT_CAINFO and CURLOPT_CAPATH environment variables.  If set, use
>>>         them to set the corresponding options for the cURL library.
>>>
>>>         Files: liboctave/util/url-transfer.cc
>>
>> Oh, I stand corrected!  Then the patch LGTM, maybe with a comment saying
>> that those variables are actually Octave-specific.  :-)
>>
>> Thank you!
>>
>> Ludo’.
>
> Is it really Octave-specific? It's defined in the libcurl API [0], so
> other software could make use of the variable.
>
> [0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html

I think you’re both right.  :-)

The ‘url-transfer.cc’ file in Octave mentioned above does this:

      std::string cainfo = sys::env::getenv ("CURLOPT_CAINFO");
      if (! cainfo.empty ())
        SETOPT (CURLOPT_CAINFO, cainfo.c_str ());

      std::string capath = sys::env::getenv ("CURLOPT_CAPATH");
      if (! capath.empty ())
        SETOPT (CURLOPT_CAPATH, capath.c_str ());

Based on that, I think it’s perfectly fine to add these two variables in
the ‘native-search-paths’ of Octave itself, probably with a comment
explaining that Octave really honors these variables by itself.

Feel free to push such a change!

Thank you,
Ludo’.
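The change suggested in the message above, sketched as an added example (it is not the commit that was pushed and not code from the thread). The names %octave-ca-search-paths and octave-with-ca-paths are hypothetical, and the etc/ssl/certs locations assume a profile that also contains a CA certificate package such as nss-certs.

```scheme
;; Added example: Guix package fragment, not the project's own code.
(use-modules (guix packages)
             (guix search-paths)
             (gnu packages maths))

(define %octave-ca-search-paths
  ;; Octave really honors these variables by itself: url-transfer.cc reads
  ;; them with getenv and passes the values to libcurl through SETOPT.
  ;; libcurl does not consult them on its own, so they are declared on
  ;; Octave rather than on the curl package.
  (list (search-path-specification
         (variable "CURLOPT_CAPATH")     ;directory of CA certificates
         (files '("etc/ssl/certs")))
        (search-path-specification
         (variable "CURLOPT_CAINFO")     ;single CA bundle file
         (file-type 'regular)
         (separator #f)                  ;one file, not a colon-separated list
         (files '("etc/ssl/certs/ca-certificates.crt")))))

;; Hypothetical variant of the package carrying the search paths.
(define octave-with-ca-paths
  (package
    (inherit octave)
    (native-search-paths %octave-ca-search-paths)))
```

If the profile holds no CA certificates, neither variable is set and Octave leaves the corresponding libcurl options untouched, as the empty-string checks in the quoted code show.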




Reply sent to Kei Kebreau <kkebreau <at> posteo.net>:
You have taken responsibility. (Tue, 25 Sep 2018 01:44:02 GMT) Full text and rfc822 format available.

Notification sent to Kei Kebreau <kkebreau <at> posteo.net>:
bug acknowledged by developer. (Tue, 25 Sep 2018 01:44:02 GMT) Full text and rfc822 format available.

Message #52 received at 32530-done <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: Marius Bakke <mbakke <at> fastmail.com>, 32530-done <at> debbugs.gnu.org
Subject: Re: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Mon, 24 Sep 2018 21:43:16 -0400
ludo <at> gnu.org (Ludovic Courtès) writes:

> Hello Kei,
>
> Kei Kebreau <kkebreau <at> posteo.net> skribis:
>
>> ludo <at> gnu.org (Ludovic Courtès) writes:
>>
>>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>>
>>>> ludo <at> gnu.org (Ludovic Courtès) writes:
>>>
>>> [...]
>>>
>>>>>> Adding this native-search-path to the "octave" package should be
>>>>>> sufficient.
>>>>>
>>>>> I think we should avoid doing this though, because conceptually
>>>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>>>
>>>> Conceptually maybe, but to my knowledge libcurl itself does not support
>>>> run-time search paths (due to thread safety concerns IIRC).
>>>>
>>>> This search path does seem to be Octave specific.  From the ChangeLog:
>>>>
>>>> 2018-04-18  John W. Eaton  <jwe <at> octave.org>
>>>>
>>>>         allow users to set path to CA certificates for cURL
>>>>
>>>>         * url-transfer.cc (curl_transfer::curl_transfer): Check for
>>>>         CURLOPT_CAINFO and CURLOPT_CAPATH environment variables.  If set, use
>>>>         them to set the corresponding options for the cURL library.
>>>>
>>>>         Files: liboctave/util/url-transfer.cc
>>>
>>> Oh, I stand corrected!  Then the patch LGTM, maybe with a comment saying
>>> that those variables are actually Octave-specific.  :-)
>>>
>>> Thank you!
>>>
>>> Ludo’.
>>
>> Is it really Octave-specific? It's defined in the libcurl API [0], so
>> other software could make use of the variable.
>>
>> [0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html
>
> I think you’re both right.  :-)
>
> The ‘url-transfer.cc’ file in Octave mentioned above does this:
>
>       std::string cainfo = sys::env::getenv ("CURLOPT_CAINFO");
>       if (! cainfo.empty ())
>         SETOPT (CURLOPT_CAINFO, cainfo.c_str ());
>
>       std::string capath = sys::env::getenv ("CURLOPT_CAPATH");
>       if (! capath.empty ())
>         SETOPT (CURLOPT_CAPATH, capath.c_str ());
>
> Based on that, I think it’s perfectly fine to add these two variables in
> the ‘native-search-paths’ of Octave itself, probably with a comment
> explaining that Octave really honors these variables by itself.
>
> Feel free to push such a change!
>
> Thank you,
> Ludo’.

Finally pushed to master! Thanks to both of you for reviewing this.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 23 Oct 2018 11:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 5 years and 180 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.