GNU bug report logs - #36817
Guix Download Fails When SSL_CERT_DIR is a Colon-Separated Path

Previous Next

Package: guix;

Reported by: Katherine Cox-Buday <cox.katherine.e <at> gmail.com>

Date: Fri, 26 Jul 2019 16:49:02 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 36817 in the body.
You can then email your comments to 36817 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#36817; Package guix. (Fri, 26 Jul 2019 16:49:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Katherine Cox-Buday <cox.katherine.e <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 26 Jul 2019 16:49:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Katherine Cox-Buday <cox.katherine.e <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: Guix Download Fails When SSL_CERT_DIR is a Colon-Separated Path
Date: Fri, 26 Jul 2019 11:48:36 -0500

I was receiving X.509 certificate errors when attempting to run `guix
download`. After investigating, I found that it was because my
`SSL_CERT_DIR` environmental variable had two paths separated by a
colon. The two paths were actually the same. After removing the second
path, `guix download` began working again.

Wondering how the duplicate paths came to be, I discovered that
`${GUIX_PROFILE}/etc/profile` had two exports defined for
`SSL_CERT_DIR`. I discovered this was because I had both openssl and
libressl installed (if memory serves, I needed openssl for some
development task that relied on an idiosyncrasy of openssl). Removing
openssl removed the duplicate entry.

I think there may be two bugs:

1. `guix download` needs to respect colon-separated paths.
2. The profile mechanics in Guix should probably have some way to check
   if they're redefining the same thing before placing things in `etc/profile`.

Thank you to everyone for all of your hard work, and for Guix.

-- 
Katherine
Reply sent to Marius Bakke <mbakke <at> fastmail.com>:
You have taken responsibility. (Sun, 10 Nov 2019 01:13:01 GMT) Full text and rfc822 format available.
Notification sent to Katherine Cox-Buday <cox.katherine.e <at> gmail.com>:
bug acknowledged by developer. (Sun, 10 Nov 2019 01:13:01 GMT) Full text and rfc822 format available.

Message #10 received at 36817-done <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Katherine Cox-Buday <cox.katherine.e <at> gmail.com>, 36817-done <at> debbugs.gnu.org
Subject: Re: bug#36817: Guix Download Fails When SSL_CERT_DIR is a
 Colon-Separated Path
Date: Sun, 10 Nov 2019 02:11:53 +0100

[Message part 1 (text/plain, inline)]
Katherine,

(...sorry for the sloooooow response...)

Katherine Cox-Buday <cox.katherine.e <at> gmail.com> writes:

> I was receiving X.509 certificate errors when attempting to run `guix
> download`. After investigating, I found that it was because my
> `SSL_CERT_DIR` environmental variable had two paths separated by a
> colon. The two paths were actually the same. After removing the second
> path, `guix download` began working again.
>
> Wondering how the duplicate paths came to be, I discovered that
> `${GUIX_PROFILE}/etc/profile` had two exports defined for
> `SSL_CERT_DIR`. I discovered this was because I had both openssl and
> libressl installed (if memory serves, I needed openssl for some
> development task that relied on an idiosyncrasy of openssl). Removing
> openssl removed the duplicate entry.

The duplicate exports was because the search path specifications of
OpenSSL and LibreSSL have slightly different "signatures": the former
has a "singly entry" search path, whereas LibreSSLs native-search-paths
have a TODO comment suggesting that they too should be single-entry.

I've fixed it by resolving the TODO: now including both packages in the
same profile will point SSL_CERT_DIR to the profile union.

> I think there may be two bugs:
>
> 1. `guix download` needs to respect colon-separated paths.

Adding support for multiple SSL_CERT_DIR paths could be useful, but I
think the real problem was that LibreSSL and OpenSSL caused inconsistent
entries.  Thus, I'm closing this issue, but feel free to reopen if you
disagree.  :-)

> 2. The profile mechanics in Guix should probably have some way to check
>    if they're redefining the same thing before placing things in `etc/profile`.

Let's open a separate bug report for this if it turns out to be a
recurring problem.

> Thank you to everyone for all of your hard work, and for Guix.

Thank you for the report, and the kind words!  :-)

Fixed in 04cfe91efd41a89d7d01d2cd7b736213059dde5a.

[signature.asc (application/pgp-signature, inline)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 08 Dec 2019 12:24:04 GMT) Full text and rfc822 format available.
This bug report was last modified 4 years and 139 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.