GNU bug report logs - #48985
[PATCH] gnu: libressl: Remove search paths.


Package: guix-patches;

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Sat, 12 Jun 2021 21:25:03 UTC

Severity: normal

Tags: patch

Done: Brice Waegeneire <brice <at> waegenei.re>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#48985; Package guix-patches. (Sat, 12 Jun 2021 21:25:03 GMT)

Acknowledgement sent to Brice Waegeneire <brice <at> waegenei.re>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 12 Jun 2021 21:25:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Brice Waegeneire <brice <at> waegenei.re>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libressl: Remove search paths.
Date: Sat, 12 Jun 2021 23:24:30 +0200
Unlike OpenSSL, LibreSSL hardcodes its certificate bundle and doesn't
allow specifying it through an environment variable.

* gnu/packages/tls.scm (libressl)[configure-flags]: Specify OpenSSL
configuration directory.
[native-search-paths]: Remove it.
* gnu/packages/ntp.scm (openntpd)[configure-flags]: Adjust CAcert
location.
---
 gnu/packages/ntp.scm | 13 ++++++++-----
 gnu/packages/tls.scm | 29 ++++++++++++++---------------
 2 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm
index b86def1929..edfcdf4dec 100644
--- a/gnu/packages/ntp.scm
+++ b/gnu/packages/ntp.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2018–2021 Tobias Geerinckx-Rice <me <at> tobias.gr>
 ;;; Copyright © 2019 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
 ;;; Copyright © 2021 Marius Bakke <marius <at> gnu.org>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -187,11 +188,13 @@ computers over a network.")
                 "0ijsylc7a4jlpxsqa0jq1w1c7333id8pcakzl7a5749ria1xp0l5"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags `( "--with-privsep-user=ntpd"
-                            "--localstatedir=/var"
-                            ,(string-append "--with-cacert="
-                                            (assoc-ref %build-inputs "libressl")
-                                            "/etc/ssl/cert.pem"))
+     `(#:configure-flags (list "--with-privsep-user=ntpd"
+                               "--localstatedir=/var"
+                               (string-append "--with-cacert="
+                                              (assoc-ref %build-inputs "libressl")
+                                              "/share/libressl-"
+                                              ,(package-version libressl)
+                                              "/cert.pem"))
        #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'modify-install-locations
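Review bot: the `--with-cacert=` value in this hunk couples two things that can drift apart: the store path comes from `(assoc-ref %build-inputs "libressl")`, i.e. whatever input is actually named "libressl" at build time, while the directory component is built from `,(package-version libressl)`, the version of the global `libressl` variable spliced in at package-definition time. If the input is ever substituted (a rewritten or inherited variant with a different version), the resulting `share/libressl-VERSION/cert.pem` does not exist in that input and openntpd is configured with a CA file path that is not there. Take the version from the libressl input of `this-package` instead (as the reviewer suggests later in this thread), or locate `cert.pem` under the input's `share/` at build time so no version string is embedded. The switch from `'(...)` to `` `(...) `` with `(list ...)` is otherwise fine: `string-append` still runs in the build environment and only the version is spliced in early.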
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 6a47b4a26e..28fe820aa3 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -16,6 +16,7 @@
 ;;; Copyright © 2019 Mathieu Othacehe <m.othacehe <at> gmail.com>
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org>
 ;;; Copyright © 2021 Solene Rapenne <solene <at> perso.pw>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -612,21 +613,19 @@ required structures.")
                 "0rihprcgxsydsbcqgd1952k2cfn4jmp7rlyp1c6sglfc6rdmcwd4"))))
     (build-system gnu-build-system)
     (arguments
-     ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
-     ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
-     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
-     '(#:configure-flags '("ac_cv_func_getentropy=no"
-                           ;; Provide a TLS-enabled netcat.
-                           "--enable-nc")))
-    (native-search-paths
-     (list (search-path-specification
-            (variable "SSL_CERT_DIR")
-            (separator #f)              ;single entry
-            (files '("etc/ssl/certs")))
-           (search-path-specification
-            (variable "SSL_CERT_FILE")
-            (separator #f)              ;single entry
-            (files '("etc/ssl/certs/ca-certificates.crt")))))
+     `(#:configure-flags
+       (list
+        ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
+        ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
+        ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
+        "ac_cv_func_getentropy=no"
+        ;; FIXME It's using it's own bundled certificate, instead it should
+        ;; behave like OpenSSL by using environment variables.
+        (string-append "--with-openssldir=" %output
+                       "/share/libressl-"
+                       ,(package-version this-package))
+        ;; Provide a TLS-enabled netcat.
+        "--enable-nc")))
     (home-page "https://www.libressl.org/")
     (synopsis "SSL/TLS implementation")
     (description "LibreSSL is a version of the TLS/crypto stack, forked from
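Review bot: removing `native-search-paths` is a behaviour change for every dependent, not just for libressl itself, and the commit message should say so. Until now a profile containing libressl exported `SSL_CERT_DIR` and `SSL_CERT_FILE` pointing at `etc/ssl/certs`; after this hunk nothing sets them, and as the FIXME notes LibreSSL ignores them anyway, so programs built against this package trust only the bundled `cert.pem` under `share/libressl-VERSION/`, whose contents change only when libressl is rebuilt. Maintainers of dependents that relied on those variables to reach a system bundle need to know that trust now comes from a version-pinned file inside the libressl output. Two smaller points: the FIXME comment writes `it's` where `its` is meant ("It's using it's own bundled certificate"), and `--with-openssldir=` mixes `%output`, a build-side variable, with `,(package-version this-package)`, spliced in at definition time; that is correct, but a one-line comment saying the two halves evaluate at different stages would save the next reader from the same double-take.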
-- 
2.31.1





Information forwarded to guix-patches <at> gnu.org:
bug#48985; Package guix-patches. (Wed, 16 Jun 2021 20:58:02 GMT)

Message #8 received at 48985 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Brice Waegeneire <brice <at> waegenei.re>
Cc: 48985 <at> debbugs.gnu.org
Subject: Re: bug#48985: [PATCH] gnu: libressl: Remove search paths.
Date: Wed, 16 Jun 2021 22:57:46 +0200
Brice Waegeneire <brice <at> waegenei.re> skribis:

> Unlike OpenSSL, LibreSSL hardcode it's certificate bundle and doesn't
> allow to specify it through a environment variable.
>
> * gnu/packages/tls.scm (libressl)[configure-flags]: Specify OpenSSL
> configuration directory.
> [native-search-paths]: Remove it.
> * gnu/packages/ntp.scm (openntpd)[configure-flags]: Adjust CAcert
> location.

[...]

> -                            ,(string-append "--with-cacert="
> -                                            (assoc-ref %build-inputs "libressl")
> -                                            "/etc/ssl/cert.pem"))
> +     `(#:configure-flags (list "--with-privsep-user=ntpd"
> +                               "--localstatedir=/var"
> +                               (string-append "--with-cacert="
> +                                              (assoc-ref %build-inputs "libressl")
> +                                              "/share/libressl-"
> +                                              ,(package-version libressl)
> +                                              "/cert.pem"))

So the etc/ssl/cert.pem file name was wrong for a while?

Note: instead of (package-version libressl), we should look at the
libressl input of ‘this-package’, though it’s probably not a big deal
here.

Otherwise LGTM, thanks!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#48985; Package guix-patches. (Thu, 17 Jun 2021 06:50:02 GMT)

Message #11 received at 48985 <at> debbugs.gnu.org:

From: Brice Waegeneire <brice <at> waegenei.re>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 48985 <at> debbugs.gnu.org
Subject: Re: bug#48985: [PATCH] gnu: libressl: Remove search paths.
Date: Thu, 17 Jun 2021 08:49:32 +0200
Ludovic Courtès <ludo <at> gnu.org> writes:

> Brice Waegeneire <brice <at> waegenei.re> skribis:
>> -                            ,(string-append "--with-cacert="
>> -                                            (assoc-ref %build-inputs "libressl")
>> -                                            "/etc/ssl/cert.pem"))
>> +     `(#:configure-flags (list "--with-privsep-user=ntpd"
>> +                               "--localstatedir=/var"
>> +                               (string-append "--with-cacert="
>> +                                              (assoc-ref %build-inputs "libressl")
>> +                                              "/share/libressl-"
>> +                                              ,(package-version libressl)
>> +                                              "/cert.pem"))
>
> So the etc/ssl/cert.pem file name was wrong for a while?

No, the file existed and was used properly.  I forgot to mention
explicitly that libressl used to put its SSL configuration in etc/ssl;
I moved it to share/libressl-$version/ as openssl does.

> Note: instead of (package-version libressl), we should look at the
> libressl input of ‘this-package’, though it’s probably not big deal
> here.

I tried to correct it, but missed.  But I have fixed it in the second commit.
:/

> Otherwise LGTM, thanks!

Pushed as 76a9bad380111493b5a1422485f941de799c6c90 and
d65bd74411ab4820318311062b0f327b139a5784.

Cheers,
- Brice




bug closed, send any further explanations to 48985 <at> debbugs.gnu.org and Brice Waegeneire <brice <at> waegenei.re> Request was from Brice Waegeneire <brice <at> waegenei.re> to control <at> debbugs.gnu.org. (Thu, 17 Jun 2021 06:51:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 15 Jul 2021 11:24:06 GMT)