GNU bug report logs - #52690
Remove direct dependencies on the nss-certs certificate store

Previous Next

To reply to this bug, email your comments to 52690 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: Remove direct dependencies on the nss-certs certificate store
Date: Mon, 20 Dec 2021 19:36:31 -0500

[Message part 1 (text/plain, inline)]

Three packages depend directly on nss-certs: ldns, pypy3, and icedtea6.

This is a problem because certificates expire. When that happens, the
features of these programs that use X.509 certificates will stop
working. Instead, packages should look up certificates at run-time in
unversioned and well-known locations such as /etc/ssl/certs or via
environment variables like $SSL_CERT_DIR.

I'll send a patch removing the dependency from ldns.

pypy3 does not build anyways because its runpath cannot be successfully
validated, but I will investigate anyways after disabling the runpath
validator.

Icedtea6 is a very complex package. I assume it depends on the
certificates directly for a good reason, but I would still appreciate
some feedback on it.

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 52690 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 52690 <at> debbugs.gnu.org
Subject: [PATCH] gnu: ldns: Do not depend directly on nss-certs.
Date: Mon, 20 Dec 2021 19:37:41 -0500

If ldns depends on a particular version of nss-certs, the features that use the
certificates will eventually stop working as the certificates expire. Instead,
the certificates should be found at run-time.

* gnu/packages/dns.scm (ldns)[inputs]: Remove nss-certs.
[arguments]: Adjust the value of "--with-ca-path" in #:configure-flags.
---
 gnu/packages/dns.scm | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 5c5f95537b..269d312487 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -40,7 +40,6 @@ (define-module (gnu packages dns)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
-  #:use-module (gnu packages certs)
   #:use-module (gnu packages check)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages databases)
@@ -178,9 +177,7 @@ (define-public ldns
         ;; "--with-p5-dns-ldns"
         (string-append "--with-ssl="
                        (assoc-ref %build-inputs "openssl"))
-        (string-append "--with-ca-path="
-                       (assoc-ref %build-inputs "nss-certs")
-                       "/etc/ssl/certs"))
+        (string-append "--with-ca-path=/etc/ssl/certs"))
        #:make-flags
        (list
         (string-append "drillbindir="
@@ -210,7 +207,7 @@ (define-public ldns
        ("python" ,python-wrapper)
        ("swig" ,swig)))
     (inputs
-     (list libpcap nss-certs openssl))
+     (list libpcap openssl))
     (synopsis "DNS library that facilitates DNS tool programming")
     (description "LDNS aims to simplify DNS programming, it supports recent
 RFCs like the DNSSEC documents, and allows developers to easily create
-- 
2.34.0

Message #11 received at 52690 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 52690 <at> debbugs.gnu.org
Subject: [PATCH] gnu: pypy3: Prohibit references to nss-certs.
Date: Mon, 20 Dec 2021 21:48:19 -0500

Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.

* gnu/packages/python.scm (pypy3)[arguments]: Add nss-certs
to #:disallowed-references.
---
 gnu/packages/python.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index f0d2fd6eb8..23f188c6f9 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -780,6 +780,7 @@ (define-public pypy3
      `(#:tests? #f                     ;FIXME: 43 out of 364 tests are failing
        #:modules ((ice-9 ftw) (ice-9 match)
                   (guix build utils) (guix build gnu-build-system))
+       #:disallowed-references (,nss-certs)
        #:phases (modify-phases %standard-phases
                   (delete 'configure)
                   (add-after 'unpack 'patch-source
-- 
2.34.0

Message #14 received at 52690 <at> debbugs.gnu.org (full text, mbox):

From: Mathieu Othacehe <othacehe <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 52690 <at> debbugs.gnu.org
Subject: Re: bug#52690: Remove direct dependencies on the nss-certs
 certificate store
Date: Sun, 26 Dec 2021 18:37:52 +0100

Hello Leo,

> I'll send a patch removing the dependency from ldns.
>
> pypy3 does not build anyways because its runpath cannot be successfully
> validated, but I will investigate anyways after disabling the runpath
> validator.

The ldns and pypy3 patches make sense to me.

Thanks,

Mathieu

Message #17 received at 52690 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 52690 <at> debbugs.gnu.org
Subject: [PATCH] gnu: IcedTea: Prohibit references to nss-certs.
Date: Sun, 26 Dec 2021 16:32:33 -0500

I checked, and neither of these packages keep references to nss-certs.
So, although this change will cause rebuilds, it shouldn't cause any
functional changes.

However, my understanding is that the IcedTea packages actually copy the
NSS certificate store, so there wouldn't be a reference anyways, but we
would have the problem of "software that expires".

Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.

* gnu/packages/java.scm (icedtea-7, icedtea-8)[arguments]: Add nss-certs
to #:disallowed-references.
---
 gnu/packages/java.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 0a757b2391..91a16bb53d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -812,6 +812,8 @@ (define-public icedtea-7
          ;; gremlin) doesn't support it yet, so skip this phase.
          #:validate-runpath? #f
 
+         #:disallowed-references (,nss-certs)
+
          #:modules ((guix build utils)
                     (guix build gnu-build-system)
                     (ice-9 match)
@@ -1376,7 +1378,8 @@ (define-public icedtea-8
           (guix build syscalls)
           ,@%gnu-build-system-modules)
 
-         #:disallowed-references ,(list (gexp-input icedtea-7 "jdk"))
+         #:disallowed-references ,(list (gexp-input icedtea-7 "jdk")
+                                         nss-certs)
 
          ,@(substitute-keyword-arguments (package-arguments icedtea-7)
              ((#:modules modules)
-- 
2.34.0

Message #20 received at 52690 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Mathieu Othacehe <othacehe <at> gnu.org>
Cc: 52690 <at> debbugs.gnu.org
Subject: Re: bug#52690: Remove direct dependencies on the nss-certs
 certificate store
Date: Sun, 26 Dec 2021 15:55:19 -0500

On Sun, Dec 26, 2021 at 06:37:52PM +0100, Mathieu Othacehe wrote:
> 
> Hello Leo,
> 
> > I'll send a patch removing the dependency from ldns.
> >
> > pypy3 does not build anyways because its runpath cannot be successfully
> > validated, but I will investigate anyways after disabling the runpath
> > validator.
> 
> The ldns and pypy3 patches make sense to me.

Thanks, pushed.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.