unofficial mirror of bug-guix@gnu.org 
* bug#33272: guix refresh/download backtrace error when missing nss-certs
From: swedebugia @ 2018-11-05 11:16 UTC (permalink / raw)
  To: 33272

In a qemu VM based on the image for 0.15 and pulled once I get:

sdb@komputilo ~$ git clone https://git.savannah.gnu.org/git/guix.git test
Cloning into 'test'...
fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': 
Problem with the SSL CA cert (path? access rights?)

fails nicely in contrast to:

sdb@komputilo ~$ guix refresh artanis
Backtrace:
           13 (primitive-load "/home/sdb/.config/guix/current/bin/guix")
In guix/ui.scm:
   1578:12 12 (run-guix-command _ . _)
In ice-9/boot-9.scm:
     829:9 11 (catch srfi-34 #<procedure 28dd540 at guix/ui.scm:610:…> …)
     829:9 10 (catch system-error #<procedure 262fe10 at guix/script…> …)
In guix/scripts/refresh.scm:
    449:12  9 (_)
In srfi/srfi-1.scm:
     640:9  8 (for-each #<procedure 28e3f20 at guix/scripts/refresh.…> …)
In guix/scripts/refresh.scm:
     236:2  7 (check-for-package-update #<package artanis@0.2.1-3 gn…> …)
In guix/gnu-maintenance.scm:
    472:21  6 (latest-gnu-release _)
    457:16  5 (_)
In ice-9/boot-9.scm:
     829:9  4 (catch srfi-34 #<procedure 262fdc0 at guix/http-client…> …)
In guix/http-client.scm:
    182:20  3 (_)
     88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
In guix/build/download.scm:
     398:4  1 (open-connection-for-uri _ #:timeout _ # _)
     296:6  0 (tls-wrap #<closed: file 2641c40> _ # _)

guix/build/download.scm:296:6: In procedure tls-wrap:
X.509 certificate of 'ftp.gnu.org' could not be verified:
   signer-not-found
   invalid


I suggest we change it to fail nicely. I am willing to create a patch. 
Would somebody be willing to mentor me?

As a start:

How do I check if nss-certs is installed?

This is the first thing we should do when handling https-URIs

(define tls-wrap is a quite complicated procedure, maybe an extra (if at 
the body (of the let) will do?

something like

(if package-available? nss-certs

     true; continue

     false-> error nicely

-- 
Cheers
Swedebugia

From: Leo Famulari @ 2018-11-05 20:26 UTC (permalink / raw)
  To: swedebugia; +Cc: 33272

On Mon, Nov 05, 2018 at 12:16:08PM +0100, swedebugia wrote:
> I suggest we change it to fail nicely. I am willing to create a patch. Would
> somebody be willing to mentor me?
> 
> As a start:
> 
> How do I check if nss-certs is installed?
> 
> This is the first thing we should do when handling https-URIs
> 
> (define tls-wrap is a quite complicated procedure, maybe an extra (if at the
> body (of the let) will do?
> 
> something like
> 
> (if package-available? nss-certs
> 
>     true; continue
> 
>     false-> error nicely

IMO a better solution is to catch the error and print an informative
message. Already, the error message at the end is coming from Guix, but
we should hide the backtrace and add a hint towards a solution.

I think handling the TLS error gracefully is orthogonal to whether or
not nss-certs is installed.

There are other X.509 certificate collections available on the systems
that Guix supports, and even some Guix packages use their own
collections. Also, programs that need to look up certificates tend to
find them via environment variables, so if one wanted to use nss-certs,
it's not enough just to install it.

https://www.gnu.org/software/guix/manual/en/html_node/X_002e509-Certificates.html

From: swedebugia @ 2018-11-05 20:39 UTC (permalink / raw)
  To: Leo Famulari, 33272

Hi

On 2018-11-05 21:26, Leo Famulari wrote:
> On Mon, Nov 05, 2018 at 12:16:08PM +0100, swedebugia wrote:
> IMO a better solution is to catch the error and print an informative
> message. Already, the error message at the end is coming from Guix, but
> we should hide the backtrace and add a hint towards a solution.
>
> I think handling the TLS error gracefully is orthogonal to whether or
> not nss-certs is installed.
Agreed.
>
> There are other X.509 certificate collections available on the systems
> that Guix supports, and even some Guix packages use their own
> collections. Also, programs that need to look up certificates tend to
> find them via environment variables, so if one wanted to use nss-certs,
> it's not enough just to install it.
>
> https://www.gnu.org/software/guix/manual/en/html_node/X_002e509-Certificates.html

Sounds like a good idea.

How do we catch the error?

-- 
Cheers
Swedebugia

From: Leo Famulari @ 2018-11-05 20:48 UTC (permalink / raw)
  To: swedebugia; +Cc: 33272

On Mon, Nov 05, 2018 at 09:39:15PM +0100, swedebugia wrote:
> How do we catch the error?

I am basically a novice Schemer still, so you will have to figure out
most of this on your own, unless someone else brings more advice :)

In general, dealing with exceptions in Guile:

https://www.gnu.org/software/guile/manual/html_node/Exceptions.html

There are lots of examples of how to use those mechanisms in the Guix
source code — the error message in your original email comes from a
caught exception in (guix build download).

You'll need to find out what is crashing and generating the backtrace,
and then decide what counts as a failure mode that we want to catch in
that context.

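One way to do what the replies above suggest, catching the certificate failure and printing a short message with a hint instead of a backtrace, shown as an added Guile example that is not part of the thread or of Guix's code. The procedures `fake-fetch`, `fetch/friendly` and `report-cert-variables`, and the `tls-certificate-error` key with its argument layout, are assumptions of this sketch; the failure is constructed so it runs without network access.

```scheme
;; Added illustration, not code from Guix.  The exception key and its
;; argument layout are assumptions made for this self-contained sketch.
(use-modules (ice-9 format)
             (ice-9 match))

;; Hypothetical stand-in for a download procedure whose TLS layer rejects
;; the peer certificate (constructed failure, no network access).
(define (fake-fetch host)
  (throw 'tls-certificate-error 'invalid-certificate host
         '(signer-not-found invalid)))

;; Environment variables commonly consulted by TLS clients for the CA store.
(define %cert-variables '("SSL_CERT_DIR" "SSL_CERT_FILE"))

(define (report-cert-variables port)
  "Print to PORT whether each variable is unset, valid, or dangling."
  (for-each (lambda (name)
              (let ((value (getenv name)))
                (format port "  ~a: ~a~%" name
                        (cond ((not value) "unset")
                              ((file-exists? value) value)
                              (else (string-append value " (missing)"))))))
            %cert-variables))

(define (fetch/friendly host)
  "Call FAKE-FETCH on HOST.  On a certificate error, print a short message
and a hint to the error port instead of a backtrace, and return #f."
  (catch 'tls-certificate-error
    (lambda () (fake-fetch host))
    (lambda (key . args)
      (let ((port (current-error-port)))
        (match args
          (('invalid-certificate host (reasons ...))
           (format port "error: X.509 certificate of '~a' could not be \
verified: ~{~a~^, ~}~%" host reasons))
          (_
           (format port "error: TLS certificate problem: ~s~%" args)))
        (format port "hint: check that a CA certificate collection is \
installed and that these variables point to it:~%")
        (report-cert-variables port)
        #f))))

(fetch/friendly "ftp.gnu.org")
```

The handler only intercepts the one key, so unrelated errors still propagate with their backtrace, and the certificate check itself is left in place rather than bypassed.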

From: swedebugia @ 2018-11-06 11:42 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 33272

Hi

On 2018-11-05 21:48, Leo Famulari wrote:
> On Mon, Nov 05, 2018 at 09:39:15PM +0100, swedebugia wrote:
>> How do we catch the error?
> I am basically a novice Schemer still, so you will have to figure out
> most of this on your own, unless someone else brings more advice :)

Me too

> In general, dealing with exceptions in Guile:
>
> https://www.gnu.org/software/guile/manual/html_node/Exceptions.html
>
> There are lots of examples of how to use those mechanisms in the Guix
> source code — the error message in your original email comes from a
> caught exception in (guix build download).
>
> You'll need to find out what is crashing and generating the backtrace,
> and then decide what counts as a failure mode that we want to catch in
> that context.
Thank you for the tips. This sounds too complicated for me to bite at my 
current skill level.

-- 
Cheers
Swedebugia

From: Leo Famulari @ 2018-11-06 17:36 UTC (permalink / raw)
  To: swedebugia; +Cc: 33272

On Tue, Nov 06, 2018 at 12:42:07PM +0100, swedebugia wrote:
> Thank you for the tips. This sounds too complicated for me to bite at my
> current skill level.

Perhaps, but you may be surprised what you can achieve with a few hours
of focused reading and trial-and-error experimentation. If you find the
time and motivation I recommend you give it a shot!
