bug#61121: Cannot import IJulia in Julia

[Simon Tournier <zimon.toutoune@gmail.com>]

Hi,

On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg <theodore.ehrenborg@gmail.com> wrote:

> Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> system's ca-certificates.crt.
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168

This trick is not possible, IIUC.

> Is there a way I could rebuild my own slightly modified Julia with a link
> like that?

Maybe, by adding the package nss-certs as propagated-inputs in the
definition of julia.

> I understand that there's probably a good reason that Guix's Julia doesn't
> by default have cert.pem, but I would be pleased with a hacky custom
> solution if it made Jupyter notebooks work.

The reason is security. ;-)  It’s Julia that does poorly here.

As pointed with the upstream package MbedTLS.jl, the fix should come
from Julia itself; therefore, it could be worth to open an issue, if it
is not already the case. ;-)

From my understanding, the culprit is this [1]:

--8<---------------cut here---------------start------------->8---
function __init__()
    global artifact_dir = dirname(Sys.BINDIR)
    global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
end
--8<---------------cut here---------------end--------------->8---

And it is not clear for me if NetworkOptions.jl [2] provides the option
of not, and I am missing why Julia itself does not depend on it.

1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
2: https://github.com/JuliaLang/NetworkOptions.jl


Efraim, do you think it would be possible to patch Julia to point to
some certificates via bundled_ca_roots or ca_roots_path?

Well, somehow turn back these tests:

--8<---------------cut here---------------start------------->8---
             ;; julia embeds a certificate, we are not doing that
             (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
               (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
                "@test_broken isfile(MozillaCACerts_jll.cacert)"))
             ;; since certificate is not present some tests are failing in network option
             (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
               (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
                "@test_broken isfile(bundled_ca_roots())")
               (("@test ispath\\(ca_roots_path\\(\\)\\)")
                "@test_broken ispath(ca_roots_path())")
               (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
                "@test_broken ca_roots_path() != bundled_ca_roots()"))
--8<---------------cut here---------------end--------------->8---


Cheers,
simon