From: Efraim Flashner <efraim@flashner.co.il>
To: Simon Tournier <zimon.toutoune@gmail.com>
Cc: 61121@debbugs.gnu.org, Theodore Ehrenborg <theodore.ehrenborg@gmail.com>
Subject: bug#61121: Cannot import IJulia in Julia
Date: Thu, 9 Feb 2023 11:29:53 +0200 [thread overview]
Message-ID: <Y+S9Ed+J3eJNsGGQ@3900XT> (raw)
In-Reply-To: <86o7qfuedj.fsf@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 4198 bytes --]
On Tue, Jan 31, 2023 at 12:34:16PM +0100, Simon Tournier wrote:
> Hi,
>
> On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg <theodore.ehrenborg@gmail.com> wrote:
>
> > Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> > system's ca-certificates.crt.
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168
>
> This trick is not possible, IIUC.
>
> > Is there a way I could rebuild my own slightly modified Julia with a link
> > like that?
>
> Maybe, by adding the package nss-certs as propagated-inputs in the
> definition of julia.
By itself I don't think this would do anything.
> > I understand that there's probably a good reason that Guix's Julia doesn't
> > by default have cert.pem, but I would be pleased with a hacky custom
> > solution if it made Jupyter notebooks work.
>
> The reason is security. ;-) It’s Julia that does poorly here.
>
> As pointed with the upstream package MbedTLS.jl, the fix should come
> from Julia itself; therefore, it could be worth to open an issue, if it
> is not already the case. ;-)
>
> From my understanding, the culprit is this [1]:
>
> --8<---------------cut here---------------start------------->8---
> function __init__()
> global artifact_dir = dirname(Sys.BINDIR)
> global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
> end
> --8<---------------cut here---------------end--------------->8---
>
> And it is not clear for me if NetworkOptions.jl [2] provides the option
> of not, and I am missing why Julia itself does not depend on it.
>
> 1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
> 2: https://github.com/JuliaLang/NetworkOptions.jl
>
>
> Efraim, do you think it would be possible to patch Julia to point to
> some certificates via bundled_ca_roots or ca_roots_path?
In the initial patch for julia-1.8.1 I think there was a substitution to
hardcode /etc/ssl/something instead for 'global cacert' but I took that
out since we don't like hardcoding that.
GIT_SSL_CAINFO=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
CURL_CA_BUNDLE=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/run/current-system/profile/etc/ssl/certs/ca-certificates.crt
I think it would be fine to tell Julia to look at SSL_CERT_FILE as the
cacert so it can be overridden as desired, and then we can add a
(native-?)search-path to Julia for SSL_CERT_FILE.
Does anyone know offhand how to get the environment variable? If not
I'll grep the sources and then look online.
> Well, somehow turn back these tests:
>
> --8<---------------cut here---------------start------------->8---
> ;; julia embeds a certificate, we are not doing that
> (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
> (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
> "@test_broken isfile(MozillaCACerts_jll.cacert)"))
> ;; since certificate is not present some tests are failing in network option
> (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
> (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
> "@test_broken isfile(bundled_ca_roots())")
> (("@test ispath\\(ca_roots_path\\(\\)\\)")
> "@test_broken ispath(ca_roots_path())")
> (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
> "@test_broken ca_roots_path() != bundled_ca_roots()"))
> --8<---------------cut here---------------end--------------->8---
That one might be a little harder, I'd rather not add nss-certs to the
build just for the test suite, but I'll see how it goes. Or at least
update the comment afterward.
>
> Cheers,
> simon
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-02-09 9:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-28 13:45 bug#61121: Cannot import IJulia in Julia Theodore Ehrenborg
2023-01-30 12:27 ` Simon Tournier
2023-01-30 21:55 ` Theodore Ehrenborg
2023-01-31 11:34 ` Simon Tournier
2023-02-09 9:29 ` Efraim Flashner [this message]
2023-02-09 14:53 ` Efraim Flashner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y+S9Ed+J3eJNsGGQ@3900XT \
--to=efraim@flashner.co.il \
--cc=61121@debbugs.gnu.org \
--cc=theodore.ehrenborg@gmail.com \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).