From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#61121: Cannot import IJulia in Julia
Date: Thu, 9 Feb 2023 11:29:53 +0200
From: Efraim Flashner
To: Simon Tournier
Cc: 61121@debbugs.gnu.org, Theodore Ehrenborg
In-Reply-To: <86o7qfuedj.fsf@gmail.com>
References: <87bkmgky0p.fsf@gmail.com> <86o7qfuedj.fsf@gmail.com>
List-Id: Bug reports for GNU Guix

On Tue, Jan 31, 2023 at 12:34:16PM +0100, Simon Tournier wrote:
> Hi,
>
> On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg wrote:
>
> > Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> > system's ca-certificates.crt.
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168
>
> This trick is not possible, IIUC.
>
> > Is there a way I could rebuild my own slightly modified Julia with a link
> > like that?
>
> Maybe, by adding the package nss-certs as propagated-inputs in the
> definition of julia.

By itself I don't think this would do anything.

> > I understand that there's probably a good reason that Guix's Julia doesn't
> > by default have cert.pem, but I would be pleased with a hacky custom
> > solution if it made Jupyter notebooks work.
>
> The reason is security. ;-)  It’s Julia that does poorly here.
>
> As pointed with the upstream package MbedTLS.jl, the fix should come
> from Julia itself; therefore, it could be worth to open an issue, if it
> is not already the case. ;-)
>
> From my understanding, the culprit is this [1]:
>
> --8<---------------cut here---------------start------------->8---
> function __init__()
>     global artifact_dir = dirname(Sys.BINDIR)
>     global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
> end
> --8<---------------cut here---------------end--------------->8---
>
> And it is not clear for me if NetworkOptions.jl [2] provides the option
> of not, and I am missing why Julia itself does not depend on it.
>
> 1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
> 2: https://github.com/JuliaLang/NetworkOptions.jl
>
>
> Efraim, do you think it would be possible to patch Julia to point to
> some certificates via bundled_ca_roots or ca_roots_path?

In the initial patch for julia-1.8.1 I think there was a substitution to
hardcode /etc/ssl/something instead for 'global cacert' but I took that
out since we don't like hardcoding that.

GIT_SSL_CAINFO=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
CURL_CA_BUNDLE=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/run/current-system/profile/etc/ssl/certs/ca-certificates.crt

I think it would be fine to tell Julia to look at SSL_CERT_FILE as the
cacert so it can be overridden as desired, and then we can add a
(native-?)search-path to Julia for SSL_CERT_FILE. Does anyone know
offhand how to get the environment variable? If not I'll grep the
sources and then look online.

> Well, somehow turn back these tests:
>
> --8<---------------cut here---------------start------------->8---
>     ;; julia embeds a certificate, we are not doing that
>     (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
>       (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
>        "@test_broken isfile(MozillaCACerts_jll.cacert)"))
>     ;; since certificate is not present some tests are failing in network option
>     (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
>       (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
>        "@test_broken isfile(bundled_ca_roots())")
>       (("@test ispath\\(ca_roots_path\\(\\)\\)")
>        "@test_broken ispath(ca_roots_path())")
>       (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
>        "@test_broken ca_roots_path() != bundled_ca_roots()"))
> --8<---------------cut here---------------end--------------->8---

That one might be a little harder, I'd rather not add nss-certs to the
build just for the test suite, but I'll see how it goes. Or at least
update the comment afterward.

>
> Cheers,
> simon

-- 
Efraim Flashner      אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
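
The proposal in the message above, that Julia take its `cacert` from SSL_CERT_FILE so a profile can override it, sketched as an added example (not part of the original message, and not Julia's or Guix's actual code). The names `bundled_cacert` and `resolve_cacert` are hypothetical, and the demo uses a constructed placeholder file in a temporary directory.

```julia
# Added illustration; not taken from Julia's stdlib or from the Guix package.
# `bundled_cacert` and `resolve_cacert` are hypothetical names.

# The path the quoted __init__ computes. In the Guix build no file is shipped there.
bundled_cacert() = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")

# Pick the CA bundle: SSL_CERT_FILE wins when set, else the bundled file.
# Throws instead of returning a path that does not exist, so TLS setup cannot
# proceed with an empty trust store.
function resolve_cacert(env::AbstractDict = ENV; bundled::AbstractString = bundled_cacert())
    override = get(env, "SSL_CERT_FILE", "")
    if !isempty(override)
        # An explicit override that is wrong is an error, not a reason to fall back.
        isfile(override) || error("SSL_CERT_FILE points to a missing file: $override")
        return abspath(override)
    end
    isfile(bundled) && return bundled
    error("no CA bundle: SSL_CERT_FILE is unset and $bundled does not exist")
end

# Constructed demo: a temporary file stands in for a profile's ca-certificates.crt.
function demo()
    mktempdir() do dir
        bundle = joinpath(dir, "ca-certificates.crt")
        write(bundle, "constructed placeholder, not a real certificate\n")
        absent = joinpath(dir, "share", "julia", "cert.pem")  # mimics the Guix build

        # Override set and readable: it is used even though the bundled file is absent.
        @assert resolve_cacert(Dict("SSL_CERT_FILE" => bundle); bundled = absent) == bundle

        # Unset variable, or a variable naming a missing file: resolution fails loudly.
        for env in (Dict{String,String}(), Dict("SSL_CERT_FILE" => joinpath(dir, "nope.crt")))
            threw = try
                resolve_cacert(env; bundled = absent)
                false
            catch err
                err isa ErrorException
            end
            @assert threw
        end
        println("resolved: ", resolve_cacert(Dict("SSL_CERT_FILE" => bundle); bundled = absent))
    end
end

demo()
```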