unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/3] icedtea: Generate keystore.
@ 2016-07-18 11:59 Ricardo Wurmus
  2016-07-18 11:59 ` [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package Ricardo Wurmus
                   ` (3 more replies)
  0 siblings, 4 replies; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-18 11:59 UTC (permalink / raw)
  To: guix-devel

Hi Guix,

our current IcedTea packages don't have TLS/SSL support as they don't come
with a certificate store.  In the Java world we need to import certificates
into a keystore.  (This is, unfortunately, not reproducible.)

These three patches add a build phase to icedtea-6 to generate a keystore from
the certificates in the nss-certs package.  I've tested this with the Java
bindings for git and an HTTPS URL of a repository.

For some reason generating a keystore fails with icedtea-8, so I'm explicitly
deleting the build phase there.  I'm not sure why this happens.

Overall I think this is an improvement, but more work is needed here.

What do you think?

~~ Ricardo


Ricardo Wurmus (3):
  gnu: nss-certs: Stop inheriting from nss package.
  gnu: icedtea-6: Use modify-phases syntax.
  gnu: icedtea-6: Generate keystore.

 gnu/packages/certs.scm |  22 ++-
 gnu/packages/java.scm  | 492 +++++++++++++++++++++++++++----------------------
 2 files changed, 289 insertions(+), 225 deletions(-)

-- 
2.9.0
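The procedure the cover letter describes (take the PEM files shipped by nss-certs, drop the ones that are no longer valid, import the rest into a keystore with keytool, then check the result) as a stand-alone shell script. This is an added example, not code from the patch series or from Guix; it assumes `openssl` and `keytool` on PATH, and the keystore path and certificate directory are hypothetical arguments. One deliberate difference from the build phase: the patch compares expiry against a fixed date so the result does not depend on when the build runs, while this script uses `openssl x509 -checkend` against the current clock, which is fine for a manual build but not for a reproducible package phase.

```sh
#!/bin/sh
# Added example, not code from the Guix patch series: build a Java cacerts
# keystore from a directory of PEM certificates, the manual equivalent of
# the proposed install-keystore phase.  Assumes 'openssl' and 'keytool' on
# PATH; keystore path and certificate directory are hypothetical arguments.
set -u

# import_cert KEYSTORE CERT: import CERT as a trusted entry whose alias is
# the file name without extension.  -noprompt answers the "Trust this
# certificate?" question non-interactively; 'changeit' is the JDK's
# conventional cacerts password.  Returns keytool's exit status.
import_cert() {
    keystore=$1; cert=$2
    alias=$(basename "$cert" | sed 's/\.[^.]*$//')
    keytool -importcert -noprompt -alias "$alias" -keystore "$keystore" \
        -storepass changeit -file "$cert" >/dev/null
}

# build_keystore KEYSTORE CERTS_DIR [MIN_SECONDS]: import every *.pem in
# CERTS_DIR that is a parseable X.509 certificate and stays valid for at
# least MIN_SECONDS (default 0, i.e. not yet expired).  Unparseable files
# and keytool failures are counted and make the function fail, so a
# half-filled keystore is never silently accepted.  Prints a summary line.
build_keystore() {
    keystore=$1; dir=$2; min_seconds=${3:-0}
    rm -f "$keystore"
    imported=0; skipped=0; failed=0
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        name=$(basename "$cert")
        if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
            echo "FAILED: $name is not a PEM certificate" >&2
            failed=$((failed + 1)); continue
        fi
        # -checkend N exits non-zero when notAfter is within N seconds of now.
        if ! openssl x509 -checkend "$min_seconds" -noout -in "$cert" >/dev/null; then
            echo "skipping $name: expires within ${min_seconds}s" >&2
            skipped=$((skipped + 1)); continue
        fi
        if import_cert "$keystore" "$cert"; then
            imported=$((imported + 1))
        else
            echo "FAILED: keytool rejected $name" >&2
            failed=$((failed + 1))
        fi
    done
    echo "imported=$imported skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}

# keystore_entries KEYSTORE: number of trustedCertEntry items keytool lists,
# for checking the result against the number of certificates you expected.
keystore_entries() {
    keytool -list -keystore "$1" -storepass changeit 2>/dev/null | grep -c trustedCertEntry
}

# Usage: mkcacerts.sh KEYSTORE CERTS_DIR [MIN_SECONDS]
if [ "$#" -ge 2 ]; then
    build_keystore "$1" "$2" "${3:-0}"
    echo "entries in $1: $(keystore_entries "$1")"
fi
```

The summary line and the entry count are the two checks worth keeping after any keystore build: a non-zero `failed` must abort, and `keystore_entries` should equal the number of certificates you intended to trust, since keytool happily produces a valid but incomplete keystore when an import fails.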


* [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package.
  2016-07-18 11:59 [PATCH 0/3] icedtea: Generate keystore Ricardo Wurmus
@ 2016-07-18 11:59 ` Ricardo Wurmus
  2016-07-18 16:39   ` Leo Famulari
  2016-07-19 12:44   ` Ludovic Courtès
  2016-07-18 11:59 ` [PATCH 2/3] gnu: icedtea-6: Use modify-phases syntax Ricardo Wurmus
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-18 11:59 UTC (permalink / raw)
  To: guix-devel

From: Ricardo Wurmus <rekado@elephly.net>

* gnu/packages/certs.scm (nss-certs): Stop inheriting from nss package.
---
 gnu/packages/certs.scm | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index dd7d339..f5a4372 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
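Review bot: the new copyright line credits Ludovic Courtès, yet the patch's author is Ricardo Wurmus and the commit message says nothing about whose work the nss-certs rewrite is; either say so in the commit message or credit the person who actually wrote the added lines.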
@@ -24,7 +25,6 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
   #:use-module (gnu packages)
-  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages python)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages tls))
@@ -71,8 +71,20 @@
    (home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
 
 (define-public nss-certs
-  (package (inherit nss) ; to reuse the source, version and some metadata
+  (package
     (name "nss-certs")
+    (version "3.23")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((version-with-underscores
+                          (string-join (string-split version #\.) "_")))
+                     (string-append
+                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+                      "releases/NSS_" version-with-underscores "_RTM/src/"
+                      "nss-" version ".tar.gz")))
+              (sha256
+               (base32
+                "1kqidv91icq96m9m8zx50n7px08km2l88458rkgyjwcn3kiq7cwl"))))
     (build-system gnu-build-system)
     (outputs '("out"))
     (native-inputs
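Review bot: `version` and the source hash are now copies of what the `nss` package carries, so a future NSS bump (the usual vehicle for CA bundle changes) will no longer update nss-certs unless someone remembers to edit both; add a comment next to `(version "3.23")` saying it must track `nss` in gnuzilla.scm, or factor the version and origin into one shared definition. The `(outputs '("out"))` line is the default and can go.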
@@ -123,5 +135,7 @@
                 '(set-paths install-locale unpack)))))
     (synopsis "CA certificates from Mozilla")
     (description
-      "This package provides certificates for Certification Authorities (CA)
-taken from the NSS package and thus ultimately from the Mozilla project.")))
+     "This package provides certificates for Certification Authorities (CA)
+taken from the NSS package and thus ultimately from the Mozilla project.")
+    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
+    (license license:mpl2.0)))
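Review bot: `license:mpl2.0` is introduced here but no hunk in this patch adds `((guix licenses) #:prefix license:)` to the module's imports; with the `(inherit nss)` gone, the license is no longer taken from the nss record, so confirm certs.scm already imports the licenses module under that prefix or the file will not load.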
-- 
2.9.0


* [PATCH 2/3] gnu: icedtea-6: Use modify-phases syntax.
  2016-07-18 11:59 [PATCH 0/3] icedtea: Generate keystore Ricardo Wurmus
  2016-07-18 11:59 ` [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package Ricardo Wurmus
@ 2016-07-18 11:59 ` Ricardo Wurmus
  2016-07-19 12:45   ` Ludovic Courtès
  2016-07-18 11:59 ` [PATCH 3/3] gnu: icedtea-6: Generate keystore Ricardo Wurmus
  2016-07-18 17:51 ` [PATCH 0/3] icedtea: " Roel Janssen
  3 siblings, 1 reply; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-18 11:59 UTC (permalink / raw)
  To: guix-devel

From: Ricardo Wurmus <rekado@elephly.net>

* gnu/packages/java.scm (icedtea-6)[arguments]: Use modify-phases
  syntax.
---
 gnu/packages/java.scm | 431 ++++++++++++++++++++++++--------------------------
 1 file changed, 211 insertions(+), 220 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 753fb77..faa6e5b 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -281,111 +281,108 @@ build process and its dependencies, whereas Make uses Makefile format.")
            ,(string-append "--with-jdk-home=" jdk)
            ,(string-append "--with-java=" jdk "/bin/java")))
        #:phases
-       (alist-replace
-        'unpack
-        (lambda* (#:key source inputs #:allow-other-keys)
-          (and (zero? (system* "tar" "xvf" source))
-               (begin
-                 (chdir (string-append "icedtea6-" ,version))
-                 (mkdir "openjdk.src")
-                 (with-directory-excursion "openjdk.src"
-                   (copy-file (assoc-ref inputs "openjdk6-src")
-                              "openjdk6-src.tar.xz")
-                   (zero? (system* "tar" "xvf" "openjdk6-src.tar.xz"))))))
-        (alist-cons-after
-         'unpack 'patch-patches
-         (lambda _
-           ;; shebang in patches so that they apply cleanly
-           (substitute* '("patches/jtreg-jrunscript.patch"
-                          "patches/hotspot/hs23/drop_unlicensed_test.patch")
-             (("#!/bin/sh") (string-append "#!" (which "sh"))))
+       (modify-phases %standard-phases
+         (replace 'unpack
+           (lambda* (#:key source inputs #:allow-other-keys)
+             (and (zero? (system* "tar" "xvf" source))
+                  (begin
+                    (chdir (string-append "icedtea6-" ,version))
+                    (mkdir "openjdk.src")
+                    (with-directory-excursion "openjdk.src"
+                      (copy-file (assoc-ref inputs "openjdk6-src")
+                                 "openjdk6-src.tar.xz")
+                      (zero? (system* "tar" "xvf" "openjdk6-src.tar.xz")))))))
+         (add-after 'unpack 'patch-patches
+           (lambda _
+             ;; shebang in patches so that they apply cleanly
+             (substitute* '("patches/jtreg-jrunscript.patch"
+                            "patches/hotspot/hs23/drop_unlicensed_test.patch")
+               (("#!/bin/sh") (string-append "#!" (which "sh"))))
 
-           ;; fix path to alsa header in patch
-           (substitute* "patches/openjdk/6799141-split_out_versions.patch"
-             (("ALSA_INCLUDE=/usr/include/alsa/version.h")
-              (string-append "ALSA_INCLUDE="
-                             (assoc-ref %build-inputs "alsa-lib")
-                             "/include/alsa/version.h"))))
-         (alist-cons-after
-          'unpack 'patch-paths
-          (lambda _
-            ;; buildtree.make generates shell scripts, so we need to replace
-            ;; the generated shebang
-            (substitute* '("openjdk.src/hotspot/make/linux/makefiles/buildtree.make")
-              (("/bin/sh") (which "bash")))
+             ;; fix path to alsa header in patch
+             (substitute* "patches/openjdk/6799141-split_out_versions.patch"
+               (("ALSA_INCLUDE=/usr/include/alsa/version.h")
+                (string-append "ALSA_INCLUDE="
+                               (assoc-ref %build-inputs "alsa-lib")
+                               "/include/alsa/version.h")))))
+         (add-after 'unpack 'patch-paths
+           (lambda _
+             ;; buildtree.make generates shell scripts, so we need to replace
+             ;; the generated shebang
+             (substitute* '("openjdk.src/hotspot/make/linux/makefiles/buildtree.make")
+               (("/bin/sh") (which "bash")))
 
-            (let ((corebin (string-append
-                            (assoc-ref %build-inputs "coreutils") "/bin/"))
-                  (binbin  (string-append
-                            (assoc-ref %build-inputs "binutils") "/bin/"))
-                  (grepbin (string-append
-                            (assoc-ref %build-inputs "grep") "/bin/")))
-              (substitute* '("openjdk.src/jdk/make/common/shared/Defs-linux.gmk"
-                             "openjdk.src/corba/make/common/shared/Defs-linux.gmk")
-                (("UNIXCOMMAND_PATH  = /bin/")
-                 (string-append "UNIXCOMMAND_PATH = " corebin))
-                (("USRBIN_PATH  = /usr/bin/")
-                 (string-append "USRBIN_PATH = " corebin))
-                (("DEVTOOLS_PATH *= */usr/bin/")
-                 (string-append "DEVTOOLS_PATH = " corebin))
-                (("COMPILER_PATH *= */usr/bin/")
-                 (string-append "COMPILER_PATH = "
-                                (assoc-ref %build-inputs "gcc") "/bin/"))
-                (("DEF_OBJCOPY *=.*objcopy")
-                 (string-append "DEF_OBJCOPY = " (which "objcopy"))))
+             (let ((corebin (string-append
+                             (assoc-ref %build-inputs "coreutils") "/bin/"))
+                   (binbin  (string-append
+                             (assoc-ref %build-inputs "binutils") "/bin/"))
+                   (grepbin (string-append
+                             (assoc-ref %build-inputs "grep") "/bin/")))
+               (substitute* '("openjdk.src/jdk/make/common/shared/Defs-linux.gmk"
+                              "openjdk.src/corba/make/common/shared/Defs-linux.gmk")
+                 (("UNIXCOMMAND_PATH  = /bin/")
+                  (string-append "UNIXCOMMAND_PATH = " corebin))
+                 (("USRBIN_PATH  = /usr/bin/")
+                  (string-append "USRBIN_PATH = " corebin))
+                 (("DEVTOOLS_PATH *= */usr/bin/")
+                  (string-append "DEVTOOLS_PATH = " corebin))
+                 (("COMPILER_PATH *= */usr/bin/")
+                  (string-append "COMPILER_PATH = "
+                                 (assoc-ref %build-inputs "gcc") "/bin/"))
+                 (("DEF_OBJCOPY *=.*objcopy")
+                  (string-append "DEF_OBJCOPY = " (which "objcopy"))))
 
-              ;; fix hard-coded utility paths
-              (substitute* '("openjdk.src/jdk/make/common/shared/Defs-utils.gmk"
-                             "openjdk.src/corba/make/common/shared/Defs-utils.gmk")
-                (("ECHO *=.*echo")
-                 (string-append "ECHO = " (which "echo")))
-                (("^GREP *=.*grep")
-                 (string-append "GREP = " (which "grep")))
-                (("EGREP *=.*egrep")
-                 (string-append "EGREP = " (which "egrep")))
-                (("CPIO *=.*cpio")
-                 (string-append "CPIO = " (which "cpio")))
-                (("READELF *=.*readelf")
-                 (string-append "READELF = " (which "readelf")))
-                (("^ *AR *=.*ar")
-                 (string-append "AR = " (which "ar")))
-                (("^ *TAR *=.*tar")
-                 (string-append "TAR = " (which "tar")))
-                (("AS *=.*as")
-                 (string-append "AS = " (which "as")))
-                (("LD *=.*ld")
-                 (string-append "LD = " (which "ld")))
-                (("STRIP *=.*strip")
-                 (string-append "STRIP = " (which "strip")))
-                (("NM *=.*nm")
-                 (string-append "NM = " (which "nm")))
-                (("^SH *=.*sh")
-                 (string-append "SH = " (which "bash")))
-                (("^FIND *=.*find")
-                 (string-append "FIND = " (which "find")))
-                (("LDD *=.*ldd")
-                 (string-append "LDD = " (which "ldd")))
-                (("NAWK *=.*(n|g)awk")
-                 (string-append "NAWK = " (which "gawk")))
-                (("XARGS *=.*xargs")
-                 (string-append "XARGS = " (which "xargs")))
-                (("UNZIP *=.*unzip")
-                 (string-append "UNZIP = " (which "unzip")))
-                (("ZIPEXE *=.*zip")
-                 (string-append "ZIPEXE = " (which "zip")))
-                (("SED *=.*sed")
-                 (string-append "SED = " (which "sed"))))
+               ;; fix hard-coded utility paths
+               (substitute* '("openjdk.src/jdk/make/common/shared/Defs-utils.gmk"
+                              "openjdk.src/corba/make/common/shared/Defs-utils.gmk")
+                 (("ECHO *=.*echo")
+                  (string-append "ECHO = " (which "echo")))
+                 (("^GREP *=.*grep")
+                  (string-append "GREP = " (which "grep")))
+                 (("EGREP *=.*egrep")
+                  (string-append "EGREP = " (which "egrep")))
+                 (("CPIO *=.*cpio")
+                  (string-append "CPIO = " (which "cpio")))
+                 (("READELF *=.*readelf")
+                  (string-append "READELF = " (which "readelf")))
+                 (("^ *AR *=.*ar")
+                  (string-append "AR = " (which "ar")))
+                 (("^ *TAR *=.*tar")
+                  (string-append "TAR = " (which "tar")))
+                 (("AS *=.*as")
+                  (string-append "AS = " (which "as")))
+                 (("LD *=.*ld")
+                  (string-append "LD = " (which "ld")))
+                 (("STRIP *=.*strip")
+                  (string-append "STRIP = " (which "strip")))
+                 (("NM *=.*nm")
+                  (string-append "NM = " (which "nm")))
+                 (("^SH *=.*sh")
+                  (string-append "SH = " (which "bash")))
+                 (("^FIND *=.*find")
+                  (string-append "FIND = " (which "find")))
+                 (("LDD *=.*ldd")
+                  (string-append "LDD = " (which "ldd")))
+                 (("NAWK *=.*(n|g)awk")
+                  (string-append "NAWK = " (which "gawk")))
+                 (("XARGS *=.*xargs")
+                  (string-append "XARGS = " (which "xargs")))
+                 (("UNZIP *=.*unzip")
+                  (string-append "UNZIP = " (which "unzip")))
+                 (("ZIPEXE *=.*zip")
+                  (string-append "ZIPEXE = " (which "zip")))
+                 (("SED *=.*sed")
+                  (string-append "SED = " (which "sed"))))
 
-              ;; Some of these timestamps cause problems as they are more than
-              ;; 10 years ago, failing the build process.
-              (substitute*
-                  "openjdk.src/jdk/src/share/classes/java/util/CurrencyData.properties"
-                (("AZ=AZM;2005-12-31-20-00-00;AZN") "AZ=AZN")
-                (("MZ=MZM;2006-06-30-22-00-00;MZN") "MZ=MZN")
-                (("RO=ROL;2005-06-30-21-00-00;RON") "RO=RON")
-                (("TR=TRL;2004-12-31-22-00-00;TRY") "TR=TRY"))))
-          (alist-cons-before
-           'configure 'set-additional-paths
+               ;; Some of these timestamps cause problems as they are more than
+               ;; 10 years ago, failing the build process.
+               (substitute*
+                   "openjdk.src/jdk/src/share/classes/java/util/CurrencyData.properties"
+                 (("AZ=AZM;2005-12-31-20-00-00;AZN") "AZ=AZN")
+                 (("MZ=MZM;2006-06-30-22-00-00;MZN") "MZ=MZN")
+                 (("RO=ROL;2005-06-30-21-00-00;RON") "RO=RON")
+                 (("TR=TRL;2004-12-31-22-00-00;TRY") "TR=TRY")))))
+         (add-before 'configure 'set-additional-paths
            (lambda* (#:key inputs #:allow-other-keys)
              (let* ((gcjdir  (assoc-ref %build-inputs "gcj"))
                     (gcjlib  (string-append gcjdir "/lib"))
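Review bot: `binbin` and `grepbin` are bound in the `let` of `patch-paths` but never used in either `substitute*` form, and the conversion to `modify-phases` is the moment to drop them rather than carry the dead bindings over; `corebin` is the only one referenced. Otherwise the phase bodies look identical to the `alist-*` originals, which is what this commit promises.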
@@ -412,125 +409,119 @@ build process and its dependencies, whereas Make uses Makefile format.")
                                       "/include"))
                (setenv "ALT_FREETYPE_LIB_PATH"
                        (string-append (assoc-ref %build-inputs "freetype")
-                                      "/lib"))))
-           (alist-cons-before
-            'check 'fix-test-framework
-            (lambda _
-              ;; Fix PATH in test environment
-              (substitute* "src/jtreg/com/sun/javatest/regtest/Main.java"
-                (("PATH=/bin:/usr/bin")
-                 (string-append "PATH=" (getenv "PATH"))))
-              (substitute* "src/jtreg/com/sun/javatest/util/SysEnv.java"
-                (("/usr/bin/env") (which "env")))
-              #t)
-            (alist-cons-before
-             'check 'fix-hotspot-tests
-             (lambda _
-               (with-directory-excursion "openjdk.src/hotspot/test/"
-                 (substitute* "jprt.config"
-                   (("PATH=\"\\$\\{path4sdk\\}\"")
-                    (string-append "PATH=" (getenv "PATH")))
-                   (("make=/usr/bin/make")
-                    (string-append "make=" (which "make"))))
-                 (substitute* '("runtime/6626217/Test6626217.sh"
-                                "runtime/7110720/Test7110720.sh")
-                   (("/bin/rm") (which "rm"))
-                   (("/bin/cp") (which "cp"))
-                   (("/bin/mv") (which "mv"))))
-               #t)
-             (alist-cons-before
-              'check 'fix-jdk-tests
-              (lambda _
-                (with-directory-excursion "openjdk.src/jdk/test/"
-                  (substitute* "com/sun/jdi/JdbReadTwiceTest.sh"
-                    (("/bin/pwd") (which "pwd")))
-                  (substitute* "com/sun/jdi/ShellScaffold.sh"
-                    (("/bin/kill") (which "kill")))
-                  (substitute* "start-Xvfb.sh"
-                    ;;(("/usr/bin/X11/Xvfb") (which "Xvfb"))
-                    (("/usr/bin/nohup")    (which "nohup")))
-                  (substitute* "javax/security/auth/Subject/doAs/Test.sh"
-                    (("/bin/rm") (which "rm")))
-                  (substitute* "tools/launcher/MultipleJRE.sh"
-                    (("echo \"#!/bin/sh\"")
-                     (string-append "echo \"#!" (which "rm") "\""))
-                    (("/usr/bin/zip") (which "zip")))
-                  (substitute* "com/sun/jdi/OnThrowTest.java"
-                    (("#!/bin/sh") (string-append "#!" (which "sh"))))
-                  (substitute* "java/lang/management/OperatingSystemMXBean/GetSystemLoadAverage.java"
-                    (("/usr/bin/uptime") (which "uptime")))
-                  (substitute* "java/lang/ProcessBuilder/Basic.java"
-                    (("/usr/bin/env") (which "env"))
-                    (("/bin/false") (which "false"))
-                    (("/bin/true") (which "true"))
-                    (("/bin/cp") (which "cp"))
-                    (("/bin/sh") (which "sh")))
-                  (substitute* "java/lang/ProcessBuilder/FeelingLucky.java"
-                    (("/bin/sh") (which "sh")))
-                  (substitute* "java/lang/ProcessBuilder/Zombies.java"
-                    (("/usr/bin/perl") (which "perl"))
-                    (("/bin/ps") (which "ps"))
-                    (("/bin/true") (which "true")))
-                  (substitute* "java/lang/Runtime/exec/ConcurrentRead.java"
-                    (("/usr/bin/tee") (which "tee")))
-                  (substitute* "java/lang/Runtime/exec/ExecWithDir.java"
-                    (("/bin/true") (which "true")))
-                  (substitute* "java/lang/Runtime/exec/ExecWithInput.java"
-                    (("/bin/cat") (which "cat")))
-                  (substitute* "java/lang/Runtime/exec/ExitValue.java"
-                    (("/bin/sh") (which "sh"))
-                    (("/bin/true") (which "true"))
-                    (("/bin/kill") (which "kill")))
-                  (substitute* "java/lang/Runtime/exec/LotsOfDestroys.java"
-                    (("/usr/bin/echo") (which "echo")))
-                  (substitute* "java/lang/Runtime/exec/LotsOfOutput.java"
-                    (("/usr/bin/cat") (which "cat")))
-                  (substitute* "java/lang/Runtime/exec/SleepyCat.java"
-                    (("/bin/cat") (which "cat"))
-                    (("/bin/sleep") (which "sleep"))
-                    (("/bin/sh") (which "sh")))
-                  (substitute* "java/lang/Runtime/exec/StreamsSurviveDestroy.java"
-                    (("/bin/cat") (which "cat")))
-                  (substitute* "java/rmi/activation/CommandEnvironment/SetChildEnv.java"
-                    (("/bin/chmod") (which "chmod")))
-                  (substitute* "java/util/zip/ZipFile/Assortment.java"
-                    (("/bin/sh") (which "sh"))))
-                #t)
-              (alist-replace
-               'check
-               (lambda _
-                 ;; The "make check-*" targets always return zero, so we need to
-                 ;; check for errors in the associated log files to determine
-                 ;; whether any tests have failed.
-                 (use-modules (ice-9 rdelim))
-                 (let* ((error-pattern (make-regexp "^(Error|FAILED):.*"))
-                        (checker (lambda (port)
-                                   (let loop ()
-                                     (let ((line (read-line port)))
-                                       (cond
-                                        ((eof-object? line) #t)
-                                        ((regexp-exec error-pattern line) #f)
-                                        (else (loop)))))))
-                        (run-test (lambda (test)
-                                    (system* "make" test)
-                                    (call-with-input-file
-                                        (string-append "test/" test ".log")
-                                      checker))))
-                   (or #t ; skip tests
-                       (and (run-test "check-hotspot")
-                            (run-test "check-langtools")
-                            (run-test "check-jdk")))))
-               (alist-replace
-                'install
-                (lambda* (#:key outputs #:allow-other-keys)
-                  (let ((doc (string-append (assoc-ref outputs "doc")
-                                            "/share/doc/icedtea"))
-                        (jre (assoc-ref outputs "out"))
-                        (jdk (assoc-ref outputs "jdk")))
-                    (copy-recursively "openjdk.build/docs" doc)
-                    (copy-recursively "openjdk.build/j2re-image" jre)
-                    (copy-recursively "openjdk.build/j2sdk-image" jdk)))
-                %standard-phases)))))))))))
+                                      "/lib")))))
+         (add-before 'check 'fix-test-framework
+           (lambda _
+             ;; Fix PATH in test environment
+             (substitute* "src/jtreg/com/sun/javatest/regtest/Main.java"
+               (("PATH=/bin:/usr/bin")
+                (string-append "PATH=" (getenv "PATH"))))
+             (substitute* "src/jtreg/com/sun/javatest/util/SysEnv.java"
+               (("/usr/bin/env") (which "env")))
+             #t))
+         (add-before 'check 'fix-hotspot-tests
+           (lambda _
+             (with-directory-excursion "openjdk.src/hotspot/test/"
+               (substitute* "jprt.config"
+                 (("PATH=\"\\$\\{path4sdk\\}\"")
+                  (string-append "PATH=" (getenv "PATH")))
+                 (("make=/usr/bin/make")
+                  (string-append "make=" (which "make"))))
+               (substitute* '("runtime/6626217/Test6626217.sh"
+                              "runtime/7110720/Test7110720.sh")
+                 (("/bin/rm") (which "rm"))
+                 (("/bin/cp") (which "cp"))
+                 (("/bin/mv") (which "mv"))))
+             #t))
+         (add-before 'check 'fix-jdk-tests
+           (lambda _
+             (with-directory-excursion "openjdk.src/jdk/test/"
+               (substitute* "com/sun/jdi/JdbReadTwiceTest.sh"
+                 (("/bin/pwd") (which "pwd")))
+               (substitute* "com/sun/jdi/ShellScaffold.sh"
+                 (("/bin/kill") (which "kill")))
+               (substitute* "start-Xvfb.sh"
+                 ;;(("/usr/bin/X11/Xvfb") (which "Xvfb"))
+                 (("/usr/bin/nohup")    (which "nohup")))
+               (substitute* "javax/security/auth/Subject/doAs/Test.sh"
+                 (("/bin/rm") (which "rm")))
+               (substitute* "tools/launcher/MultipleJRE.sh"
+                 (("echo \"#!/bin/sh\"")
+                  (string-append "echo \"#!" (which "rm") "\""))
+                 (("/usr/bin/zip") (which "zip")))
+               (substitute* "com/sun/jdi/OnThrowTest.java"
+                 (("#!/bin/sh") (string-append "#!" (which "sh"))))
+               (substitute* "java/lang/management/OperatingSystemMXBean/GetSystemLoadAverage.java"
+                 (("/usr/bin/uptime") (which "uptime")))
+               (substitute* "java/lang/ProcessBuilder/Basic.java"
+                 (("/usr/bin/env") (which "env"))
+                 (("/bin/false") (which "false"))
+                 (("/bin/true") (which "true"))
+                 (("/bin/cp") (which "cp"))
+                 (("/bin/sh") (which "sh")))
+               (substitute* "java/lang/ProcessBuilder/FeelingLucky.java"
+                 (("/bin/sh") (which "sh")))
+               (substitute* "java/lang/ProcessBuilder/Zombies.java"
+                 (("/usr/bin/perl") (which "perl"))
+                 (("/bin/ps") (which "ps"))
+                 (("/bin/true") (which "true")))
+               (substitute* "java/lang/Runtime/exec/ConcurrentRead.java"
+                 (("/usr/bin/tee") (which "tee")))
+               (substitute* "java/lang/Runtime/exec/ExecWithDir.java"
+                 (("/bin/true") (which "true")))
+               (substitute* "java/lang/Runtime/exec/ExecWithInput.java"
+                 (("/bin/cat") (which "cat")))
+               (substitute* "java/lang/Runtime/exec/ExitValue.java"
+                 (("/bin/sh") (which "sh"))
+                 (("/bin/true") (which "true"))
+                 (("/bin/kill") (which "kill")))
+               (substitute* "java/lang/Runtime/exec/LotsOfDestroys.java"
+                 (("/usr/bin/echo") (which "echo")))
+               (substitute* "java/lang/Runtime/exec/LotsOfOutput.java"
+                 (("/usr/bin/cat") (which "cat")))
+               (substitute* "java/lang/Runtime/exec/SleepyCat.java"
+                 (("/bin/cat") (which "cat"))
+                 (("/bin/sleep") (which "sleep"))
+                 (("/bin/sh") (which "sh")))
+               (substitute* "java/lang/Runtime/exec/StreamsSurviveDestroy.java"
+                 (("/bin/cat") (which "cat")))
+               (substitute* "java/rmi/activation/CommandEnvironment/SetChildEnv.java"
+                 (("/bin/chmod") (which "chmod")))
+               (substitute* "java/util/zip/ZipFile/Assortment.java"
+                 (("/bin/sh") (which "sh"))))
+             #t))
+         (replace 'check
+           (lambda _
+             ;; The "make check-*" targets always return zero, so we need to
+             ;; check for errors in the associated log files to determine
+             ;; whether any tests have failed.
+             (use-modules (ice-9 rdelim))
+             (let* ((error-pattern (make-regexp "^(Error|FAILED):.*"))
+                    (checker (lambda (port)
+                               (let loop ()
+                                 (let ((line (read-line port)))
+                                   (cond
+                                    ((eof-object? line) #t)
+                                    ((regexp-exec error-pattern line) #f)
+                                    (else (loop)))))))
+                    (run-test (lambda (test)
+                                (system* "make" test)
+                                (call-with-input-file
+                                    (string-append "test/" test ".log")
+                                  checker))))
+               (or #t ; skip tests
+                   (and (run-test "check-hotspot")
+                        (run-test "check-langtools")
+                        (run-test "check-jdk"))))))
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((doc (string-append (assoc-ref outputs "doc")
+                                       "/share/doc/icedtea"))
+                   (jre (assoc-ref outputs "out"))
+                   (jdk (assoc-ref outputs "jdk")))
+               (copy-recursively "openjdk.build/docs" doc)
+               (copy-recursively "openjdk.build/j2re-image" jre)
+               (copy-recursively "openjdk.build/j2sdk-image" jdk)))))))
     (native-inputs
      `(("ant" ,ant)
        ("alsa-lib" ,alsa-lib)
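Review bot: in `fix-jdk-tests`, the substitution for `tools/launcher/MultipleJRE.sh` rewrites `echo "#!/bin/sh"` to `(string-append "echo \"#!" (which "rm") "\"")`, so the generated script's interpreter becomes `rm`; this is carried over verbatim from the old `alist-cons-before` form, but it is almost certainly meant to be `(which "sh")` and is worth fixing in a follow-up rather than preserving. Also note that `(or #t ; skip tests ...)` in the replaced `check` phase makes all three `run-test` calls unreachable; if tests are meant to stay off, `#:tests? #f` states that more honestly than a phase that pretends to check.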
-- 
2.9.0


* [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-18 11:59 [PATCH 0/3] icedtea: Generate keystore Ricardo Wurmus
  2016-07-18 11:59 ` [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package Ricardo Wurmus
  2016-07-18 11:59 ` [PATCH 2/3] gnu: icedtea-6: Use modify-phases syntax Ricardo Wurmus
@ 2016-07-18 11:59 ` Ricardo Wurmus
  2016-07-19 12:51   ` Ludovic Courtès
  2016-07-18 17:51 ` [PATCH 0/3] icedtea: " Roel Janssen
  3 siblings, 1 reply; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-18 11:59 UTC (permalink / raw)
  To: guix-devel

From: Ricardo Wurmus <rekado@elephly.net>

* gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
"install-keystore".
[native-inputs]: Add nss-certs and openssl.
---
 gnu/packages/java.scm | 63 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 61 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index faa6e5b..95e273e 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -30,6 +30,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages cpio)
   #:use-module (gnu packages cups)
   #:use-module (gnu packages compression)
@@ -47,6 +48,7 @@
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages mit-krb5)
+  #:use-module (gnu packages tls)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xorg)
   #:use-module (gnu packages zip)
@@ -262,7 +264,8 @@ build process and its dependencies, whereas Make uses Makefile format.")
        #:modules ((guix build utils)
                   (guix build gnu-build-system)
                   (ice-9 popen)
-                  (ice-9 rdelim))
+                  (ice-9 rdelim)
+                  (srfi srfi-19))
 
        #:configure-flags
        (let* ((gcjdir (assoc-ref %build-inputs "gcj"))
@@ -521,7 +524,58 @@ build process and its dependencies, whereas Make uses Makefile format.")
                    (jdk (assoc-ref outputs "jdk")))
                (copy-recursively "openjdk.build/docs" doc)
                (copy-recursively "openjdk.build/j2re-image" jre)
-               (copy-recursively "openjdk.build/j2sdk-image" jdk)))))))
+               (copy-recursively "openjdk.build/j2sdk-image" jdk))))
+         (add-after 'install 'install-keystore
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((keystore  "cacerts")
+                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
+                                              "/etc/ssl/certs"))
+                    (keytool   (string-append (assoc-ref outputs "jdk")
+                                              "/bin/keytool"))
+                    (openssl   (which "openssl"))
+                    (recent    (date->time-utc (string->date "2016-1-1"
+                                                             "~Y-~m-~d"))))
+               (define (valid? cert)
+                 (let* ((port (open-pipe* OPEN_READ openssl
+                                          "x509" "-enddate" "-in" cert "-noout"))
+                        (str  (read-line port))
+                        (end  (begin (close-pipe port)
+                                     ;; TODO: use match?
+                                     (cadr (string-split str #\=)))))
+                   (time>? (date->time-utc
+                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
+
+               (define (import-cert cert)
+                 (format #t "Importing certificate ~a\n" (basename cert))
+                 (let* ((port (open-pipe* OPEN_WRITE keytool
+                                          "-import"
+                                          "-alias" (basename cert)
+                                          "-keystore" keystore
+                                          "-storepass" "changeit"
+                                          "-file" cert)))
+                   (display "yes\n" port)
+                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))
+                     (format (current-error-port)
+                             "Failed to import certificate.\n"))))
+
+               ;; This is necessary because the certificate directory contains
+               ;; files with non-ASCII characters in their names.
+               (setlocale LC_ALL "en_US.utf8")
+               (setenv "LC_ALL" "en_US.utf8")
+
+               (for-each import-cert
+                         (filter valid? (find-files certs-dir "\\.pem$")))
+               (mkdir-p (string-append (assoc-ref outputs "out")
+                                       "/lib/security"))
+               (mkdir-p (string-append (assoc-ref outputs "jdk")
+                                       "/jre/lib/security"))
+               (install-file keystore
+                             (string-append (assoc-ref outputs "out")
+                                            "/lib/security"))
+               (install-file keystore
+                             (string-append (assoc-ref outputs "jdk")
+                                            "/jre/lib/security"))
+               #t))))))
     (native-inputs
      `(("ant" ,ant)
        ("alsa-lib" ,alsa-lib)
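Review bot: the failure branch in import-cert, `(format (current-error-port) "Failed to import certificate.\n")` after `close-pipe`, only logs, so a certificate that keytool rejects is silently missing from cacerts while the phase still returns #t; raise an error there so the build fails rather than ship an incomplete trust store. In valid?, `(read-line port)` yields an eof object when openssl prints nothing (a parse failure, for instance), and `(cadr (string-split str #\=))` then dies with a type error; check `(status:exit-val (close-pipe port))` and the line before splitting. The expiry filter compares against the fixed date "2016-1-1", so a certificate expiring after that date but before the JDK is used is still imported, and the set of trusted roots comes to depend on a constant unrelated to the certificates themselves; if expiry is to be enforced at all, runtime validation is the place. Finally, `(add-after 'install 'install-keystore` deserves a comment saying the store is built from nss-certs because IcedTea ships none.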
@@ -544,6 +598,7 @@ build process and its dependencies, whereas Make uses Makefile format.")
        ("libxslt" ,libxslt) ;for xsltproc
        ("mit-krb5" ,mit-krb5)
        ("nss" ,nss)
+       ("nss-certs" ,nss-certs)
        ("libx11" ,libx11)
        ("libxcomposite" ,libxcomposite)
        ("libxt" ,libxt)
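Review bot: `("nss-certs" ,nss-certs)` as a native input is fine for the build, but because the phase copies its certificates into the output, the set of trusted roots is frozen at build time: a later nss-certs update that drops a distrusted CA reaches users only once icedtea-6 is rebuilt against it. A comment at this line recording that dependency would help whoever next bumps nss-certs.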
@@ -554,6 +609,7 @@ build process and its dependencies, whereas Make uses Makefile format.")
        ("libjpeg" ,libjpeg)
        ("libpng" ,libpng)
        ("giflib" ,giflib)
+       ("openssl" ,openssl)
        ("perl" ,perl)
        ("procps" ,procps) ;for "free", even though I'm not sure we should use it
        ("openjdk6-src"
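Review bot: openssl is added here as a native input, yet the phase locates it with `(which "openssl")`; if the binary is not on PATH in the build environment, `which` returns #f and `open-pipe*` fails with an unhelpful error far from the cause. Resolve it as `(string-append (assoc-ref inputs "openssl") "/bin/openssl")`, the way the phase already does for keytool.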
@@ -789,6 +845,9 @@ build process and its dependencies, whereas Make uses Makefile format.")
              (delete 'patch-paths)
              (delete 'set-additional-paths)
              (delete 'patch-patches)
+             ;; FIXME: This phase is needed but fails with this version of
+             ;; IcedTea.
+             (delete 'install-keystore)
              (replace 'install
                (lambda* (#:key outputs #:allow-other-keys)
                  (let ((doc (string-append (assoc-ref outputs "doc")
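Review bot: `(delete 'install-keystore)` leaves this IcedTea version with no cacerts at all, so, as the cover letter notes, TLS connections from it cannot validate any server; the FIXME at `;; FIXME: This phase is needed but fails with this version of` should record the actual keytool error so the phase can be restored, and the missing trust store should be visible to users (a note in the description, say) rather than surfacing as handshake failures.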
-- 
2.9.0

^ permalink raw reply related	[flat|nested] 19+ messages in thread

* Re: [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package.
  2016-07-18 11:59 ` [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package Ricardo Wurmus
@ 2016-07-18 16:39   ` Leo Famulari
  2016-07-18 19:34     ` Ricardo Wurmus
  2016-07-19 12:44   ` Ludovic Courtès
  1 sibling, 1 reply; 19+ messages in thread
From: Leo Famulari @ 2016-07-18 16:39 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

On Mon, Jul 18, 2016 at 01:59:39PM +0200, Ricardo Wurmus wrote:
> * gnu/packages/certs.scm (nss-certs): Stop inheriting from nss package.

Why do we want to do this?

It appears to me that the resulting package would be the same. Is there
a plan to let the versions diverge in the future?

> +;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>

Is this intentional?

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 0/3] icedtea: Generate keystore.
  2016-07-18 11:59 [PATCH 0/3] icedtea: Generate keystore Ricardo Wurmus
                   ` (2 preceding siblings ...)
  2016-07-18 11:59 ` [PATCH 3/3] gnu: icedtea-6: Generate keystore Ricardo Wurmus
@ 2016-07-18 17:51 ` Roel Janssen
  3 siblings, 0 replies; 19+ messages in thread
From: Roel Janssen @ 2016-07-18 17:51 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel


Ricardo Wurmus writes:

> Hi Guix,
>
> our current IcedTea packages don't have TLS/SSL support as they don't come
> with a certificate store.  In the Java world we need to import certificates
> into a keystore.  (This is, unfortunately, not reproducible.)
>
> These three patches add a build phase to icedtea-6 to generate a keystore from
> the certificates in the nss-certs package.  I've tested this with the Java
> bindings for git and an HTTPS URL of a repository.
>
> For some reason generating a keystore fails with icedtea-8, so I'm explicitly
> deleting the build phase there.  I'm not sure why this happens.
>
> Overall I think this is an improvement, but more work is needed here.
>
> What do you think?

I haven't looked at the patches, but I would like to say that I have run
into the missing certificates with Java.  I haven't looked at whether
this resolves the problem either, but I would like to thank you for your
work in this area.

I really appreciate your work on IcedTea and Java packages.

Thanks,
Roel

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package.
  2016-07-18 16:39   ` Leo Famulari
@ 2016-07-18 19:34     ` Ricardo Wurmus
  2016-07-18 19:39       ` Leo Famulari
  0 siblings, 1 reply; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-18 19:34 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


Leo Famulari <leo@famulari.name> writes:

> On Mon, Jul 18, 2016 at 01:59:39PM +0200, Ricardo Wurmus wrote:
>> * gnu/packages/certs.scm (nss-certs): Stop inheriting from nss package.
>
> Why do we want to do this?
>
> It appears to me that the resulting package would be the same. Is there
> a plan to let the versions diverge in the future?

We have a module cycle when using the certs module from the java
module.  By separating “nss-certs” from the “nss” package we break the
cycle.  Ludo explained it well in this email:

    http://lists.gnu.org/archive/html/guix-devel/2016-06/msg00648.html

>> +;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
>
> Is this intentional?

Yes.  This patch is almost exactly the same as what Ludo proposed in the
email above.  I cannot take credit for this.

~~ Ricardo

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package.
  2016-07-18 19:34     ` Ricardo Wurmus
@ 2016-07-18 19:39       ` Leo Famulari
  0 siblings, 0 replies; 19+ messages in thread
From: Leo Famulari @ 2016-07-18 19:39 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

On Mon, Jul 18, 2016 at 09:34:18PM +0200, Ricardo Wurmus wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Mon, Jul 18, 2016 at 01:59:39PM +0200, Ricardo Wurmus wrote:
> >> * gnu/packages/certs.scm (nss-certs): Stop inheriting from nss package.
> >
> > Why do we want to do this?
> >
> > It appears to me that the resulting package would be the same. Is there
> > a plan to let the versions diverge in the future?
> 
> We have a module cycle when using the certs module from the java
> module.  By separating “nss-certs” from the “nss” package we break the
> cycle.  Ludo explained it well in this email:
> 
>     http://lists.gnu.org/archive/html/guix-devel/2016-06/msg00648.html
> 
> >> +;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
> >
> > Is this intentional?
> 
> Yes.  This patch is almost exactly the same as what Ludo proposed in the
> email above.  I cannot take credit for this.

Ah, thanks for explaining!

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package.
  2016-07-18 11:59 ` [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package Ricardo Wurmus
  2016-07-18 16:39   ` Leo Famulari
@ 2016-07-19 12:44   ` Ludovic Courtès
  1 sibling, 0 replies; 19+ messages in thread
From: Ludovic Courtès @ 2016-07-19 12:44 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:

> From: Ricardo Wurmus <rekado@elephly.net>
>
> * gnu/packages/certs.scm (nss-certs): Stop inheriting from nss package.

OK!

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 2/3] gnu: icedtea-6: Use modify-phases syntax.
  2016-07-18 11:59 ` [PATCH 2/3] gnu: icedtea-6: Use modify-phases syntax Ricardo Wurmus
@ 2016-07-19 12:45   ` Ludovic Courtès
  0 siblings, 0 replies; 19+ messages in thread
From: Ludovic Courtès @ 2016-07-19 12:45 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:

> From: Ricardo Wurmus <rekado@elephly.net>
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Use modify-phases
>   syntax.

LGTM.

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-18 11:59 ` [PATCH 3/3] gnu: icedtea-6: Generate keystore Ricardo Wurmus
@ 2016-07-19 12:51   ` Ludovic Courtès
  2016-07-19 13:03     ` Ricardo Wurmus
  2016-07-22 19:14     ` Ricardo Wurmus
  0 siblings, 2 replies; 19+ messages in thread
From: Ludovic Courtès @ 2016-07-19 12:51 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:

> From: Ricardo Wurmus <rekado@elephly.net>
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
> "install-keystore".
> [native-inputs]: Add nss-certs and openssl.

[...]

> +         (add-after 'install 'install-keystore
> +           (lambda* (#:key inputs outputs #:allow-other-keys)

Could you add a comment to explain what’s going on here?

Too bad IcedTea’s build system doesn’t take care of that.

> +             (let* ((keystore  "cacerts")
> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
> +                                              "/etc/ssl/certs"))
> +                    (keytool   (string-append (assoc-ref outputs "jdk")
> +                                              "/bin/keytool"))
> +                    (openssl   (which "openssl"))
> +                    (recent    (date->time-utc (string->date "2016-1-1"
> +                                                             "~Y-~m-~d"))))
> +               (define (valid? cert)
> +                 (let* ((port (open-pipe* OPEN_READ openssl
> +                                          "x509" "-enddate" "-in" cert "-noout"))
> +                        (str  (read-line port))
> +                        (end  (begin (close-pipe port)
> +                                     ;; TODO: use match?
> +                                     (cadr (string-split str #\=)))))

Why not use ‘match’, indeed.  :-)  No big deal though.

> +                   (time>? (date->time-utc
> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
> +
> +               (define (import-cert cert)
> +                 (format #t "Importing certificate ~a\n" (basename cert))
> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
> +                                          "-import"
> +                                          "-alias" (basename cert)
> +                                          "-keystore" keystore
> +                                          "-storepass" "changeit"
> +                                          "-file" cert)))
> +                   (display "yes\n" port)
> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))

Maybe (zero? (status:exit-val …)).

> +                     (format (current-error-port)
> +                             "Failed to import certificate.\n"))))

Rather (error "failed to import" cert) so the process stops here.

> +               ;; This is necessary because the certificate directory contains
> +               ;; files with non-ASCII characters in their names.
> +               (setlocale LC_ALL "en_US.utf8")
> +               (setenv "LC_ALL" "en_US.utf8")
> +
> +               (for-each import-cert
> +                         (filter valid? (find-files certs-dir "\\.pem$")))

Why do we need to filter out invalid certificates?

The problem I see is that the result of ‘valid?’, and thus the output of
the build process, depends on the build time, which isn’t great.

I would prefer to unconditionally install all the certificates if that
doesn’t cause any problems.  WDYT?

Thank you for working on it!

Ludo’.

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-19 12:51   ` Ludovic Courtès
@ 2016-07-19 13:03     ` Ricardo Wurmus
  2016-07-22 19:14     ` Ricardo Wurmus
  1 sibling, 0 replies; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-19 13:03 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


Ludovic Courtès <ludo@gnu.org> writes:

> Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:
>
>> From: Ricardo Wurmus <rekado@elephly.net>
>>
>> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
>> "install-keystore".
>> [native-inputs]: Add nss-certs and openssl.
>
> [...]
>
>> +         (add-after 'install 'install-keystore
>> +           (lambda* (#:key inputs outputs #:allow-other-keys)
>
> Could you add a comment to explain what’s going on here?

Okay, I’ll add a comment.

> Too bad IcedTea’s build system doesn’t take care of that.

Yeah, there is an old bug report about this, but its resolution has been
pushed to later releases repeatedly.  All distributions have their own
bash scripts to generate a keystore.

>> +             (let* ((keystore  "cacerts")
>> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
>> +                                              "/etc/ssl/certs"))
>> +                    (keytool   (string-append (assoc-ref outputs "jdk")
>> +                                              "/bin/keytool"))
>> +                    (openssl   (which "openssl"))
>> +                    (recent    (date->time-utc (string->date "2016-1-1"
>> +                                                             "~Y-~m-~d"))))
>> +               (define (valid? cert)
>> +                 (let* ((port (open-pipe* OPEN_READ openssl
>> +                                          "x509" "-enddate" "-in" cert "-noout"))
>> +                        (str  (read-line port))
>> +                        (end  (begin (close-pipe port)
>> +                                     ;; TODO: use match?
>> +                                     (cadr (string-split str #\=)))))
>
> Why not use ‘match’, indeed.  :-)  No big deal though.
>
>> +                   (time>? (date->time-utc
>> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
>> +
>> +               (define (import-cert cert)
>> +                 (format #t "Importing certificate ~a\n" (basename cert))
>> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
>> +                                          "-import"
>> +                                          "-alias" (basename cert)
>> +                                          "-keystore" keystore
>> +                                          "-storepass" "changeit"
>> +                                          "-file" cert)))
>> +                   (display "yes\n" port)
>> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))
>
> Maybe (zero? (status:exit-val …)).

Okay.

>> +                     (format (current-error-port)
>> +                             "Failed to import certificate.\n"))))
>
> Rather (error "failed to import" cert) so the process stops here.

Yes, that’s better.  I changed this for testing purposes and forgot to
change it back.

>> +               ;; This is necessary because the certificate directory contains
>> +               ;; files with non-ASCII characters in their names.
>> +               (setlocale LC_ALL "en_US.utf8")
>> +               (setenv "LC_ALL" "en_US.utf8")
>> +
>> +               (for-each import-cert
>> +                         (filter valid? (find-files certs-dir "\\.pem$")))
>
> Why do we need to filter out invalid certificates?
>
> The problem I see is that the result of ‘valid?’, and thus the output of
> the build process, depends on the build time, which isn’t great.

It actually depends on the arbitrary value of “recent”, which I set to
2016-1-1, but I must admit that I don’t know if we really must filter
out invalid certs at all.  I don’t know if it is a problem if invalid
certs are part of the keystore.  Maybe it’s not an issue.

~~ Ricardo

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-19 12:51   ` Ludovic Courtès
  2016-07-19 13:03     ` Ricardo Wurmus
@ 2016-07-22 19:14     ` Ricardo Wurmus
  2016-07-23 18:32       ` Andreas Enge
  1 sibling, 1 reply; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-22 19:14 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


Ludovic Courtès <ludo@gnu.org> writes:

> Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:
>
>> From: Ricardo Wurmus <rekado@elephly.net>
>>
>> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
>> "install-keystore".
>> [native-inputs]: Add nss-certs and openssl.
>
> [...]
>
>> +         (add-after 'install 'install-keystore
>> +           (lambda* (#:key inputs outputs #:allow-other-keys)
>
> Could you add a comment to explain what’s going on here?
>
> Too bad IcedTea’s build system doesn’t take care of that.
>
>> +             (let* ((keystore  "cacerts")
>> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
>> +                                              "/etc/ssl/certs"))
>> +                    (keytool   (string-append (assoc-ref outputs "jdk")
>> +                                              "/bin/keytool"))
>> +                    (openssl   (which "openssl"))
>> +                    (recent    (date->time-utc (string->date "2016-1-1"
>> +                                                             "~Y-~m-~d"))))
>> +               (define (valid? cert)
>> +                 (let* ((port (open-pipe* OPEN_READ openssl
>> +                                          "x509" "-enddate" "-in" cert "-noout"))
>> +                        (str  (read-line port))
>> +                        (end  (begin (close-pipe port)
>> +                                     ;; TODO: use match?
>> +                                     (cadr (string-split str #\=)))))
>
> Why not use ‘match’, indeed.  :-)  No big deal though.
>
>> +                   (time>? (date->time-utc
>> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
>> +
>> +               (define (import-cert cert)
>> +                 (format #t "Importing certificate ~a\n" (basename cert))
>> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
>> +                                          "-import"
>> +                                          "-alias" (basename cert)
>> +                                          "-keystore" keystore
>> +                                          "-storepass" "changeit"
>> +                                          "-file" cert)))
>> +                   (display "yes\n" port)
>> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))
>
> Maybe (zero? (status:exit-val …)).
>
>> +                     (format (current-error-port)
>> +                             "Failed to import certificate.\n"))))
>
> Rather (error "failed to import" cert) so the process stops here.
>
>> +               ;; This is necessary because the certificate directory contains
>> +               ;; files with non-ASCII characters in their names.
>> +               (setlocale LC_ALL "en_US.utf8")
>> +               (setenv "LC_ALL" "en_US.utf8")
>> +
>> +               (for-each import-cert
>> +                         (filter valid? (find-files certs-dir "\\.pem$")))
>
> Why do we need to filter out invalid certificates?
>
> The problem I see is that the result of ‘valid?’, and thus the output of
> the build process, depends on the build time, which isn’t great.
>
> I would prefer to unconditionally install all the certificates if that
> doesn’t cause any problems.  WDYT?

I removed the validation (because I expect certs to be validated at
runtime).  I also added a comment explaining why this is needed and made
the suggested changes.

(I pushed from my workstation without signing key, because I forgot that
I normally push from my laptop.  Sorry, won’t happen again!  Key
replacement is on my list, and then I’ll get myself a subkey for the
office workstation.)

Thanks for the review!

~~ Ricardo

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-22 19:14     ` Ricardo Wurmus
@ 2016-07-23 18:32       ` Andreas Enge
  2016-07-23 21:19         ` Ricardo Wurmus
  0 siblings, 1 reply; 19+ messages in thread
From: Andreas Enge @ 2016-07-23 18:32 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Hello, Ricardo!

Icedtea@1 in master now fails to build in the install-keystore phase.
   http://hydra.gnu.org:3000/build/1309224
   http://hydra.gnu.org:3000/build/1308950
Could you have a look, please?

Andreas

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-23 18:32       ` Andreas Enge
@ 2016-07-23 21:19         ` Ricardo Wurmus
  2016-07-23 21:33           ` Ricardo Wurmus
  0 siblings, 1 reply; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-23 21:19 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel


Andreas Enge <andreas@enge.fr> writes:

> Hello, Ricardo!
>
> Icedtea@1 in master now fails to build in the install-keystore phase.
>    http://hydra.gnu.org:3000/build/1309224
>    http://hydra.gnu.org:3000/build/1308950
> Could you have a look, please?

Hmm, that’s strange.  I ran “guix build icedtea” after removing the
validation filter and built out all three versions of icedtea before
pushing this.

I don’t have the very same version of the “keytool” binary on my machine
right now (with the very same version of nss-certs as on hydra), but in
principle this works without errors:

~~~~~~~~~~~~
/gnu/store/r63vag0814nz79xr9g2ph6fvhq5xp2f3-icedtea-2.6.6/bin/keytool \
  -import \
  -alias ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem \
  -keystore /tmp/keystore \
  -storepass changeit \
  -file /gnu/store/lp7s9x1llgw1rc675yvslxsnpcyy05ld-nss-certs-3.23/etc/ssl/certs/ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem

…
Trust this certificate? [no]:  yes
Certificate was added to keystore
~~~~~~~~~~~~

The pem file looks like a valid X.509 certificate to me.

I cannot build icedtea@1 on my machine right now as I’m traveling, but I
just started a build remotely on my workstation in the office and it
failed.  I used to have an additional stripping phase that I removed at
some point.  As I continued to refine the new phase I must have used the
cached build of icedtea@1 without ever rebuilding it.  Sorry!

The keytool from icedtea@1 doesn’t like this certificate.  My hunch is
that we may need to remove comments from the certificate files, only
leaving the certificate block.

I’ll fix this as soon as I can.

~~ Ricardo

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-23 21:19         ` Ricardo Wurmus
@ 2016-07-23 21:33           ` Ricardo Wurmus
  2016-07-23 23:27             ` Andreas Enge
  0 siblings, 1 reply; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-23 21:33 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel



Ricardo Wurmus <rekado@elephly.net> writes:

> Andreas Enge <andreas@enge.fr> writes:
>
>> Hello, Ricardo!
>>
>> Icedtea@1 in master now fails to build in the install-keystore phase.
>>    http://hydra.gnu.org:3000/build/1309224
>>    http://hydra.gnu.org:3000/build/1308950
>> Could you have a look, please?

[…]

> The keytool from icedtea@1 doesn’t like this certificate.  My hunch is
> that we may need to remove comments from the certificate files, only
> leaving the certificate block.
>
> I’ll fix this as soon as I can.

Attached is an untested patch to fix this.  I’m now building icedtea@1
again with this patch (on a remote machine).  Not sure when I can check
on the result as I’ll be out for the most part of tomorrow.

You’re welcome to give it a try yourself!  (Who knows, maybe this change
would also allow us to reinstate the phase in the latest icedtea
version?)

~~ Ricardo



[-- Attachment #2: 0001-gnu-icedtea-6-Narrow-file-to-certificate-block.patch --]
[-- Type: text/x-patch, Size: 3337 bytes --]

From 04cafa35d7e226843cdccaf5a3ea5a82d9dc5d3e Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado@elephly.net>
Date: Sat, 23 Jul 2016 23:25:11 +0200
Subject: [PATCH] gnu: icedtea-6: Narrow file to certificate block.

* gnu/packages/java.scm (icedtea-6)[arguments]: Extract certificate
  blocks from pem files before importing.
---
 gnu/packages/java.scm | 39 ++++++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 2d50ad8..78e2143 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -535,17 +535,38 @@ build process and its dependencies, whereas Make uses Makefile format.")
                                               "/etc/ssl/certs"))
                     (keytool   (string-append (assoc-ref outputs "jdk")
                                               "/bin/keytool")))
+               (define (extract-cert file target)
+                 (call-with-input-file file
+                   (lambda (in)
+                     (call-with-output-file target
+                       (lambda (out)
+                         (let loop ((line (read-line in 'concat))
+                                    (copying? #f))
+                           (cond
+                            ((eof-object? line) #t)
+                            ((string-prefix? "-----BEGIN" line)
+                             (display line out)
+                             (loop (read-line in 'concat) #t))
+                            ((string-prefix? "-----END" line)
+                             (display line out)
+                             #t)
+                            (else
+                             (when copying? (display line out))
+                             (loop (read-line in 'concat) copying?)))))))))
                (define (import-cert cert)
                  (format #t "Importing certificate ~a\n" (basename cert))
-                 (let* ((port (open-pipe* OPEN_WRITE keytool
-                                          "-import"
-                                          "-alias" (basename cert)
-                                          "-keystore" keystore
-                                          "-storepass" "changeit"
-                                          "-file" cert)))
-                   (display "yes\n" port)
-                   (when (not (zero? (status:exit-val (close-pipe port))))
-                     (error "failed to import" cert))))
+                 (let ((temp (tmpfile)))
+                   (extract-cert cert temp)
+                   (let ((port (open-pipe* OPEN_WRITE keytool
+                                           "-import"
+                                           "-alias" (basename cert)
+                                           "-keystore" keystore
+                                           "-storepass" "changeit"
+                                           "-file" temp)))
+                     (display "yes\n" port)
+                     (when (not (zero? (status:exit-val (close-pipe port))))
+                       (error "failed to import" cert)))
+                   (delete-file temp)))
 
                ;; This is necessary because the certificate directory contains
                ;; files with non-ASCII characters in their names.
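Review bot: `(tmpfile)` in import-cert returns an open port, not a file name, so `(extract-cert cert temp)` hands a port to `call-with-output-file`, which expects a string; that is exactly the "Wrong type (expecting string)" failure in the `open-file` frame reported downthread. Use `mkstemp!` on a template string (closing the port it returns) or a fixed path under the build directory, and pass that name to `-file`. Two smaller points in extract-cert: the loop returns at the first `-----END` line, so a PEM file carrying more than one block only contributes the first, and `(string-prefix? "-----BEGIN" line)` accepts any PEM block type, so a file whose first block is not a CERTIFICATE would be fed to keytool as one; matching the full `-----BEGIN CERTIFICATE-----` marker and continuing the loop after `-----END` would cover both. `(delete-file temp)` is also skipped when `error` is raised, though that matters little since the build aborts there.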
-- 
2.9.0


^ permalink raw reply related	[flat|nested] 19+ messages in thread
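An added example, in Python rather than the patch's Guile, of the narrowing to the certificate block that the two messages above describe: comment lines, blank lines and any non-CERTIFICATE PEM block are dropped, a file with several CERTIFICATE blocks yields all of them, an unterminated block is refused, and the temporary file is handed back by name, which is what keytool's `-file` needs. This is not code from the Guix package; `SAMPLE_PEM` and the keytool path are constructed placeholders, and `-noprompt` (a real keytool option) stands in for the "yes" the phase writes to keytool's stdin.

```python
"""Narrow nss-certs style PEM files to their CERTIFICATE blocks before a
keytool import.  Added example in Python, not the Guix package's Guile code.
SAMPLE_PEM and the keytool path are constructed placeholders."""
import os
import tempfile

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample in the style of a certificate file with a comment
# header, one block of another PEM type (which keytool would not accept)
# and two plain CERTIFICATE blocks.  The base64 bodies are placeholders.
SAMPLE_PEM = """\
# Label: "Example Root CA" (constructed, not a real certificate)
# Serial: 1
-----BEGIN TRUSTED CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END TRUSTED CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBexampleRootCABodyPlaceholder00000000
MIIBexampleRootCABodyPlaceholder11111111
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBexampleSecondBlockPlaceholder2222222
-----END CERTIFICATE-----
"""


def extract_cert_blocks(text):
    """Return every CERTIFICATE block in `text`, each as one string ending
    in a newline.  Comments, blank lines and other PEM block types are
    dropped; an unterminated block raises, because a truncated certificate
    must not be imported silently."""
    blocks = []
    current = None          # lines of the block being copied, or None
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    if current is not None:
        raise ValueError("unterminated CERTIFICATE block")
    return blocks


def narrow_to_tempfile(text):
    """Write the CERTIFICATE blocks of `text` to a new temporary file and
    return its *name*.  keytool's -file option needs a path, which is why a
    port-returning helper (like Guile's tmpfile) cannot be used here."""
    blocks = extract_cert_blocks(text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    fd, name = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.writelines(blocks)
    return name


def keytool_import_argv(keytool, keystore, alias, pem_file,
                        storepass="changeit"):
    """Command line for importing one narrowed file, with the arguments the
    Guix phase uses; -noprompt replaces the "yes" written to keytool's
    stdin.  Built only, not executed."""
    return [keytool, "-import", "-noprompt", "-alias", alias,
            "-keystore", keystore, "-storepass", storepass,
            "-file", pem_file]


def narrow_cert_file(pem_path):
    """Narrow one on-disk PEM file; the alias is its basename, as in the
    phase.  Returns (alias, path of the narrowed temporary file)."""
    with open(pem_path, encoding="utf-8") as fh:
        narrowed = narrow_to_tempfile(fh.read())
    return os.path.basename(pem_path), narrowed


if __name__ == "__main__":
    tmp = narrow_to_tempfile(SAMPLE_PEM)
    print("narrowed file:", tmp)
    print(" ".join(keytool_import_argv("/path/to/jdk/bin/keytool",  # placeholder
                                       "cacerts", "example.pem", tmp)))
    os.remove(tmp)
```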

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-23 21:33           ` Ricardo Wurmus
@ 2016-07-23 23:27             ` Andreas Enge
  2016-07-24  7:43               ` Ricardo Wurmus
  0 siblings, 1 reply; 19+ messages in thread
From: Andreas Enge @ 2016-07-23 23:27 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

On Sat, Jul 23, 2016 at 11:33:12PM +0200, Ricardo Wurmus wrote:
> You’re welcome to give it a try yourself!  (Who knows, maybe this change
> would also allow us to reinstate the phase in the latest icedtea
> version?)

Unfortunately it fails for me with the following error message:

starting phase `install-keystore'
Importing certificate ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem
Backtrace:
In ice-9/boot-9.scm:
 157: 17 [catch #t #<catch-closure 8c9580> ...]
In unknown file:
   ?: 16 [apply-smob/1 #<catch-closure 8c9580>]
In ice-9/boot-9.scm:
  63: 15 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 14 [eval # #]
In ice-9/boot-9.scm:
2401: 13 [save-module-excursion #<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
4050: 12 [#<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
1724: 11 [%start-stack load-stack #<procedure 8f97c0 at ice-9/boot-9.scm:4041:10 ()>]
1729: 10 [#<procedure 8fcc60 ()>]
In unknown file:
   ?: 9 [primitive-load "/gnu/store/i0322cxlmymrnxrlsnplh4894fzjbj9h-icedtea-1.13.11-guile-builder"]
In ice-9/eval.scm:
 387: 8 [eval # ()]
In srfi/srfi-1.scm:
 830: 7 [every1 #<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> ...]
In /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:
 593: 6 [#<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> #]
In ice-9/eval.scm:
 432: 5 [eval # #]
In ice-9/boot-9.scm:
 768: 4 [for-each #<procedure 31c3a80 at ice-9/eval.scm:416:20 (a)> #]
In ice-9/eval.scm:
 432: 3 [eval # #]
In ice-9/boot-9.scm:
 867: 2 [call-with-input-file "/gnu/store/lp7s9x1llgw1rc675yvslxsnpcyy05ld-nss-certs-3.23/etc/ssl/certs/ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem" ...]
 883: 1 [call-with-output-file #<input-output: file 11> ...]
In unknown file:
   ?: 0 [open-file #<input-output: file 11> "w" #:encoding #f]

ERROR: In procedure open-file:
ERROR: Wrong type (expecting string): #<input-output: file 11>

Andreas


* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-23 23:27             ` Andreas Enge
@ 2016-07-24  7:43               ` Ricardo Wurmus
  2016-07-24  8:07                 ` Andreas Enge
  0 siblings, 1 reply; 19+ messages in thread
From: Ricardo Wurmus @ 2016-07-24  7:43 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel


Andreas Enge <andreas@enge.fr> writes:

> On Sat, Jul 23, 2016 at 11:33:12PM +0200, Ricardo Wurmus wrote:
>> You’re welcome to give it a try yourself!  (Who knows, maybe this change
>> would also allow us to reinstate the phase in the latest icedtea
>> version?)
>
> Unfortunately it fails for me with the following error message:
>
> starting phase `install-keystore'
> Importing certificate ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem
> Backtrace:
> In ice-9/boot-9.scm:
>  157: 17 [catch #t #<catch-closure 8c9580> ...]
> In unknown file:
>    ?: 16 [apply-smob/1 #<catch-closure 8c9580>]
> In ice-9/boot-9.scm:
>   63: 15 [call-with-prompt prompt0 ...]
> In ice-9/eval.scm:
>  432: 14 [eval # #]
> In ice-9/boot-9.scm:
> 2401: 13 [save-module-excursion #<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
> 4050: 12 [#<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
> 1724: 11 [%start-stack load-stack #<procedure 8f97c0 at ice-9/boot-9.scm:4041:10 ()>]
> 1729: 10 [#<procedure 8fcc60 ()>]
> In unknown file:
>    ?: 9 [primitive-load "/gnu/store/i0322cxlmymrnxrlsnplh4894fzjbj9h-icedtea-1.13.11-guile-builder"]
> In ice-9/eval.scm:
>  387: 8 [eval # ()]
> In srfi/srfi-1.scm:
>  830: 7 [every1 #<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> ...]
> In /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:
>  593: 6 [#<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> #]
> In ice-9/eval.scm:
>  432: 5 [eval # #]
> In ice-9/boot-9.scm:
>  768: 4 [for-each #<procedure 31c3a80 at ice-9/eval.scm:416:20 (a)> #]
> In ice-9/eval.scm:
>  432: 3 [eval # #]
> In ice-9/boot-9.scm:
>  867: 2 [call-with-input-file "/gnu/store/lp7s9x1llgw1rc675yvslxsnpcyy05ld-nss-certs-3.23/etc/ssl/certs/ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem" ...]
>  883: 1 [call-with-output-file #<input-output: file 11> ...]
> In unknown file:
>    ?: 0 [open-file #<input-output: file 11> "w" #:encoding #f]
>
> ERROR: In procedure open-file:
> ERROR: Wrong type (expecting string): #<input-output: file 11>

Oh, “(tmpfile)” returns a port.  Changed to a string (it can be the same
temp file for each certificate), rebuilt all three icedtea packages
successfully, and pushed to master as
6af691723ed6c70fc468768e1e07b19b27c6f4d8.

Thanks again for reporting this!

~~ Ricardo

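The failure in the backtrace and the fix described above, as an added Guile example that is not the Guix phase from the thread: `(tmpfile)` yields a port, but `call-with-output-file` wants a file name string, so a fixed temp file name is used instead. The `extract-cert` and `install-keystore` procedures, the `certs-dir` layout and the `changeit` store password are assumptions of this example.

```scheme
;; Added example, not the Guix code from the thread.  Assumes Guile 2.x,
;; `keytool' on PATH, and a hypothetical CERTS-DIR holding one PEM per cert.
(use-modules (ice-9 rdelim)   ; read-line
             (ice-9 ftw))     ; scandir

;; Copy only the BEGIN/END CERTIFICATE block of PEM-FILE to TARGET.
;; TARGET must be a file *name* (a string), not a port.
(define (extract-cert pem-file target)
  (call-with-input-file pem-file
    (lambda (in)
      (call-with-output-file target
        (lambda (out)
          (let loop ((line (read-line in 'concat)) (copying? #f))
            (cond ((eof-object? line) #t)
                  ((string-prefix? "-----BEGIN CERTIFICATE-----" line)
                   (display line out)
                   (loop (read-line in 'concat) #t))
                  ((string-prefix? "-----END CERTIFICATE-----" line)
                   (display line out)
                   #t)
                  (else
                   (when copying? (display line out))
                   (loop (read-line in 'concat) copying?)))))))))

;; The bug from the backtrace: (tmpfile) returns a PORT, so
;;   (call-with-output-file (tmpfile) ...)
;; raises "Wrong type (expecting string): #<input-output: file N>".
;; The fix: one fixed temp file name, reused for every certificate.
(define (install-keystore certs-dir keystore)
  (let ((temp "tmpcert.pem"))   ; plain string, as the fix requires
    (for-each
     (lambda (name)
       (let ((cert (string-append certs-dir "/" name)))
         (format #t "Importing certificate ~a~%" name)
         (extract-cert cert temp)
         ;; -noprompt: trust without asking; "changeit" is the JDK default
         ;; cacerts password (assumed here, not taken from the thread).
         (unless (zero? (system* "keytool" "-importcert" "-noprompt"
                                 "-keystore" keystore
                                 "-storepass" "changeit"
                                 "-alias" (basename name ".pem")
                                 "-file" temp))
           (error "keytool failed for" name))))
     (scandir certs-dir (lambda (f) (string-suffix? ".pem" f))))
    (delete-file temp)))
```

Calling `(install-keystore "/path/to/certs" "cacerts")` imports each PEM under its basename as alias; the resulting keystore is still not bit-for-bit reproducible, as the cover letter notes.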

* Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
  2016-07-24  7:43               ` Ricardo Wurmus
@ 2016-07-24  8:07                 ` Andreas Enge
  0 siblings, 0 replies; 19+ messages in thread
From: Andreas Enge @ 2016-07-24  8:07 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

On Sun, Jul 24, 2016 at 09:43:59AM +0200, Ricardo Wurmus wrote:
> Thanks again for reporting this!

Thanks for fixing it so quickly! 2 more packages out of the 700 that
currently fail :-)

Andreas
