From mboxrd@z Thu Jan  1 00:00:00 1970
From: Carlo Zancanaro <carlo@zancanaro.id.au>
Subject: Re: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey
	certificates.
Date: Sun, 26 Feb 2017 11:44:06 +1100
Message-ID: <877f4d3hnt.fsf@zancanaro.id.au>
References: <rbuwpcycmd1.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44384)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <carlozancanaro@gmail.com>) id 1chmwj-0006tD-8c
	for guix-devel@gnu.org; Sat, 25 Feb 2017 19:44:18 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <carlozancanaro@gmail.com>) id 1chmwe-00018s-C0
	for guix-devel@gnu.org; Sat, 25 Feb 2017 19:44:17 -0500
In-reply-to: <rbuwpcycmd1.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Roel Janssen <roel@gnu.org>
Cc: guix-devel@gnu.org

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

On Fri, Feb 10 2017, Roel Janssen wrote
> [ ... ]

I was getting frustrated at not having certificates with java 8 (it's
surprisingly annoying to have to use one environment with java 7 to
download dependencies with maven, then a different environment with java
8 to actually run your program), so I downloaded and tried out your
patch. It seems to work!

But then I wondered, could we just change the generate-keystore phase of
the icedtea-6 package to log a failed certificate import without failing
the build? Then we could move the permissions change there, too, which
would give us a smaller patch that should accomplish a similar result
(attached).


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0001-gnu-icedtea-6-Modify-certificate-import-to-not-fail-.patch
Content-Transfer-Encoding: quoted-printable

From=20b1ed0d53a72f95fdc42fa3741ae16726782ad414 Mon Sep 17 00:00:00 2001
From: Carlo Zancanaro <carlo@zancanaro.id.au>
Date: Sun, 26 Feb 2017 11:34:44 +1100
Subject: [PATCH] gnu: icedtea-6: Modify certificate import to not fail for
 icedtea-8.

* gnu/packages/java.scm (icedtea-6)[arguments]: Fix install-keystore phase =
to
  not fail the build when attempting to import unsupported certificate
  types (which occur with icedtea-8, which inherits from icedtea-6). Also
  ensure that the keystore is able to be written to before copying it.
=2D--
 gnu/packages/java.scm | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index e7479e1b0..c7f9b9aad 100644
=2D-- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -706,7 +706,7 @@ build process and its dependencies, whereas Make uses M=
akefile format.")
                                            "-file" temp)))
                      (display "yes\n" port)
                      (when (not (zero? (status:exit-val (close-pipe port))=
))
=2D                       (error "failed to import" cert)))
+                       (format #t "failed to import ~a\n" cert)))
                    (delete-file temp)))
=20
                ;; This is necessary because the certificate directory cont=
ains
@@ -719,6 +719,15 @@ build process and its dependencies, whereas Make uses =
Makefile format.")
                                        "/lib/security"))
                (mkdir-p (string-append (assoc-ref outputs "jdk")
                                        "/jre/lib/security"))
+
+               ;; The cacerts files we are going to overwrite are chmod'ed=
 as
+               ;; read-only (444) in icedtea-8 (which derives from this
+               ;; package).  We have to change this so we can overwrite th=
em.
+               (chmod (string-append (assoc-ref outputs "out")
+                                     "/lib/security/" keystore) #o644)
+               (chmod (string-append (assoc-ref outputs "jdk")
+                                     "/jre/lib/security/" keystore) #o644)
+
                (install-file keystore
                              (string-append (assoc-ref outputs "out")
                                             "/lib/security"))
@@ -1023,9 +1032,6 @@ build process and its dependencies, whereas Make uses=
 Makefile format.")
                     (find-files "openjdk.src/jdk/src/solaris/native"
                                 "\\.c|\\.h"))
                    #t)))
=2D             ;; FIXME: This phase is needed but fails with this version =
of
=2D             ;; IcedTea.
=2D             (delete 'install-keystore)
              (replace 'install
                (lambda* (#:key outputs #:allow-other-keys)
                  (let ((doc (string-append (assoc-ref outputs "doc")
=2D-=20
2.11.1


--=-=-=--

--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEETnMK3I26XHaBYsl5wFUlyLtgbSsFAliyJNYACgkQwFUlyLtg
bSudHQf/WbF/ql0TmiSN3Myp3p/glN4oLDnkm2vibVSaP3uCM9xXPOMGr+aPI9Ej
o3ou9MjQPOG1+snHXipy6+EZBTIM9vmy1HZZgZMA7ExPNvbhimxNzlw92MF7G0cx
F74m/nIXWLPE3S1jJUCjRssh3pPiNDfP2jB029GP54+Hh1vH4gRoJlh4hf/dNViE
G2LwjBlWn6D0NKyWQssQDYzt4nVdLJRcWCwbdw01hDnPWHtbEif5UN2n0WP1KK2z
NZ35I33brGVYTaHPnM38VAjdOwIoyo3mUt3JeGCV3G/oe4Bb2ClQOxZRIeMHKsYG
ZC4z9N1l1QV3CALChrXAIEDrGHSogw==
=xZaY
-----END PGP SIGNATURE-----
--==-=-=--