From mboxrd@z Thu Jan 1 00:00:00 1970 From: Carlo Zancanaro Subject: Re: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates. Date: Sun, 26 Feb 2017 11:44:06 +1100 Message-ID: <877f4d3hnt.fsf@zancanaro.id.au> References: Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:44384) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1chmwj-0006tD-8c for guix-devel@gnu.org; Sat, 25 Feb 2017 19:44:18 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1chmwe-00018s-C0 for guix-devel@gnu.org; Sat, 25 Feb 2017 19:44:17 -0500 In-reply-to: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Roel Janssen Cc: guix-devel@gnu.org --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain On Fri, Feb 10 2017, Roel Janssen wrote > [ ... ] I was getting frustrated at not having certificates with java 8 (it's surprisingly annoying to have to use one environment with java 7 to download dependencies with maven, then a different environment with java 8 to actually run your program), so I downloaded and tried out your patch. It seems to work! But then I wondered, could we just change the generate-keystore phase of the icedtea-6 package to log a failed certificate import without failing the build? Then we could move the permissions change there, too, which would give us a smaller patch that should accomplish a similar result (attached). --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-icedtea-6-Modify-certificate-import-to-not-fail-.patch Content-Transfer-Encoding: quoted-printable From=20b1ed0d53a72f95fdc42fa3741ae16726782ad414 Mon Sep 17 00:00:00 2001 From: Carlo Zancanaro Date: Sun, 26 Feb 2017 11:34:44 +1100 Subject: [PATCH] gnu: icedtea-6: Modify certificate import to not fail for icedtea-8. * gnu/packages/java.scm (icedtea-6)[arguments]: Fix install-keystore phase = to not fail the build when attempting to import unsupported certificate types (which occur with icedtea-8, which inherits from icedtea-6). Also ensure that the keystore is able to be written to before copying it. =2D-- gnu/packages/java.scm | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index e7479e1b0..c7f9b9aad 100644 =2D-- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm @@ -706,7 +706,7 @@ build process and its dependencies, whereas Make uses M= akefile format.") "-file" temp))) (display "yes\n" port) (when (not (zero? (status:exit-val (close-pipe port))= )) =2D (error "failed to import" cert))) + (format #t "failed to import ~a\n" cert))) (delete-file temp))) =20 ;; This is necessary because the certificate directory cont= ains @@ -719,6 +719,15 @@ build process and its dependencies, whereas Make uses = Makefile format.") "/lib/security")) (mkdir-p (string-append (assoc-ref outputs "jdk") "/jre/lib/security")) + + ;; The cacerts files we are going to overwrite are chmod'ed= as + ;; read-only (444) in icedtea-8 (which derives from this + ;; package). We have to change this so we can overwrite th= em. + (chmod (string-append (assoc-ref outputs "out") + "/lib/security/" keystore) #o644) + (chmod (string-append (assoc-ref outputs "jdk") + "/jre/lib/security/" keystore) #o644) + (install-file keystore (string-append (assoc-ref outputs "out") "/lib/security")) @@ -1023,9 +1032,6 @@ build process and its dependencies, whereas Make uses= Makefile format.") (find-files "openjdk.src/jdk/src/solaris/native" "\\.c|\\.h")) #t))) =2D ;; FIXME: This phase is needed but fails with this version = of =2D ;; IcedTea. =2D (delete 'install-keystore) (replace 'install (lambda* (#:key outputs #:allow-other-keys) (let ((doc (string-append (assoc-ref outputs "doc") =2D-=20 2.11.1 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEETnMK3I26XHaBYsl5wFUlyLtgbSsFAliyJNYACgkQwFUlyLtg bSudHQf/WbF/ql0TmiSN3Myp3p/glN4oLDnkm2vibVSaP3uCM9xXPOMGr+aPI9Ej o3ou9MjQPOG1+snHXipy6+EZBTIM9vmy1HZZgZMA7ExPNvbhimxNzlw92MF7G0cx F74m/nIXWLPE3S1jJUCjRssh3pPiNDfP2jB029GP54+Hh1vH4gRoJlh4hf/dNViE G2LwjBlWn6D0NKyWQssQDYzt4nVdLJRcWCwbdw01hDnPWHtbEif5UN2n0WP1KK2z NZ35I33brGVYTaHPnM38VAjdOwIoyo3mUt3JeGCV3G/oe4Bb2ClQOxZRIeMHKsYG ZC4z9N1l1QV3CALChrXAIEDrGHSogw== =xZaY -----END PGP SIGNATURE----- --==-=-=--