From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Fri, 22 Jul 2016 21:14:59 +0200 [thread overview]
Message-ID: <878twteb7w.fsf@mdc-berlin.de> (raw)
In-Reply-To: <87fur5lrje.fsf@gnu.org>
Ludovic Courtès <ludo@gnu.org> writes:
> Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:
>
>> From: Ricardo Wurmus <rekado@elephly.net>
>>
>> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
>> "install-keystore".
>> [native-inputs]: Add nss-certs and openssl.
>
> [...]
>
>> + (add-after 'install 'install-keystore
>> + (lambda* (#:key inputs outputs #:allow-other-keys)
>
> Could you add a comment to explain what’s going on here?
>
> Too bad IceTea’s build system doesn’t take care of that.
>
>> + (let* ((keystore "cacerts")
>> + (certs-dir (string-append (assoc-ref inputs "nss-certs")
>> + "/etc/ssl/certs"))
>> + (keytool (string-append (assoc-ref outputs "jdk")
>> + "/bin/keytool"))
>> + (openssl (which "openssl"))
>> + (recent (date->time-utc (string->date "2016-1-1"
>> + "~Y-~m-~d"))))
>> + (define (valid? cert)
>> + (let* ((port (open-pipe* OPEN_READ openssl
>> + "x509" "-enddate" "-in" cert "-noout"))
>> + (str (read-line port))
>> + (end (begin (close-pipe port)
>> + ;; TODO: use match?
>> + (cadr (string-split str #\=)))))
>
> Why not use ‘match’, indeed. :-) No big deal though.
>
>> + (time>? (date->time-utc
>> + (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
>> +
>> + (define (import-cert cert)
>> + (format #t "Importing certificate ~a\n" (basename cert))
>> + (let* ((port (open-pipe* OPEN_WRITE keytool
>> + "-import"
>> + "-alias" (basename cert)
>> + "-keystore" keystore
>> + "-storepass" "changeit"
>> + "-file" cert)))
>> + (display "yes\n" port)
>> + (when (not (eqv? 0 (status:exit-val (close-pipe port))))
>
> Maybe (zero? (status:exit-val …)).
>
>> + (format (current-error-port)
>> + "Failed to import certificate.\n"))))
>
> Rather (error "failed to import" cert) so the process stops here.
>
>> + ;; This is necessary because the certificate directory contains
>> + ;; files with non-ASCII characters in their names.
>> + (setlocale LC_ALL "en_US.utf8")
>> + (setenv "LC_ALL" "en_US.utf8")
>> +
>> + (for-each import-cert
>> + (filter valid? (find-files certs-dir "\\.pem$")))
>
> Why do we need to filter out invalid certificates?
>
> The problem I see is that the result of ‘valid?’, and thus the output of
> the build process, depends on the build time, which isn’t great.
>
> I would prefer to unconditionally install all the certificates if that
> doesn’t cause any problems. WDYT?
I removed the validation (because I expect certs to be validated at
runtime). I also added a comment explaining why this is needed and made
the suggested changes.
(I pushed from my workstation without signing key, because I forgot that
I normally push from my laptop. Sorry, won’t happen again! Key
replacement is on my list, and then I’ll get myself a subkey for the
office workstation.)
Thanks for the review!
~~ Ricardo
next prev parent reply other threads:[~2016-07-22 19:15 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-18 11:59 [PATCH 0/3] icedtea: Generate keystore Ricardo Wurmus
2016-07-18 11:59 ` [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package Ricardo Wurmus
2016-07-18 16:39 ` Leo Famulari
2016-07-18 19:34 ` Ricardo Wurmus
2016-07-18 19:39 ` Leo Famulari
2016-07-19 12:44 ` Ludovic Courtès
2016-07-18 11:59 ` [PATCH 2/3] gnu: icedtea-6: Use modify-phases syntax Ricardo Wurmus
2016-07-19 12:45 ` Ludovic Courtès
2016-07-18 11:59 ` [PATCH 3/3] gnu: icedtea-6: Generate keystore Ricardo Wurmus
2016-07-19 12:51 ` Ludovic Courtès
2016-07-19 13:03 ` Ricardo Wurmus
2016-07-22 19:14 ` Ricardo Wurmus [this message]
2016-07-23 18:32 ` Andreas Enge
2016-07-23 21:19 ` Ricardo Wurmus
2016-07-23 21:33 ` Ricardo Wurmus
2016-07-23 23:27 ` Andreas Enge
2016-07-24 7:43 ` Ricardo Wurmus
2016-07-24 8:07 ` Andreas Enge
2016-07-18 17:51 ` [PATCH 0/3] icedtea: " Roel Janssen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878twteb7w.fsf@mdc-berlin.de \
--to=ricardo.wurmus@mdc-berlin.de \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).