unofficial mirror of guix-devel@gnu.org 
From: Roel Janssen <roel@gnu.org>
To: Carlo Zancanaro <carlo@zancanaro.id.au>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.
Date: Sun, 26 Feb 2017 18:02:08 +0100
Message-ID: <87fuj03my7.fsf@gnu.org>
In-Reply-To: <877f4d3hnt.fsf@zancanaro.id.au>


Carlo Zancanaro writes:

> On Fri, Feb 10 2017, Roel Janssen wrote
>> [ ... ]
>
> I was getting frustrated at not having certificates with java 8 (it's
> surprisingly annoying to have to use one environment with java 7 to
> download dependencies with maven, then a different environment with java
> 8 to actually run your program), so I downloaded and tried out your
> patch. It seems to work!

Thanks for picking up the patch!

> But then I wondered, could we just change the generate-keystore phase of
> the icedtea-6 package to log a failed certificate import without failing
> the build? Then we could move the permissions change there, too, which
> would give us a smaller patch that should accomplish a similar result
> (attached).

Great idea.  This is also a more durable solution for when certificates
change in nss-certs.

> From b1ed0d53a72f95fdc42fa3741ae16726782ad414 Mon Sep 17 00:00:00 2001
> From: Carlo Zancanaro <carlo@zancanaro.id.au>
> Date: Sun, 26 Feb 2017 11:34:44 +1100
> Subject: [PATCH] gnu: icedtea-6: Modify certificate import to not fail for
>  icedtea-8.
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Fix install-keystore phase to
>   not fail the build when attempting to import unsupported certificate
>   types (which occur with icedtea-8, which inherits from icedtea-6). Also
>   ensure that the keystore is able to be written to before copying it.
> ---
>  gnu/packages/java.scm | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index e7479e1b0..c7f9b9aad 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -706,7 +706,7 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                                             "-file" temp)))
>                       (display "yes\n" port)
>                       (when (not (zero? (status:exit-val (close-pipe port))))
> -                       (error "failed to import" cert)))
> +                       (format #t "failed to import ~a\n" cert)))
>                     (delete-file temp)))
>  
>                 ;; This is necessary because the certificate directory contains
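
Review bot: in the `(when (not (zero? (status:exit-val (close-pipe port)))) ...)` branch, replacing `error` with `format #t` turns every non-zero exit of the import command into a log line, not only the unsupported certificate types the commit message names. A keystore that ends up with few or no trusted certificates would still pass the build. Consider counting the successful imports and raising an error when that count is zero, and writing the failure message to `(current-error-port)` so it stands out in the build log.
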
> @@ -719,6 +719,15 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                                         "/lib/security"))
>                 (mkdir-p (string-append (assoc-ref outputs "jdk")
>                                         "/jre/lib/security"))
> +
> +               ;; The cacerts files we are going to overwrite are chmod'ed as
> +               ;; read-only (444) in icedtea-8 (which derives from this
> +               ;; package).  We have to change this so we can overwrite them.
> +               (chmod (string-append (assoc-ref outputs "out")
> +                                     "/lib/security/" keystore) #o644)
> +               (chmod (string-append (assoc-ref outputs "jdk")
> +                                     "/jre/lib/security/" keystore) #o644)
> +
>                 (install-file keystore
>                               (string-append (assoc-ref outputs "out")
>                                              "/lib/security"))
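
Review bot: the two added `chmod` calls run unconditionally right after `mkdir-p` on the same directories, which suggests the directory (and so the keystore file inside it) may not exist yet for some package using this phase; `chmod` on a missing file raises a system error and would abort the phase. Guard each call with `file-exists?`, and bind the two destination directories once in a `let` so the `chmod` and `install-file` calls cannot drift apart.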

I checked to see if the keystore is actually chmod'ed back to #o444, and
it is!  So this looks fine to me as well.

> @@ -1023,9 +1032,6 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                      (find-files "openjdk.src/jdk/src/solaris/native"
>                                  "\\.c|\\.h"))
>                     #t)))
> -             ;; FIXME: This phase is needed but fails with this version of
> -             ;; IcedTea.
> -             (delete 'install-keystore)
>               (replace 'install
>                 (lambda* (#:key outputs #:allow-other-keys)
>                   (let ((doc (string-append (assoc-ref outputs "doc")
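
Review bot: the removal of `(delete 'install-keystore)` edits the phases of a second package (the one that inherits the phase, per the commit message icedtea-8), but the changelog entry only lists `(icedtea-6)[arguments]`. Add an entry for the package changed here, stating that the install-keystore phase is no longer deleted. Since the FIXME goes away with it, a short comment in the inherited phase saying that unsupported certificate types are skipped rather than fatal would keep that behaviour documented.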

I tried this patch and it works fine.

I think we should add ourselves to the copyright notice.
Other than that, I think this patch is good to be pushed.

Kind regards,
Roel Janssen
