From: Ricardo Wurmus
Subject: Re: [PATCH] gnu: r-curl: Respect CURL_CA_BUNDLE variable.
Date: Wed, 21 Sep 2016 21:24:10 +0200
Message-ID: <87intp83ad.fsf@elephly.net>
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Tue, Sep 13, 2016 at 11:53:33PM +0200, Roel Janssen wrote:
>> This patch was essential to me being able to interact with HTTPS urls in
>> R. As far as I understand, by default, R only looks for CURL_CA_BUNDLE
>> on Windows, but with this patch it looks for CURL_CA_BUNDLE on GNU/Linux
>> as well. Is this correct?
>>
>> I can confirm it works for me, so I'd like to see this patch pushed.
>
> It's good to hear that it works, but I still think we should run it by
> the upstream maintainers. We are activating C code that they
> specifically decided not to use on GNU / Linux. Why did they do that?

The comments in the code indicate that on Windows they try to load the certs bundle that comes with R for Windows, i.e. in the R HOME’s “etc” directory. There is no such file on GNU, so no special handling is needed.

On GNU this is taken care of by libcurl. It comes with a default path to the certs bundle, which can be overridden with configure flags (“--with-ca-bundle” or “--with-ca-path”). In our Guix package we don’t do this (yet?), so by default SSL cert validation is broken.

libcurl does not respect CURL_CA_BUNDLE; it assumes that the application will override the CA bundle path if it needs a special path, otherwise it assumes that the default path is fine (using Guix this is not the case). The maintainers of the R curl package made the special case for Windows because it is not needed on GNU systems following the FHS.

The best fix here would be to patch libcurl such that it checks the CURL_CA_BUNDLE environment variable invariably, just like the curl command line tool does. Until this is done I think we should patch packages such as r-curl to make them usable. Once we have agreed on a fix to libcurl we can remove all patches to individual packages using libcurl.

~~ Ricardo
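
The application-side override described in the message above, sketched as an added example (not code from r-curl, libcurl or Guix): a C helper that decides whether a CURL_CA_BUNDLE value should be handed to libcurl's CURLOPT_CAINFO option. The name `choose_ca_bundle`, the `ca_source` enum and the choice to treat a set but unusable path as an error are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names, introduced for this added example only. */
enum ca_source { CA_FROM_ENV, CA_LIBCURL_DEFAULT, CA_ERROR };

/*
 * env_value is the value of CURL_CA_BUNDLE (NULL when unset).
 * Unset or empty: leave libcurl's compiled-in default path in place.
 * Set to a readable, non-empty regular file: use it as CURLOPT_CAINFO.
 * Set to anything else: report an error, so the caller fails closed
 * instead of silently falling back or switching verification off.
 */
enum ca_source choose_ca_bundle(const char *env_value, const char **out)
{
    struct stat st;

    *out = NULL;
    if (env_value == NULL || env_value[0] == '\0')
        return CA_LIBCURL_DEFAULT;
    if (stat(env_value, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_size == 0 || access(env_value, R_OK) != 0)
        return CA_ERROR;
    *out = env_value;
    return CA_FROM_ENV;
}

int main(void)
{
    const char *path;

    switch (choose_ca_bundle(getenv("CURL_CA_BUNDLE"), &path)) {
    case CA_FROM_ENV:
        /* A libcurl client would now call:
           curl_easy_setopt(handle, CURLOPT_CAINFO, path); */
        printf("CA bundle from CURL_CA_BUNDLE: %s\n", path);
        return 0;
    case CA_LIBCURL_DEFAULT:
        puts("CURL_CA_BUNDLE unset: libcurl's built-in default applies");
        return 0;
    default:
        fputs("CURL_CA_BUNDLE is set but is not a readable file\n", stderr);
        return 1;
    }
}
```

`stat` follows symbolic links, so a bundle that is a symlink into a profile or store directory is accepted as long as its target is a regular file.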