From: Ricardo Wurmus
Subject: Re: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.
Date: Mon, 27 Feb 2017 16:01:17 +0100
Message-ID: <87shmzk79e.fsf@elephly.net>
In-reply-to: <877f4d3hnt.fsf@zancanaro.id.au>
To: Carlo Zancanaro
Cc: guix-devel@gnu.org

Carlo Zancanaro writes:

> But then I wondered, could we just change the generate-keystore phase of
> the icedtea-6 package to log a failed certificate import without failing
> the build? Then we could move the permissions change there, too, which
> would give us a smaller patch that should accomplish a similar result
> (attached).

Hmm, I have a slight preference to have the build fail in those cases, because that prompts us to fix the underlying problem. Roel’s fix seems more direct, even though it results in more lines of code.

> From b1ed0d53a72f95fdc42fa3741ae16726782ad414 Mon Sep 17 00:00:00 2001
> From: Carlo Zancanaro > Date: Sun, 26 Feb 2017 11:34:44 +1100 > Subject: [PATCH] gnu: icedtea-6: Modify certificate import to not fail for > icedtea-8. > > * gnu/packages/java.scm (icedtea-6)[arguments]: Fix install-keystore phase to > not fail the build when attempting to import unsupported certificate > types (which occur with icedtea-8, which inherits from icedtea-6). Also > ensure that the keystore is able to be written to before copying it. > --- > gnu/packages/java.scm | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm > index e7479e1b0..c7f9b9aad 100644 > --- a/gnu/packages/java.scm > +++ b/gnu/packages/java.scm > @@ -706,7 +706,7 @@ build process and its dependencies, whereas Make uses Makefile format.") > "-file" temp))) > (display "yes\n" port) > (when (not (zero? (status:exit-val (close-pipe port)))) > - (error "failed to import" cert))) > + (format #t "failed to import ~a\n" cert))) > (delete-file temp))) > > ;; This is necessary because the certificate directory contains 
> @@ -719,6 +719,15 @@ build process and its dependencies, whereas Make uses Makefile format.") > "/lib/security")) > (mkdir-p (string-append (assoc-ref outputs "jdk") > "/jre/lib/security")) > + > + ;; The cacerts files we are going to overwrite are chmod'ed as > + ;; read-only (444) in icedtea-8 (which derives from this > + ;; package). We have to change this so we can overwrite them. > + (chmod (string-append (assoc-ref outputs "out") > + "/lib/security/" keystore) #o644) > + (chmod (string-append (assoc-ref outputs "jdk") > + "/jre/lib/security/" keystore) #o644) > +

I don’t understand this. It also seems inelegant to make a change in “icedtea-6” for the sake of “icedtea-8”. Could this be done in “icedtea-8” instead?

Also note that icedtea-6 will eventually be removed (as it will no longer receive upstream updates) and the other icedtea* packages should no longer use inheritance to make that possible.

--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
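
Review bot: In the hunk at @@ -706,7 +706,7 @@, replacing (error "failed to import" cert) with a format call makes every non-zero keytool exit non-fatal, not only the unsupported certificate types named in the commit message, so a keystore that is missing any number of CA certificates would still be installed by a build that reports success. Consider keeping the error for unexpected failures and skipping only the certificates known to be unsupported, or collecting the names that failed and raising at the end of the phase if the list contains anything other than those. A trust store that quietly lost entries tends to surface later as TLS validation failures in Java programs rather than as a packaging problem, so the failure should stay visible at build time.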
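
Review bot: In the hunk at @@ -719,6 +719,15 @@, both chmod calls run unconditionally right after the mkdir-p calls that create the lib/security directories, so whenever a directory had to be created the keystore file cannot exist yet and chmod will raise; the comment itself describes the read-only files as an icedtea-8 situation, which suggests icedtea-6 is exactly that case. Guard each call, for example (when (file-exists? file) (chmod file #o644)), or move the permission change into a phase that only icedtea-8 adds. The visible lines also leave the files at 644 without showing a step that restores the read-only mode after the copy; the comment should say whether that is intended.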