Errors Linting Package Definition for New Package ruby-net-http-digest-auth

Errors Linting Package Definition for New Package ruby-net-http-digest-auth

[Frederick Muriithi]

[-- Attachment #1: Type: text/plain, Size: 574 bytes --]

Hi.

I'm new to guix and was trying to contribute a new package, for the
ruby gem net-http-digest_auth

Running "./pre-inst-env guix build ruby-net-http-digest-auth" runs
with seemingly no errors (I've attached the build log).

Running "./pre-inst-env guix lint ruby-net-http-digest-auth" fails
with the errors indicated in the attached file lint_log

I'm also new to guile, so while I am working on entangling the issue,
I will be grateful for any assistance in identifying what the issue
is, so that I can fix it and submit a patch.

Thank you.

-- 
Frederick M. Muriithi

[-- Attachment #2: build_log --]
[-- Type: application/octet-stream, Size: 138 bytes --]

substitute: warning: failed to install locale: Invalid argument
/gnu/store/zddmx99r5133jpy86b70qy858y4v14pp-ruby-net-http-digest-auth-1.4

[-- Attachment #3: lint_log --]
[-- Type: application/octet-stream, Size: 2091 bytes --]

gnu/packages/ruby.scm:4182:2: ruby-net-http-digest-auth-1.4: TLS certificate error: ERROR: X.509 certificate of 'github.com' could not be verified:
  signer-not-found
  invalid


gnu/packages/ruby.scm:4207:4: ruby-net-http-digest-auth-1.4: invalid license field
substitute: warning: failed to install locale: Invalid argument
Backtrace:
In ice-9/boot-9.scm:
1729: 19 [#<procedure 289dea0 ()>]
In unknown file:
   ?: 18 [primitive-load "/home/frederick/repositories/projects/pjotrp_projects/guix/scripts/guix"]
In guix/ui.scm:
1220: 17 [run-guix-command lint "ruby-net-http-digest-auth"]
In srfi/srfi-1.scm:
 619: 16 [for-each #<procedure 38e6c40 at guix/scripts/lint.scm:974:20 (spec)> #]
In guix/scripts/lint.scm:
 882: 15 [run-checkers # #]
In srfi/srfi-1.scm:
 619: 14 [for-each #<procedure 5ec09c0 at guix/scripts/lint.scm:882:14 (checker)> #]
In guix/scripts/lint.scm:
 712: 13 [check-vulnerabilities #]
 707: 12 [#<procedure 38e2200 at guix/scripts/lint.scm:697:4 (package)> #]
In unknown file:
   ?: 11 [force #<promise #<procedure 38e22e0 at guix/scripts/lint.scm:695:16 ()>>]
In guix/scripts/lint.scm:
 696: 10 [#<procedure 38e22e0 at guix/scripts/lint.scm:695:16 ()>]
In ice-9/boot-9.scm:
 157: 9 [catch srfi-34 #<procedure 38e23e0 at guix/scripts/lint.scm:677:2 ()> ...]
 157: 8 [catch getaddrinfo-error ...]
In srfi/srfi-1.scm:
 646: 7 [append-map #<procedure fetch-vulnerabilities (year ttl)> # #]
 601: 6 [map #<procedure fetch-vulnerabilities (year ttl)> (2016 2015 2014 ...) ...]
In ice-9/boot-9.scm:
 157: 5 [catch system-error #<procedure 7ab7b10 at guix/cve.scm:233:4 ()> ...]
In guix/cve.scm:
 217: 4 [#<procedure 7ab7b10 at guix/cve.scm:233:4 ()>]
  79: 3 [call-with-cve-port # 10800 ...]
In guix/http-client.scm:
 238: 2 [loop #]
In guix/build/download.scm:
 483: 1 [open-connection-for-uri # # #f ...]
 383: 0 [tls-wrap #<closed: file 0> "static.nvd.nist.gov" #:verify-certificate? #t]

guix/build/download.scm:383:6: In procedure tls-wrap:
guix/build/download.scm:383:6: X.509 certificate of 'static.nvd.nist.gov' could not be verified:
  signer-not-found
  invalid

Re: Errors Linting Package Definition for New Package ruby-net-http-digest-auth

[Leo Famulari]

On Tue, Nov 08, 2016 at 08:41:51PM +0300, Frederick Muriithi wrote:
> I'm new to guix and was trying to contribute a new package, for the
> ruby gem net-http-digest_auth
> 
> Running "./pre-inst-env guix build ruby-net-http-digest-auth" runs
> with seemingly no errors (I've attached the build log).

Yes, that looks fine.

> Running "./pre-inst-env guix lint ruby-net-http-digest-auth" fails
> with the errors indicated in the attached file lint_log

> gnu/packages/ruby.scm:4182:2: ruby-net-http-digest-auth-1.4: TLS certificate error: ERROR: X.509 certificate of 'github.com' could not be verified:
>   signer-not-found
>   invalid

There are two TLS errors (here, for GitHub, and below, for NIST). I'm
not sure but I'd guess that the linter is unable to find your
certificate store, or it lacks the GnuTLS client. How about if you try
invoking the linter in an environment where you have all of Guix's
dependencies available? Like this:

$ guix environment guix --pure -- ./pre-inst-env guilx lint ruby-net-http-digest-auth

> gnu/packages/ruby.scm:4207:4: ruby-net-http-digest-auth-1.4: invalid license field

This will need to be corrected as well.

> substitute: warning: failed to install locale: Invalid argument
> Backtrace:
> In ice-9/boot-9.scm:
> 1729: 19 [#<procedure 289dea0 ()>]
> In unknown file:
>    ?: 18 [primitive-load "/home/frederick/repositories/projects/pjotrp_projects/guix/scripts/guix"]
> In guix/ui.scm:
> 1220: 17 [run-guix-command lint "ruby-net-http-digest-auth"]
> In srfi/srfi-1.scm:
>  619: 16 [for-each #<procedure 38e6c40 at guix/scripts/lint.scm:974:20 (spec)> #]
> In guix/scripts/lint.scm:
>  882: 15 [run-checkers # #]
> In srfi/srfi-1.scm:
>  619: 14 [for-each #<procedure 5ec09c0 at guix/scripts/lint.scm:882:14 (checker)> #]
> In guix/scripts/lint.scm:
>  712: 13 [check-vulnerabilities #]
>  707: 12 [#<procedure 38e2200 at guix/scripts/lint.scm:697:4 (package)> #]
> In unknown file:
>    ?: 11 [force #<promise #<procedure 38e22e0 at guix/scripts/lint.scm:695:16 ()>>]
> In guix/scripts/lint.scm:
>  696: 10 [#<procedure 38e22e0 at guix/scripts/lint.scm:695:16 ()>]
> In ice-9/boot-9.scm:
>  157: 9 [catch srfi-34 #<procedure 38e23e0 at guix/scripts/lint.scm:677:2 ()> ...]
>  157: 8 [catch getaddrinfo-error ...]
> In srfi/srfi-1.scm:
>  646: 7 [append-map #<procedure fetch-vulnerabilities (year ttl)> # #]
>  601: 6 [map #<procedure fetch-vulnerabilities (year ttl)> (2016 2015 2014 ...) ...]
> In ice-9/boot-9.scm:
>  157: 5 [catch system-error #<procedure 7ab7b10 at guix/cve.scm:233:4 ()> ...]
> In guix/cve.scm:
>  217: 4 [#<procedure 7ab7b10 at guix/cve.scm:233:4 ()>]
>   79: 3 [call-with-cve-port # 10800 ...]
> In guix/http-client.scm:
>  238: 2 [loop #]
> In guix/build/download.scm:
>  483: 1 [open-connection-for-uri # # #f ...]
>  383: 0 [tls-wrap #<closed: file 0> "static.nvd.nist.gov" #:verify-certificate? #t]
> 
> guix/build/download.scm:383:6: In procedure tls-wrap:
> guix/build/download.scm:383:6: X.509 certificate of 'static.nvd.nist.gov' could not be verified:
>   signer-not-found
>   invalid

Re: Errors Linting Package Definition for New Package ruby-net-http-digest-auth

[Frederick Muriithi]

> There are two TLS errors (here, for GitHub, and below, for NIST). I'm
> not sure but I'd guess that the linter is unable to find your
> certificate store, or it lacks the GnuTLS client. How about if you try
> invoking the linter in an environment where you have all of Guix's
> dependencies available? Like this:
>
> $ guix environment guix --pure -- ./pre-inst-env guilx lint ruby-net-http-digest-auth

I tried that and still my system can't seem to find the X.509
certificates. I then hit up the manuals some more to read up on
certificates (https://www.gnu.org/software/guix/manual/html_node/X_002e509-Certificates.html#X_002e509-Certificates)
and tried the same command after setting up as show in the link.
Still, my system couldn't find the certificates.

So I decided to try and lint an already accepted package, for the fun
of it, in this case ruby-concurrent by running:

$ guix environment guix --pure -- ./pre-inst-env guilx lint ruby-concurrent

The same 2 failing certs, github and static.nvd.nist.gov failed, even
in the case of the accepted packages.

At this point I am stumped. For more troubleshooting information, I am
running Debian 8 "Jessie"

$ uname -a
Linux localhost 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 GNU/Linux

I will keep looking, and should I find out what the issue is on my
own, I will update this thread with the results.
If anyone has an idea, I'd be grateful for pointers on what I am doing wrong.

-- 
Frederick M. Muriithi

Re: Errors Linting Package Definition for New Package ruby-net-http-digest-auth

[Ludovic Courtès]

Hello,

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Nov 08, 2016 at 08:41:51PM +0300, Frederick Muriithi wrote:

[...]

>> Running "./pre-inst-env guix lint ruby-net-http-digest-auth" fails
>> with the errors indicated in the attached file lint_log
>
>> gnu/packages/ruby.scm:4182:2: ruby-net-http-digest-auth-1.4: TLS certificate error: ERROR: X.509 certificate of 'github.com' could not be verified:
>>   signer-not-found
>>   invalid
>
> There are two TLS errors (here, for GitHub, and below, for NIST). I'm
> not sure but I'd guess that the linter is unable to find your
> certificate store, or it lacks the GnuTLS client.

Exactly: you need to tell ‘guix lint’ where to find X.509 certificates.
This comes from:

  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=bc3c41ce36349ed4ec758c70b48a7059e363043a

For background info, see:

  https://www.gnu.org/software/guix/manual/html_node/Application-Setup.html#X_002e509-Certificates-1

That said, ‘guix lint’ shouldn’t print an ugly backtrace when that
happens.  I’ll push a commit that fixes that.

Thanks for your report, Frederick!

Ludo’.

Re: Errors Linting Package Definition for New Package ruby-net-http-digest-auth

[Frederick Muriithi]

I deleted my local copy of the guix repository and rebuilt it guix
from source again, and somehow, this fixed the issue with the X.509
certificates.

I can't really explain what was causing the issue, seeing as I'd even
installed nss-certs, but it was still failing.

I guess this is one way to solve the issue - recompile guix from scratch.

-- 
Frederick M. Muriithi

Re: Errors Linting Package Definition for New Package ruby-net-http-digest-auth

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1844 bytes --]


>> guix/build/download.scm:383:6: In procedure tls-wrap:
>> guix/build/download.scm:383:6: X.509 certificate of 'static.nvd.nist.gov' could not be verified:
>>   signer-not-found
>>   invalid

That's interesting, I have a similar problem after rebuilding my GuixSD
system from latest git and rebooting. The substituter consistently fails
to verify mirror.hydra.gnu.org. Passing --no-substitutes works, however.

substitute: Backtrace:
substitute: In ice-9/boot-9.scm:
substitute:  157: 9 [catch #t #<catch-closure 187c840> ...]
substitute: In unknown file:
substitute:    ?: 8 [apply-smob/1 #<catch-closure 187c840>]
substitute: In ice-9/boot-9.scm:
substitute:   63: 7 [call-with-prompt prompt0 ...]
substitute: In ice-9/eval.scm:
substitute:  432: 6 [eval # #]
substitute: In ice-9/boot-9.scm:
substitute: 2401: 5 [save-module-excursion #<procedure 1899940 at ice-9/boot-9.scm:4045:3 ()>]
substitute: 4050: 4 [#<procedure 1899940 at ice-9/boot-9.scm:4045:3 ()>]
substitute: 1724: 3 [%start-stack load-stack ...]
substitute: 1729: 2 [#<procedure 18b1ea0 ()>]
substitute: In unknown file:
substitute:    ?: 1 [primitive-load "/gnu/store/84favpg3n9wxx3sv7v3sd6y0s8722p35-guix-0.11.0-1.324a/bin/.guix-real"]
substitute: In guix/ui.scm:
substitute: 1220: 0 [run-guix-command substitute "--query"]
substitute: 
substitute: guix/ui.scm:1220:8: In procedure run-guix-command:
substitute: guix/ui.scm:1220:8: X.509 certificate of 'mirror.hydra.gnu.org' could not be verified:
substitute:   signer-not-found
substitute:   invalid
substitute: 
guix package: error: build failed: substituter `substitute' died unexpectedly

Rebuilding Guix from source did not help, but booting into an older
generation works. I'm guessing the daemon needs SSL_CERT_DIR, or call
`guix download` without verifying TLS certificates.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]

Re: Errors Linting Package Definition for New Package ruby-net-http-digest-auth

[Ludovic Courtès]

Marius Bakke <mbakke@fastmail.com> skribis:

>>> guix/build/download.scm:383:6: In procedure tls-wrap:
>>> guix/build/download.scm:383:6: X.509 certificate of 'static.nvd.nist.gov' could not be verified:
>>>   signer-not-found
>>>   invalid
>
> That's interesting, I have a similar problem after rebuilding my GuixSD
> system from latest git and rebooting. The substituter consistently fails
> to verify mirror.hydra.gnu.org. Passing --no-substitutes works, however.
>
> substitute: Backtrace:
> substitute: In ice-9/boot-9.scm:
> substitute:  157: 9 [catch #t #<catch-closure 187c840> ...]
> substitute: In unknown file:
> substitute:    ?: 8 [apply-smob/1 #<catch-closure 187c840>]
> substitute: In ice-9/boot-9.scm:
> substitute:   63: 7 [call-with-prompt prompt0 ...]
> substitute: In ice-9/eval.scm:
> substitute:  432: 6 [eval # #]
> substitute: In ice-9/boot-9.scm:
> substitute: 2401: 5 [save-module-excursion #<procedure 1899940 at ice-9/boot-9.scm:4045:3 ()>]
> substitute: 4050: 4 [#<procedure 1899940 at ice-9/boot-9.scm:4045:3 ()>]
> substitute: 1724: 3 [%start-stack load-stack ...]
> substitute: 1729: 2 [#<procedure 18b1ea0 ()>]
> substitute: In unknown file:
> substitute:    ?: 1 [primitive-load "/gnu/store/84favpg3n9wxx3sv7v3sd6y0s8722p35-guix-0.11.0-1.324a/bin/.guix-real"]
> substitute: In guix/ui.scm:
> substitute: 1220: 0 [run-guix-command substitute "--query"]
> substitute: 
> substitute: guix/ui.scm:1220:8: In procedure run-guix-command:
> substitute: guix/ui.scm:1220:8: X.509 certificate of 'mirror.hydra.gnu.org' could not be verified:
> substitute:   signer-not-found
> substitute:   invalid
> substitute: 
> guix package: error: build failed: substituter `substitute' died unexpectedly
>
> Rebuilding Guix from source did not help, but booting into an older
> generation works. I'm guessing the daemon needs SSL_CERT_DIR, or call
> `guix download` without verifying TLS certificates.

Oh, I had overlooked that, indeed.

I’ll disable certificate verification in ‘guix substitute’: it doesn’t
provide any additional guarantee since we authenticate narinfos and
nars.

Done in commits 166ba5b10207f44360e218d9e3f00772d09bc7cd and
998f9ac56df6c8cc2ca383c0309f394b262d7f6a.

You should now be able to reconfigure GuixSD with --no-substitute to get
the fix.

Thank you!

Ludo’.