* [bug#52690] [PATCH] gnu: ldns: Do not depend directly on nss-certs.
2021-12-21 0:36 [bug#52690] Remove direct dependencies on the nss-certs certificate store Leo Famulari
@ 2021-12-21 0:37 ` Leo Famulari
2021-12-21 2:48 ` [bug#52690] [PATCH] gnu: pypy3: Prohibit references to nss-certs Leo Famulari
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2021-12-21 0:37 UTC
To: 52690
If ldns depends on a particular version of nss-certs, the features that use the
certificates will eventually stop working as the certificates expire. Instead,
the certificates should be found at run-time.
* gnu/packages/dns.scm (ldns)[inputs]: Remove nss-certs.
[arguments]: Adjust the value of "--with-ca-path" in #:configure-flags.
---
gnu/packages/dns.scm | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 5c5f95537b..269d312487 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -40,7 +40,6 @@ (define-module (gnu packages dns)
#:use-module (gnu packages autotools)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
- #:use-module (gnu packages certs)
#:use-module (gnu packages check)
#:use-module (gnu packages curl)
#:use-module (gnu packages databases)
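Review bot: dropping the `(gnu packages certs)` import at the top of dns.scm is only safe if ldns was the last user of that module in this file. The diff shows only the ldns definition, so please confirm that no other package in dns.scm still references nss-certs or another binding from that module; otherwise the file fails to load with an unbound variable.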
@@ -178,9 +177,7 @@ (define-public ldns
;; "--with-p5-dns-ldns"
(string-append "--with-ssl="
(assoc-ref %build-inputs "openssl"))
- (string-append "--with-ca-path="
- (assoc-ref %build-inputs "nss-certs")
- "/etc/ssl/certs"))
+ (string-append "--with-ca-path=/etc/ssl/certs"))
#:make-flags
(list
(string-append "drillbindir="
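Review bot: the new `--with-ca-path` line hard-codes /etc/ssl/certs without a comment saying why, and the `string-append` around a single literal is now redundant. Suggest writing the flag as the plain string "--with-ca-path=/etc/ssl/certs" and adding a comment that the certificate directory is deliberately resolved at run time rather than pinned to a store item, so a later reader does not change it back to a build input. The commit message could also say what the certificate-dependent features do when that directory is absent or empty on the host, since they now rely entirely on what the system provides.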
@@ -210,7 +207,7 @@ (define-public ldns
("python" ,python-wrapper)
("swig" ,swig)))
(inputs
- (list libpcap nss-certs openssl))
+ (list libpcap openssl))
(synopsis "DNS library that facilitates DNS tool programming")
(description "LDNS aims to simplify DNS programming, it supports recent
RFCs like the DNSSEC documents, and allows developers to easily create
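Review bot: with nss-certs dropped from `inputs`, nothing in this hunk stops a later change from reintroducing a store reference to it. The pypy3 and IcedTea patches in this series use `#:disallowed-references (,nss-certs)` for that purpose; consider the same guard here, bearing in mind it would need the `(gnu packages certs)` import that the first hunk removes.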
--
2.34.0
* [bug#52690] [PATCH] gnu: pypy3: Prohibit references to nss-certs.
From: Leo Famulari @ 2021-12-21 2:48 UTC
To: 52690
Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.
* gnu/packages/python.scm (pypy3)[arguments]: Add nss-certs
to #:disallowed-references.
---
gnu/packages/python.scm | 1 +
1 file changed, 1 insertion(+)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index f0d2fd6eb8..23f188c6f9 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -780,6 +780,7 @@ (define-public pypy3
`(#:tests? #f ;FIXME: 43 out of 364 tests are failing
#:modules ((ice-9 ftw) (ice-9 match)
(guix build utils) (guix build gnu-build-system))
+ #:disallowed-references (,nss-certs)
#:phases (modify-phases %standard-phases
(delete 'configure)
(add-after 'unpack 'patch-source
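Review bot: `#:disallowed-references (,nss-certs)` is added without any `#:use-module` change, so it relies on python.scm already importing `(gnu packages certs)`; please confirm, since otherwise nss-certs is unbound when the module loads. A one-line comment above the keyword saying that the aim is to avoid pinning a certificate store version would help future readers. Disallowed references are only checked against a completed build output, so the commit message should state whether pypy3 was actually built with this change.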
--
2.34.0
* [bug#52690] Remove direct dependencies on the nss-certs certificate store
From: Mathieu Othacehe @ 2021-12-26 17:37 UTC
To: Leo Famulari; +Cc: 52690
Hello Leo,
> I'll send a patch removing the dependency from ldns.
>
> pypy3 does not build anyways because its runpath cannot be successfully
> validated, but I will investigate anyways after disabling the runpath
> validator.
The ldns and pypy3 patches make sense to me.
Thanks,
Mathieu
* [bug#52690] [PATCH] gnu: IcedTea: Prohibit references to nss-certs.
From: Leo Famulari @ 2021-12-26 21:32 UTC
To: 52690
I checked, and neither of these packages keeps references to nss-certs.
So, although this change will cause rebuilds, it shouldn't cause any
functional changes.
However, my understanding is that the IcedTea packages actually copy the
NSS certificate store, so there wouldn't be a reference anyways, but we
would have the problem of "software that expires".
Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.
* gnu/packages/java.scm (icedtea-7, icedtea-8)[arguments]: Add nss-certs
to #:disallowed-references.
---
gnu/packages/java.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 0a757b2391..91a16bb53d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -812,6 +812,8 @@ (define-public icedtea-7
;; gremlin) doesn't support it yet, so skip this phase.
#:validate-runpath? #f
+ #:disallowed-references (,nss-certs)
+
#:modules ((guix build utils)
(guix build gnu-build-system)
(ice-9 match)
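Review bot: `#:disallowed-references (,nss-certs)` on icedtea-7 only rejects an output that contains the nss-certs store path; a build that copies the certificate files into its own output passes this check while still shipping a frozen certificate set, which is the case the cover text describes. A comment next to the keyword saying what it does and does not guard against would keep it from being read as a fix for stale certificates. No `#:use-module` line is touched here either, so please confirm java.scm already imports `(gnu packages certs)`.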
@@ -1376,7 +1378,8 @@ (define-public icedtea-8
(guix build syscalls)
,@%gnu-build-system-modules)
- #:disallowed-references ,(list (gexp-input icedtea-7 "jdk"))
+ #:disallowed-references ,(list (gexp-input icedtea-7 "jdk")
+ nss-certs)
,@(substitute-keyword-arguments (package-arguments icedtea-7)
((#:modules modules)
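Review bot: icedtea-8 sets `#:disallowed-references` explicitly and then splices in `,@(substitute-keyword-arguments (package-arguments icedtea-7)`, and the previous hunk makes icedtea-7 carry `#:disallowed-references` as well. Unless one of the substitution clauses not shown in this hunk handles that keyword, it will now appear twice in icedtea-8's argument list. Please confirm which value takes effect so that the icedtea-7 "jdk" entry is not silently dropped; handling the keyword inside `substitute-keyword-arguments` would make the result unambiguous.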
--
2.34.0