* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
@ 2018-08-26 0:42 Kei Kebreau
2018-09-13 8:43 ` Ludovic Courtès
2018-09-15 8:37 ` Marius Bakke
0 siblings, 2 replies; 16+ messages in thread
From: Kei Kebreau @ 2018-08-26 0:42 UTC (permalink / raw)
To: 32530; +Cc: Kei Kebreau
* gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
Octave with the path to system CA certificates.
---
gnu/packages/maths.scm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 3d571e8cc..b0caff0f5 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -1417,7 +1417,13 @@ can solve two kinds of problems:
(string-append "Vmakeinfo_program = \""
(assoc-ref inputs "texinfo")
"/bin/makeinfo\"")))
- #t)))))
+ #t))
+ (add-after 'install 'wrap-program
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out")))
+ (wrap-program (string-append out "/bin/octave")
+ '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
+ #t))))))
(home-page "https://www.gnu.org/software/octave/")
(synopsis "High-level language for numerical computation")
(description "GNU Octave is a high-level interpreted language that is
--
2.18.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-08-26 0:42 [bug#32530] [PATCH] gnu: octave: Fix CA certificate use Kei Kebreau
@ 2018-09-13 8:43 ` Ludovic Courtès
2018-09-13 23:44 ` Kei Kebreau
2018-09-15 8:37 ` Marius Bakke
1 sibling, 1 reply; 16+ messages in thread
From: Ludovic Courtès @ 2018-09-13 8:43 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 32530
Hi,
Kei Kebreau <kkebreau@posteo.net> skribis:
> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
> Octave with the path to system CA certificates.
[...]
> + (add-after 'install 'wrap-program
> + (lambda* (#:key outputs #:allow-other-keys)
> + (let ((out (assoc-ref outputs "out")))
> + (wrap-program (string-append out "/bin/octave")
> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
Users might want to ignore /etc/ssl/certs altogether and instead only
use their own set of certificates, so I’m rather reluctant to such a
change.
Now, I agree that there’s a usability problem: we don’t want every
Octave user to stumble upon a certificate error message. I can think of
several solutions:
1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
assuming that variable is honored by libcurl itself. It won’t
solve this immediate issue, but it sounds like “the right way.”
2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
/etc/profile, like we already do for other variables.
3. We could document this variable under “X.509 Certificates” in the
manual.
#1 would have to go to ‘core-updates’. WDYT?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-13 8:43 ` Ludovic Courtès
@ 2018-09-13 23:44 ` Kei Kebreau
2018-09-15 1:54 ` Kei Kebreau
0 siblings, 1 reply; 16+ messages in thread
From: Kei Kebreau @ 2018-09-13 23:44 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 32530
ludo@gnu.org (Ludovic Courtès) writes:
> Hi,
>
> Kei Kebreau <kkebreau@posteo.net> skribis:
>
>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>> Octave with the path to system CA certificates.
>
> [...]
>
>> + (add-after 'install 'wrap-program
>> + (lambda* (#:key outputs #:allow-other-keys)
>> + (let ((out (assoc-ref outputs "out")))
>> + (wrap-program (string-append out "/bin/octave")
>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>
> Users might want to ignore /etc/ssl/certs altogether and instead only
> use their own set of certificates, so I’m rather reluctant to such a
> change.
>
> Now, I agree that there’s a usability problem: we don’t want every
> Octave user to stumble upon a certificate error message. I can think of
> several solutions:
>
> 1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
> assuming that variable is honored by libcurl itself. It won’t
> solve this immediate issue, but it sounds like “the right way.”
>
> 2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
> /etc/profile, like we already do for other variables.
>
> 3. We could document this variable under “X.509 Certificates” in the
> manual.
>
> #1 would have to go to ‘core-updates’. WDYT?
>
> Thanks,
> Ludo’.
I don't mind putting #1 on 'core-updates' assuming it works. I will test
it locally first. Also, thanks for looking at this!
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-13 23:44 ` Kei Kebreau
@ 2018-09-15 1:54 ` Kei Kebreau
0 siblings, 0 replies; 16+ messages in thread
From: Kei Kebreau @ 2018-09-15 1:54 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 32530
Kei Kebreau <kkebreau@posteo.net> writes:
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Hi,
>>
>> Kei Kebreau <kkebreau@posteo.net> skribis:
>>
>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program'
>>> phase to wrap
>>> Octave with the path to system CA certificates.
>>
>> [...]
>>
>>> + (add-after 'install 'wrap-program
>>> + (lambda* (#:key outputs #:allow-other-keys)
>>> + (let ((out (assoc-ref outputs "out")))
>>> + (wrap-program (string-append out "/bin/octave")
>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>
>> Users might want to ignore /etc/ssl/certs altogether and instead only
>> use their own set of certificates, so I’m rather reluctant to such a
>> change.
>>
>> Now, I agree that there’s a usability problem: we don’t want every
>> Octave user to stumble upon a certificate error message. I can think of
>> several solutions:
>>
>> 1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
>> assuming that variable is honored by libcurl itself. It won’t
>> solve this immediate issue, but it sounds like “the right way.”
>>
>> 2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
>> /etc/profile, like we already do for other variables.
>>
>> 3. We could document this variable under “X.509 Certificates” in the
>> manual.
>>
>> #1 would have to go to ‘core-updates’. WDYT?
>>
>> Thanks,
>> Ludo’.
>
> I don't mind putting #1 on 'core-updates' assuming it works. I will test
> it locally first. Also, thanks for looking at this!
It looks like solution #1 does not work as expected. In this case,
perhaps #3 would be preferable because the user can more easily control
the environment variable?
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-08-26 0:42 [bug#32530] [PATCH] gnu: octave: Fix CA certificate use Kei Kebreau
2018-09-13 8:43 ` Ludovic Courtès
@ 2018-09-15 8:37 ` Marius Bakke
2018-09-15 18:30 ` Kei Kebreau
1 sibling, 1 reply; 16+ messages in thread
From: Marius Bakke @ 2018-09-15 8:37 UTC (permalink / raw)
To: Kei Kebreau, 32530
[-- Attachment #1: Type: text/plain, Size: 1212 bytes --]
Kei Kebreau <kkebreau@posteo.net> writes:
> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
> Octave with the path to system CA certificates.
> ---
> gnu/packages/maths.scm | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
> index 3d571e8cc..b0caff0f5 100644
> --- a/gnu/packages/maths.scm
> +++ b/gnu/packages/maths.scm
> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
> (string-append "Vmakeinfo_program = \""
> (assoc-ref inputs "texinfo")
> "/bin/makeinfo\"")))
> - #t)))))
> + #t))
> + (add-after 'install 'wrap-program
> + (lambda* (#:key outputs #:allow-other-keys)
> + (let ((out (assoc-ref outputs "out")))
> + (wrap-program (string-append out "/bin/octave")
> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
> + #t))))))
Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
(as with CURL_CA_BUNDLE for `curl`). That way installing certificates
to the profile should be sufficient.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-15 8:37 ` Marius Bakke
@ 2018-09-15 18:30 ` Kei Kebreau
2018-09-17 16:33 ` Kei Kebreau
0 siblings, 1 reply; 16+ messages in thread
From: Kei Kebreau @ 2018-09-15 18:30 UTC (permalink / raw)
To: Marius Bakke; +Cc: 32530
[-- Attachment #1: Type: text/plain, Size: 1405 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>> Octave with the path to system CA certificates.
>> ---
>> gnu/packages/maths.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>> index 3d571e8cc..b0caff0f5 100644
>> --- a/gnu/packages/maths.scm
>> +++ b/gnu/packages/maths.scm
>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>> (string-append "Vmakeinfo_program = \""
>> (assoc-ref inputs "texinfo")
>> "/bin/makeinfo\"")))
>> - #t)))))
>> + #t))
>> + (add-after 'install 'wrap-program
>> + (lambda* (#:key outputs #:allow-other-keys)
>> + (let ((out (assoc-ref outputs "out")))
>> + (wrap-program (string-append out "/bin/octave")
>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>> + #t))))))
>
> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
> to the profile should be sufficient.
Ah! Yes, this works when I add curl to the profile. I didn't do this the
first time. I'll upload a patch here soon.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-15 18:30 ` Kei Kebreau
@ 2018-09-17 16:33 ` Kei Kebreau
2018-09-17 17:16 ` Marius Bakke
0 siblings, 1 reply; 16+ messages in thread
From: Kei Kebreau @ 2018-09-17 16:33 UTC (permalink / raw)
To: Marius Bakke, ludo; +Cc: 32530
[-- Attachment #1.1: Type: text/plain, Size: 1616 bytes --]
Kei Kebreau <kkebreau@posteo.net> writes:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>>
>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>> Octave with the path to system CA certificates.
>>> ---
>>> gnu/packages/maths.scm | 8 +++++++-
>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>> index 3d571e8cc..b0caff0f5 100644
>>> --- a/gnu/packages/maths.scm
>>> +++ b/gnu/packages/maths.scm
>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>> (string-append "Vmakeinfo_program = \""
>>> (assoc-ref inputs "texinfo")
>>> "/bin/makeinfo\"")))
>>> - #t)))))
>>> + #t))
>>> + (add-after 'install 'wrap-program
>>> + (lambda* (#:key outputs #:allow-other-keys)
>>> + (let ((out (assoc-ref outputs "out")))
>>> + (wrap-program (string-append out "/bin/octave")
>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>> + #t))))))
>>
>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>> to the profile should be sufficient.
>
> Ah! Yes, this works when I add curl to the profile. I didn't do this the
> first time. I'll upload a patch here soon.
Here's the search path patch. With this, I needed both nss-certs and
cURL installed alongside Octave to get certificates working.
[-- Attachment #1.2: 0001-gnu-curl-Add-a-search-path-for-CURLOPT_CAPATH.patch --]
[-- Type: text/plain, Size: 1103 bytes --]
From 99614c73d5156ded2e865b7daf0955c9ff4eaaf4 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kkebreau@posteo.net>
Date: Sun, 16 Sep 2018 22:17:06 -0400
Subject: [PATCH] gnu: curl: Add a search path for CURLOPT_CAPATH.
* gnu/packages/curl.scm (curl)[native-search-paths]: New field.
---
gnu/packages/curl.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 6d45dc0cc..8bdba8655 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -83,7 +83,10 @@
(variable "CURL_CA_BUNDLE")
(file-type 'regular)
(separator #f) ;single entry
- (files '("etc/ssl/certs/ca-certificates.crt")))))
+ (files '("etc/ssl/certs/ca-certificates.crt")))
+ (search-path-specification
+ (variable "CURLOPT_CAPATH")
+ (files '("etc/ssl/certs")))))
(arguments
`(#:configure-flags '("--with-gnutls" "--with-gssapi")
;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
--
2.19.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-17 16:33 ` Kei Kebreau
@ 2018-09-17 17:16 ` Marius Bakke
2018-09-18 20:57 ` Kei Kebreau
2018-09-19 19:52 ` Ludovic Courtès
0 siblings, 2 replies; 16+ messages in thread
From: Marius Bakke @ 2018-09-17 17:16 UTC (permalink / raw)
To: Kei Kebreau, ludo; +Cc: 32530
[-- Attachment #1: Type: text/plain, Size: 2516 bytes --]
Kei Kebreau <kkebreau@posteo.net> writes:
> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> Marius Bakke <mbakke@fastmail.com> writes:
>>
>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>
>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>> Octave with the path to system CA certificates.
>>>> ---
>>>> gnu/packages/maths.scm | 8 +++++++-
>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>> index 3d571e8cc..b0caff0f5 100644
>>>> --- a/gnu/packages/maths.scm
>>>> +++ b/gnu/packages/maths.scm
>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>> (string-append "Vmakeinfo_program = \""
>>>> (assoc-ref inputs "texinfo")
>>>> "/bin/makeinfo\"")))
>>>> - #t)))))
>>>> + #t))
>>>> + (add-after 'install 'wrap-program
>>>> + (lambda* (#:key outputs #:allow-other-keys)
>>>> + (let ((out (assoc-ref outputs "out")))
>>>> + (wrap-program (string-append out "/bin/octave")
>>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>> + #t))))))
>>>
>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>>> to the profile should be sufficient.
>>
>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>> first time. I'll upload a patch here soon.
>
> Here's the search path patch. With this, I needed both nss-certs and
> cURL installed alongside Octave to get certificates working.
[...]
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 6d45dc0cc..8bdba8655 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -83,7 +83,10 @@
> (variable "CURL_CA_BUNDLE")
> (file-type 'regular)
> (separator #f) ;single entry
> - (files '("etc/ssl/certs/ca-certificates.crt")))))
> + (files '("etc/ssl/certs/ca-certificates.crt")))
> + (search-path-specification
> + (variable "CURLOPT_CAPATH")
> + (files '("etc/ssl/certs")))))
Adding this native-search-path to the "octave" package should be
sufficient. Then you won't need curl in the profile, nor do we need to
rebuild all the things that depend on curl. Can you try that?
Thanks for fixing this issue :-)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-17 17:16 ` Marius Bakke
@ 2018-09-18 20:57 ` Kei Kebreau
2018-09-19 17:27 ` Marius Bakke
2018-09-19 19:52 ` Ludovic Courtès
1 sibling, 1 reply; 16+ messages in thread
From: Kei Kebreau @ 2018-09-18 20:57 UTC (permalink / raw)
To: Marius Bakke; +Cc: 32530
[-- Attachment #1.1: Type: text/plain, Size: 2692 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>>
>>> Marius Bakke <mbakke@fastmail.com> writes:
>>>
>>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>>
>>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>>> Octave with the path to system CA certificates.
>>>>> ---
>>>>> gnu/packages/maths.scm | 8 +++++++-
>>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>>> index 3d571e8cc..b0caff0f5 100644
>>>>> --- a/gnu/packages/maths.scm
>>>>> +++ b/gnu/packages/maths.scm
>>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>>> (string-append "Vmakeinfo_program = \""
>>>>> (assoc-ref inputs "texinfo")
>>>>> "/bin/makeinfo\"")))
>>>>> - #t)))))
>>>>> + #t))
>>>>> + (add-after 'install 'wrap-program
>>>>> + (lambda* (#:key outputs #:allow-other-keys)
>>>>> + (let ((out (assoc-ref outputs "out")))
>>>>> + (wrap-program (string-append out "/bin/octave")
>>>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>>> + #t))))))
>>>>
>>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>>>> to the profile should be sufficient.
>>>
>>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>>> first time. I'll upload a patch here soon.
>>
>> Here's the search path patch. With this, I needed both nss-certs and
>> cURL installed alongside Octave to get certificates working.
>
> [...]
>
>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>> index 6d45dc0cc..8bdba8655 100644
>> --- a/gnu/packages/curl.scm
>> +++ b/gnu/packages/curl.scm
>> @@ -83,7 +83,10 @@
>> (variable "CURL_CA_BUNDLE")
>> (file-type 'regular)
>> (separator #f) ;single entry
>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>> + (search-path-specification
>> + (variable "CURLOPT_CAPATH")
>> + (files '("etc/ssl/certs")))))
>
> Adding this native-search-path to the "octave" package should be
> sufficient. Then you won't need curl in the profile, nor do we need to
> rebuild all the things that depend on curl. Can you try that?
Adding the native-search-path to the "octave" package works!
>
> Thanks for fixing this issue :-)
[-- Attachment #1.2: 0001-gnu-octave-Add-a-search-path-for-CURLOPT_CAPATH.patch --]
[-- Type: text/plain, Size: 932 bytes --]
From df88f083f8974b1cb17d03ede300505ec3ecabc1 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kkebreau@posteo.net>
Date: Sun, 16 Sep 2018 22:17:06 -0400
Subject: [PATCH] gnu: octave: Add a search path for CURLOPT_CAPATH.
* gnu/packages/maths.scm (octave)[native-search-paths]: New field.
---
gnu/packages/maths.scm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index d3e72128c..7389f972b 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -1397,6 +1397,10 @@ can solve two kinds of problems:
("less" ,less)
("ghostscript" ,ghostscript)
("gnuplot" ,gnuplot)))
+ (native-search-paths
+ (list (search-path-specification
+ (variable "CURLOPT_CAPATH")
+ (files '("etc/ssl/certs")))))
(arguments
`(#:configure-flags
(list (string-append "--with-shell="
--
2.19.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-18 20:57 ` Kei Kebreau
@ 2018-09-19 17:27 ` Marius Bakke
0 siblings, 0 replies; 16+ messages in thread
From: Marius Bakke @ 2018-09-19 17:27 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 32530
[-- Attachment #1: Type: text/plain, Size: 3267 bytes --]
Kei Kebreau <kkebreau@posteo.net> writes:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>>
>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>
>>>> Marius Bakke <mbakke@fastmail.com> writes:
>>>>
>>>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>>>
>>>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>>>> Octave with the path to system CA certificates.
>>>>>> ---
>>>>>> gnu/packages/maths.scm | 8 +++++++-
>>>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>>>> index 3d571e8cc..b0caff0f5 100644
>>>>>> --- a/gnu/packages/maths.scm
>>>>>> +++ b/gnu/packages/maths.scm
>>>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>>>> (string-append "Vmakeinfo_program = \""
>>>>>> (assoc-ref inputs "texinfo")
>>>>>> "/bin/makeinfo\"")))
>>>>>> - #t)))))
>>>>>> + #t))
>>>>>> + (add-after 'install 'wrap-program
>>>>>> + (lambda* (#:key outputs #:allow-other-keys)
>>>>>> + (let ((out (assoc-ref outputs "out")))
>>>>>> + (wrap-program (string-append out "/bin/octave")
>>>>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>>>> + #t))))))
>>>>>
>>>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>>>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>>>>> to the profile should be sufficient.
>>>>
>>>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>>>> first time. I'll upload a patch here soon.
>>>
>>> Here's the search path patch. With this, I needed both nss-certs and
>>> cURL installed alongside Octave to get certificates working.
>>
>> [...]
>>
>>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>>> index 6d45dc0cc..8bdba8655 100644
>>> --- a/gnu/packages/curl.scm
>>> +++ b/gnu/packages/curl.scm
>>> @@ -83,7 +83,10 @@
>>> (variable "CURL_CA_BUNDLE")
>>> (file-type 'regular)
>>> (separator #f) ;single entry
>>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>>> + (search-path-specification
>>> + (variable "CURLOPT_CAPATH")
>>> + (files '("etc/ssl/certs")))))
>>
>> Adding this native-search-path to the "octave" package should be
>> sufficient. Then you won't need curl in the profile, nor do we need to
>> rebuild all the things that depend on curl. Can you try that?
>
> Adding the native-search-path to the "octave" package works!
Excellent! :-)
[...]
> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
> index d3e72128c..7389f972b 100644
> --- a/gnu/packages/maths.scm
> +++ b/gnu/packages/maths.scm
> @@ -1397,6 +1397,10 @@ can solve two kinds of problems:
> ("less" ,less)
> ("ghostscript" ,ghostscript)
> ("gnuplot" ,gnuplot)))
> + (native-search-paths
> + (list (search-path-specification
> + (variable "CURLOPT_CAPATH")
> + (files '("etc/ssl/certs")))))
LGTM.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-17 17:16 ` Marius Bakke
2018-09-18 20:57 ` Kei Kebreau
@ 2018-09-19 19:52 ` Ludovic Courtès
2018-09-19 20:09 ` Marius Bakke
1 sibling, 1 reply; 16+ messages in thread
From: Ludovic Courtès @ 2018-09-19 19:52 UTC (permalink / raw)
To: Marius Bakke; +Cc: Kei Kebreau, 32530
Hello,
Marius Bakke <mbakke@fastmail.com> skribis:
> Kei Kebreau <kkebreau@posteo.net> writes:
[...]
>> Here's the search path patch. With this, I needed both nss-certs and
>> cURL installed alongside Octave to get certificates working.
This is expected (see <https://issues.guix.info/issue/22138>), which is
why I wrote it wouldn’t quite solve the issue; still, it’s a step in the
right direction. :-)
>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>> index 6d45dc0cc..8bdba8655 100644
>> --- a/gnu/packages/curl.scm
>> +++ b/gnu/packages/curl.scm
>> @@ -83,7 +83,10 @@
>> (variable "CURL_CA_BUNDLE")
>> (file-type 'regular)
>> (separator #f) ;single entry
>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>> + (search-path-specification
>> + (variable "CURLOPT_CAPATH")
>> + (files '("etc/ssl/certs")))))
>
> Adding this native-search-path to the "octave" package should be
> sufficient.
I think we should avoid doing this though, because conceptually
CURLOPT_CAPATH “belongs” to cURL, not to Octave.
> Then you won't need curl in the profile, nor do we need to rebuild all
> the things that depend on curl. Can you try that?
The patch above can go to the next ‘core-updates’ IMO.
Kei, what about the two other options we discussed? Namely:
> 2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
> /etc/profile, like we already do for other variables.
>
> 3. We could document this variable under “X.509 Certificates” in the
> manual.
Thank you!
Ludo’.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-19 19:52 ` Ludovic Courtès
@ 2018-09-19 20:09 ` Marius Bakke
2018-09-19 20:18 ` Ludovic Courtès
0 siblings, 1 reply; 16+ messages in thread
From: Marius Bakke @ 2018-09-19 20:09 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Kei Kebreau, 32530
[-- Attachment #1: Type: text/plain, Size: 2043 bytes --]
ludo@gnu.org (Ludovic Courtès) writes:
> Hello,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>
> [...]
>
>>> Here's the search path patch. With this, I needed both nss-certs and
>>> cURL installed alongside Octave to get certificates working.
>
> This is expected (see <https://issues.guix.info/issue/22138>), which is
> why I wrote it wouldn’t quite solve the issue; still, it’s a step in the
> right direction. :-)
>
>>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>>> index 6d45dc0cc..8bdba8655 100644
>>> --- a/gnu/packages/curl.scm
>>> +++ b/gnu/packages/curl.scm
>>> @@ -83,7 +83,10 @@
>>> (variable "CURL_CA_BUNDLE")
>>> (file-type 'regular)
>>> (separator #f) ;single entry
>>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>>> + (search-path-specification
>>> + (variable "CURLOPT_CAPATH")
>>> + (files '("etc/ssl/certs")))))
>>
>> Adding this native-search-path to the "octave" package should be
>> sufficient.
>
> I think we should avoid doing this though, because conceptually
> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
Conceptually maybe, but to my knowledge libcurl itself does not support
run-time search paths (due to thread safety concerns IIRC).
This search path does seem to be Octave specific. From the ChangeLog:
--8<---------------cut here---------------start------------->8---
2018-04-18 John W. Eaton <jwe@octave.org>
allow users to set path to CA certificates for cURL
* url-transfer.cc (curl_transfer::curl_transfer): Check for
CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
them to set the corresponding options for the cURL library.
Files: liboctave/util/url-transfer.cc
--8<---------------cut here---------------end--------------->8---
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-19 20:09 ` Marius Bakke
@ 2018-09-19 20:18 ` Ludovic Courtès
2018-09-20 18:03 ` Kei Kebreau
0 siblings, 1 reply; 16+ messages in thread
From: Ludovic Courtès @ 2018-09-19 20:18 UTC (permalink / raw)
To: Marius Bakke; +Cc: Kei Kebreau, 32530
Marius Bakke <mbakke@fastmail.com> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
[...]
>>> Adding this native-search-path to the "octave" package should be
>>> sufficient.
>>
>> I think we should avoid doing this though, because conceptually
>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>
> Conceptually maybe, but to my knowledge libcurl itself does not support
> run-time search paths (due to thread safety concerns IIRC).
>
> This search path does seem to be Octave specific. From the ChangeLog:
>
> 2018-04-18 John W. Eaton <jwe@octave.org>
>
> allow users to set path to CA certificates for cURL
>
> * url-transfer.cc (curl_transfer::curl_transfer): Check for
> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
> them to set the corresponding options for the cURL library.
>
> Files: liboctave/util/url-transfer.cc
Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
that those variables are actually Octave-specific. :-)
Thank you!
Ludo’.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-19 20:18 ` Ludovic Courtès
@ 2018-09-20 18:03 ` Kei Kebreau
2018-09-24 9:02 ` Ludovic Courtès
0 siblings, 1 reply; 16+ messages in thread
From: Kei Kebreau @ 2018-09-20 18:03 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 32530
ludo@gnu.org (Ludovic Courtès) writes:
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>
> [...]
>
>>>> Adding this native-search-path to the "octave" package should be
>>>> sufficient.
>>>
>>> I think we should avoid doing this though, because conceptually
>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>
>> Conceptually maybe, but to my knowledge libcurl itself does not support
>> run-time search paths (due to thread safety concerns IIRC).
>>
>> This search path does seem to be Octave specific. From the ChangeLog:
>>
>> 2018-04-18 John W. Eaton <jwe@octave.org>
>>
>> allow users to set path to CA certificates for cURL
>>
>> * url-transfer.cc (curl_transfer::curl_transfer): Check for
>> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
>> them to set the corresponding options for the cURL library.
>>
>> Files: liboctave/util/url-transfer.cc
>
> Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
> that those variables are actually Octave-specific. :-)
>
> Thank you!
>
> Ludo’.
Is it really Octave-specific? It's defined in the libcurl API [0], so
other software could make use of the variable.
[0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html
^ permalink raw reply [flat|nested] 16+ messages in thread
* [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
2018-09-20 18:03 ` Kei Kebreau
@ 2018-09-24 9:02 ` Ludovic Courtès
2018-09-25 1:43 ` bug#32530: " Kei Kebreau
0 siblings, 1 reply; 16+ messages in thread
From: Ludovic Courtès @ 2018-09-24 9:02 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 32530
Hello Kei,
Kei Kebreau <kkebreau@posteo.net> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Marius Bakke <mbakke@fastmail.com> skribis:
>>
>>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>> [...]
>>
>>>>> Adding this native-search-path to the "octave" package should be
>>>>> sufficient.
>>>>
>>>> I think we should avoid doing this though, because conceptually
>>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>>
>>> Conceptually maybe, but to my knowledge libcurl itself does not support
>>> run-time search paths (due to thread safety concerns IIRC).
>>>
>>> This search path does seem to be Octave specific. From the ChangeLog:
>>>
>>> 2018-04-18 John W. Eaton <jwe@octave.org>
>>>
>>> allow users to set path to CA certificates for cURL
>>>
>>> * url-transfer.cc (curl_transfer::curl_transfer): Check for
>>> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
>>> them to set the corresponding options for the cURL library.
>>>
>>> Files: liboctave/util/url-transfer.cc
>>
>> Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
>> that those variables are actually Octave-specific. :-)
>>
>> Thank you!
>>
>> Ludo’.
>
> Is it really Octave-specific? It's defined in the libcurl API [0], so
> other software could make use of the variable.
>
> [0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html
I think you’re both right. :-)
The ‘url-transfer.cc’ file in Octave mentioned above does this:
std::string cainfo = sys::env::getenv ("CURLOPT_CAINFO");
if (! cainfo.empty ())
SETOPT (CURLOPT_CAINFO, cainfo.c_str ());
std::string capath = sys::env::getenv ("CURLOPT_CAPATH");
if (! capath.empty ())
SETOPT (CURLOPT_CAPATH, capath.c_str ());
Based on that, I think it’s perfectly fine to add these two variables in
the ‘native-search-paths’ of Octave itself, probably with a comment
explaining that Octave really honors these variables by itself.
Feel free to push such a change!
Thank you,
Ludo’.
^ permalink raw reply [flat|nested] 16+ messages in thread
* bug#32530: [PATCH] gnu: octave: Fix CA certificate use.
2018-09-24 9:02 ` Ludovic Courtès
@ 2018-09-25 1:43 ` Kei Kebreau
0 siblings, 0 replies; 16+ messages in thread
From: Kei Kebreau @ 2018-09-25 1:43 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 32530-done
ludo@gnu.org (Ludovic Courtès) writes:
> Hello Kei,
>
> Kei Kebreau <kkebreau@posteo.net> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Marius Bakke <mbakke@fastmail.com> skribis:
>>>
>>>> ludo@gnu.org (Ludovic Courtès) writes:
>>>
>>> [...]
>>>
>>>>>> Adding this native-search-path to the "octave" package should be
>>>>>> sufficient.
>>>>>
>>>>> I think we should avoid doing this though, because conceptually
>>>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>>>
>>>> Conceptually maybe, but to my knowledge libcurl itself does not support
>>>> run-time search paths (due to thread safety concerns IIRC).
>>>>
>>>> This search path does seem to be Octave specific. From the ChangeLog:
>>>>
>>>> 2018-04-18 John W. Eaton <jwe@octave.org>
>>>>
>>>> allow users to set path to CA certificates for cURL
>>>>
>>>> * url-transfer.cc (curl_transfer::curl_transfer): Check for
>>>> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables.
>>>> If set, use
>>>> them to set the corresponding options for the cURL library.
>>>>
>>>> Files: liboctave/util/url-transfer.cc
>>>
>>> Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
>>> that those variables are actually Octave-specific. :-)
>>>
>>> Thank you!
>>>
>>> Ludo’.
>>
>> Is it really Octave-specific? It's defined in the libcurl API [0], so
>> other software could make use of the variable.
>>
>> [0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html
>
> I think you’re both right. :-)
>
> The ‘url-transfer.cc’ file in Octave mentioned above does this:
>
> std::string cainfo = sys::env::getenv ("CURLOPT_CAINFO");
> if (! cainfo.empty ())
> SETOPT (CURLOPT_CAINFO, cainfo.c_str ());
>
> std::string capath = sys::env::getenv ("CURLOPT_CAPATH");
> if (! capath.empty ())
> SETOPT (CURLOPT_CAPATH, capath.c_str ());
>
> Based on that, I think it’s perfectly fine to add these two variables in
> the ‘native-search-paths’ of Octave itself, probably with a comment
> explaining that Octave really honors these variables by itself.
>
> Feel free to push such a change!
>
> Thank you,
> Ludo’.
Finally pushed to master! Thanks to both of you for reviewing this.
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2018-09-25 1:47 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-26 0:42 [bug#32530] [PATCH] gnu: octave: Fix CA certificate use Kei Kebreau
2018-09-13 8:43 ` Ludovic Courtès
2018-09-13 23:44 ` Kei Kebreau
2018-09-15 1:54 ` Kei Kebreau
2018-09-15 8:37 ` Marius Bakke
2018-09-15 18:30 ` Kei Kebreau
2018-09-17 16:33 ` Kei Kebreau
2018-09-17 17:16 ` Marius Bakke
2018-09-18 20:57 ` Kei Kebreau
2018-09-19 17:27 ` Marius Bakke
2018-09-19 19:52 ` Ludovic Courtès
2018-09-19 20:09 ` Marius Bakke
2018-09-19 20:18 ` Ludovic Courtès
2018-09-20 18:03 ` Kei Kebreau
2018-09-24 9:02 ` Ludovic Courtès
2018-09-25 1:43 ` bug#32530: " Kei Kebreau
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).