Guix and clamav, freshclam doesn't dowload

Guix and clamav, freshclam doesn't dowload

[白い熊]

Hi Guix:

Anyone using clamav? I installed it, edited the config files copied them to location where “clamconf” sees them.

Now, running freshclam, I get:

ClamAV update process started at Fri Apr 3 14:28:23 2020
daily database available for download (remote version: 25770)
WARNING: Download failed (60) WARNING: Message: SSL peer certificate or SSH remote key was not OK
WARNING: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Trying again in 5 secs...
daily database available for download (remote version: 25770)
WARNING: Download failed (60) WARNING: Message: SSL peer certificate or SSH remote key was not OK
WARNING: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Trying again in 5 secs...
daily database available for download (remote version: 25770)
ERROR: Download failed (60) ERROR: Message: SSL peer certificate or SSH remote key was not OK
ERROR: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Giving up on https://database.clamav.net...
ERROR: Update failed for database: daily
WARNING: fc_update_databases: fc_update_database failed: Connection failed (5)
ERROR: Database update process failed: Connection failed (5)
ERROR: Update failed.

The only page I've found with a relevant similar situation is here¹. It's on Windows — but similar SSL error. I tried sending a HEAD request as he comments:

curl -I https://database.clamav.net

Completes fine, but freshclam won't download anyway.

Anyone using clamav successfully? What could this be?
—
[1] https://serverfault.com/questions/1007935/why-does-calling-head-on-this-url-prevent-the-following-error-error-message-s


-- 
Best regards / 宜しく御願い致します / S pozdravem / C уважением / Z poważaniem /
Mit freundlichen Grüßen
白い熊

Re: Guix and clamav, freshclam doesn't dowload

[Tobias Geerinckx-Rice]

[-- Attachment #1: Type: text/plain, Size: 948 bytes --]

白い熊,

白い熊 写道：
> Now, running freshclam, I get:
>
> ClamAV update process started at Fri Apr 3 14:28:23 2020
> daily database available for download (remote version: 25770)
> WARNING: Download failed (60) WARNING: Message: SSL peer 
> certificate or SSH remote key was not OK

This means that (lib)curl couldn't local trust store against which 
to verify the server's certificate.

freshclam uses libcurl to download files, and the libcurl authors 
have for better or worse decreed that every user has to take care 
of pointing libcurl to the local store (instead of honouring 
CURL_CA_BUNDLE in the library).

On most systems this isn't a problem because the default (/etc/…) 
location exists.  Not so on Guix: we rely entirely on 
CURL_CA_BUNDLE being set to the correct location in /gnu/store.

Let's see how we can patch freshclam to point libcurl in the right 
direction…

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Guix and clamav, freshclam doesn't dowload

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 446 bytes --]

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Let's see how we can patch freshclam to point libcurl in the right 
> direction…

FWIW this problem has been fixed on the 'core-updates' branch with
commit a76a343082d61d5303b61a9e4cbde4ab8515a1e7.  Now all libcurl users
will respect the same search paths.

ClamAV can be pulled from that branch through an inferior or with
'guix time-machine --branch=core-updates -- install clamav'.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: Guix and clamav, freshclam doesn't dowload

[Tobias Geerinckx-Rice]

[-- Attachment #1: Type: text/plain, Size: 459 bytes --]

Marius,

Marius Bakke 写道：
> FWIW this problem has been fixed on the 'core-updates' branch 
> with
> commit a76a343082d61d5303b61a9e4cbde4ab8515a1e7.  Now all 
> libcurl users
> will respect the same search paths.
>
> ClamAV can be pulled from that branch through an inferior or 
> with
> 'guix time-machine --branch=core-updates -- install clamav'.

Wond'rous news!  Thanks for saving me from reading C today ♥

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Guix and clamav, freshclam doesn't dowload

[白い熊]

Apr 3, 2020 18:53:25 Marius Bakke <mbakke@fastmail.com>:


> ClamAV can be pulled from that branch through an inferior or with
> 'guix time-machine --branch=core-updates -- install clamav'.
> 
> 

I have clamav installed in its own profile using a manifest file. How can I specify the above in the manifest?


-- 
Best regards / 宜しく御願い致します / S pozdravem / C уважением / Z poważaniem /
Mit freundlichen Grüßen
白い熊

Re: Guix and clamav, freshclam doesn't dowload

[白い熊]

Apr 3, 2020 19:51:25 白い熊 <help-guix_gnu.org@sumou.com>:

> Apr 3, 2020 18:53:25 Marius Bakke <mbakke@fastmail.com>:
>
> > ClamAV can be pulled from that branch through an inferior or with
> > 'guix time-machine --branch=core-updates -- install clamav'.
> >
> I have clamav installed in its own profile using a manifest file. How can I specify the above in the manifest?

It seems to me that I need to somehow specify the git branch along the guidelines example in ¹, however I'm not advanced enough to do this.

Can anyone help me write the manifest file to specify clamav from the above?
—
[1] http://guix.gnu.org/manual/en/html_node/Version-Numbers.html#Version-Numbers


-- 
Best regards / 宜しく御願い致します / S pozdravem / C уважением / Z poważaniem /
Mit freundlichen Grüßen
白い熊

Re: Guix and clamav, freshclam doesn't dowload

[Marius Bakke]

[-- Attachment #1.1: Type: text/plain, Size: 572 bytes --]

白い熊 <help-guix_gnu.org@sumou.com> writes:

> Apr 3, 2020 18:53:25 Marius Bakke <mbakke@fastmail.com>:
>
>
>> ClamAV can be pulled from that branch through an inferior or with
>> 'guix time-machine --branch=core-updates -- install clamav'.
>> 
>> 
>
> I have clamav installed in its own profile using a manifest file. How can I specify the above in the manifest?

You will have to use an "inferior"[0].  Here is an untested manifest
that should create a profile where HTTPS is working (note that you need
to source the <profile>/etc/profile script).


[-- Attachment #1.2: clamav.scm --]
[-- Type: text/plain, Size: 720 bytes --]

(use-modules (guix inferior)
             (guix channels))

(define channels
  ;; A channel with the "core-updates" branch.
  (list (channel
         (name 'guix)
         (url "https://git.savannah.gnu.org/git/guix.git")
         (branch "core-updates"))))

(define inferior
  ;; An inferior representing the above channel.
  (inferior-for-channels channels))

;; Create a manifest with ClamAV from the 'core-updates' branch, and
;; cURL + nss-certs to access HTTPS URLs.
(packages->manifest
 (append (lookup-inferior-packages inferior "clamav")
         (map specification->package
              '("curl"               ;to get the SSL_CERT_DIR variable
                "nss-certs"))))      ;to verify TLS certificates

[-- Attachment #1.3: Type: text/plain, Size: 56 bytes --]



0: https://guix.gnu.org/manual/en/guix.html#Inferiors

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: Guix and clamav, freshclam doesn't dowload

[白い熊]

Apr 4, 2020 13:53:51 Marius Bakke <mbakke@fastmail.com>:

> You will have to use an "inferior"[0]. Here is an untested manifest

Thank you!

Unfortunately, this fails to install with:

Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
1.2 MB will be downloaded:
/gnu/store/p5qdvijyl3vmq2phzmbgcka6jk7pbmmm-module-import
/gnu/store/adkz4x95qy12z7d0s4146prx2hcz46y4-module-import-compiled
/gnu/store/y2q7305gyh01nmngkfkq9gdz8zs3zfi1-compute-guix-derivation
Backtrace:
1 (primitive-load "/home/shiroikuma/.config/guix/current/bin/guix")
In guix/ui.scm:
1936:12 0 (run-guix-command _ . _)

guix/ui.scm:1936:12: In procedure run-guix-command:
In procedure put-bytevector: Wrong type argument in position 1 (expecting open output port): #<closed: file 7f3ed8efba80>


-- 
Best regards / 宜しく御願い致します / S pozdravem / C уважением / Z poważaniem /
Mit freundlichen Grüßen
白い熊

Re: Guix and clamav, freshclam doesn't dowload

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1011 bytes --]

Hi 白い熊,

白い熊 <help-guix_gnu.org@sumou.com> writes:

> Unfortunately, this fails to install with:
>
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
> 1.2 MB will be downloaded:
> /gnu/store/p5qdvijyl3vmq2phzmbgcka6jk7pbmmm-module-import
> /gnu/store/adkz4x95qy12z7d0s4146prx2hcz46y4-module-import-compiled
> /gnu/store/y2q7305gyh01nmngkfkq9gdz8zs3zfi1-compute-guix-derivation
> Backtrace:
> 1 (primitive-load "/home/shiroikuma/.config/guix/current/bin/guix")
> In guix/ui.scm:
> 1936:12 0 (run-guix-command _ . _)
>
> guix/ui.scm:1936:12: In procedure run-guix-command:
> In procedure put-bytevector: Wrong type argument in position 1 (expecting open output port): #<closed: file 7f3ed8efba80>

This was actually a bug in Guix that was fixed just now:
<https://bugs.gnu.org/40428>.  Please try again after a 'guix pull', it
should work better now!  :-)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: Guix and clamav, freshclam doesn't dowload

[白い熊]

Apr 4, 2020 19:36:19 Marius Bakke <mbakke@fastmail.com>:

> This was actually a bug in Guix that was fixed just now:
> <https://bugs.gnu.org/40428>. Please try again after a 'guix pull', it
> should work better now! :-)

Yes — it works now! Many thanks. :@)

-- 
Best regards / 宜しく御願い致します / S pozdravem / C уважением / Z poważaniem /
Mit freundlichen Grüßen
白い熊

Re: Guix and clamav, freshclam doesn't dowload

[白い熊]

Apr 5, 2020 07:29:53 白い熊 <help-guix_gnu.org@sumou.com>:

> Apr 4, 2020 19:36:19 Marius Bakke <mbakke@fastmail.com>:
>
>
> > This was actually a bug in Guix that was fixed just now:
> > <https://bugs.gnu.org/40428>. Please try again after a 'guix pull', it
> > should work better now! :-)
> >
>
> Yes — it works now! Many thanks. :@)

I'm trying to build on aarch64, it fails while building git-minimal, my question is — I don't understand how these inferiors work — why is it building git-minimal to download the git checkout?

I have git installed in the profile, shouldn't it just be relying on the full git to do the repo pull? Should it be specified somehow in the manifest?

-- 
Best regards / 宜しく御願い致します / S pozdravem / C уважением / Z poważaniem /
Mit freundlichen Grüßen
白い熊