From mboxrd@z Thu Jan  1 00:00:00 1970
From: Roel Janssen <roel@gnu.org>
Subject: Re: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey
	certificates.
Date: Sun, 26 Feb 2017 18:02:08 +0100
Message-ID: <87fuj03my7.fsf@gnu.org>
References: <rbuwpcycmd1.fsf@gnu.org> <877f4d3hnt.fsf@zancanaro.id.au>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47941)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <roel@gnu.org>) id 1ci2DH-0008K8-M4
	for guix-devel@gnu.org; Sun, 26 Feb 2017 12:02:24 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <roel@gnu.org>) id 1ci2DE-0002bC-Jo
	for guix-devel@gnu.org; Sun, 26 Feb 2017 12:02:23 -0500
In-reply-to: <877f4d3hnt.fsf@zancanaro.id.au>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Carlo Zancanaro <carlo@zancanaro.id.au>
Cc: guix-devel@gnu.org


Carlo Zancanaro writes:

> On Fri, Feb 10 2017, Roel Janssen wrote
>> [ ... ]
>
> I was getting frustrated at not having certificates with java 8 (it's
> surprisingly annoying to have to use one environment with java 7 to
> download dependencies with maven, then a different environment with java
> 8 to actually run your program), so I downloaded and tried out your
> patch. It seems to work!

Thanks for picking up the patch!

> But then I wondered, could we just change the generate-keystore phase of
> the icedtea-6 package to log a failed certificate import without failing
> the build? Then we could move the permissions change there, too, which
> would give us a smaller patch that should accomplish a similar result
> (attached).

Great idea.  This is also a more durable solution for when certificates
change in nss-certs.

> From b1ed0d53a72f95fdc42fa3741ae16726782ad414 Mon Sep 17 00:00:00 2001
> From: Carlo Zancanaro <carlo@zancanaro.id.au>
> Date: Sun, 26 Feb 2017 11:34:44 +1100
> Subject: [PATCH] gnu: icedtea-6: Modify certificate import to not fail for
>  icedtea-8.
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Fix install-keystore phase to
>   not fail the build when attempting to import unsupported certificate
>   types (which occur with icedtea-8, which inherits from icedtea-6). Also
>   ensure that the keystore is able to be written to before copying it.
> ---
>  gnu/packages/java.scm | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index e7479e1b0..c7f9b9aad 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -706,7 +706,7 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                                             "-file" temp)))
>                       (display "yes\n" port)
>                       (when (not (zero? (status:exit-val (close-pipe port))))
> -                       (error "failed to import" cert)))
> +                       (format #t "failed to import ~a\n" cert)))
>                     (delete-file temp)))
>  
>                 ;; This is necessary because the certificate directory contains
> @@ -719,6 +719,15 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                                         "/lib/security"))
>                 (mkdir-p (string-append (assoc-ref outputs "jdk")
>                                         "/jre/lib/security"))
> +
> +               ;; The cacerts files we are going to overwrite are chmod'ed as
> +               ;; read-only (444) in icedtea-8 (which derives from this
> +               ;; package).  We have to change this so we can overwrite them.
> +               (chmod (string-append (assoc-ref outputs "out")
> +                                     "/lib/security/" keystore) #o644)
> +               (chmod (string-append (assoc-ref outputs "jdk")
> +                                     "/jre/lib/security/" keystore) #o644)
> +
>                 (install-file keystore
>                               (string-append (assoc-ref outputs "out")
>                                              "/lib/security"))

I checked to see if the keystore is actually chmod'ed back to #o444, and
it is!  So this looks fine to me as well.

> @@ -1023,9 +1032,6 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                      (find-files "openjdk.src/jdk/src/solaris/native"
>                                  "\\.c|\\.h"))
>                     #t)))
> -             ;; FIXME: This phase is needed but fails with this version of
> -             ;; IcedTea.
> -             (delete 'install-keystore)
>               (replace 'install
>                 (lambda* (#:key outputs #:allow-other-keys)
>                   (let ((doc (string-append (assoc-ref outputs "doc")

I tried this patch and it works fine.

I think we should add ourselves to the copyright notice.
Other than that, I think this patch is good to be pushed.

Kind regards,
Roel Janssen