Subject: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
From: Kei Kebreau
To: Ludovic Courtès
Cc: 32530@debbugs.gnu.org
Date: Thu, 13 Sep 2018 19:44:12 -0400

ludo@gnu.org (Ludovic Courtès) writes:

> Hi,
>
> Kei Kebreau writes:
>
>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>> Octave with the path to system CA certificates.
>
> [...]
>
>> + (add-after 'install 'wrap-program
>> + (lambda* (#:key outputs #:allow-other-keys)
>> + (let ((out (assoc-ref outputs "out")))
>> + (wrap-program (string-append out "/bin/octave")
>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>
> Users might want to ignore /etc/ssl/certs altogether and instead only
> use their own set of certificates, so I’m rather reluctant to such a
> change.
>
> Now, I agree that there’s a usability problem: we don’t want every
> Octave user to stumble upon a certificate error message. I can think of
> several solutions:
>
> 1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
>    assuming that variable is honored by libcurl itself. It won’t
>    solve this immediate issue, but it sounds like “the right way.”
>
> 2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
>    /etc/profile, like we already do for other variables.
>
> 3. We could document this variable under “X.509 Certificates” in the
>    manual.
>
> #1 would have to go to ‘core-updates’. WDYT?
>
> Thanks,
> Ludo’.

I don't mind putting #1 on 'core-updates' assuming it works. I will test
it locally first. Also, thanks for looking at this!
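
Review bot: the `'("CURLOPT_CAPATH" suffix ("/etc/ssl/certs"))` entry in the wrap-program call always appends the system directory to whatever the user has set, so a user who wants Octave to trust only their own certificate set cannot exclude /etc/ssl/certs short of bypassing the wrapper. Which CA directory to trust is a policy choice that is better left to the user's or system's environment than fixed in the package; a search path or a profile-level default keeps it overridable. The phase also has no comment saying which component reads CURLOPT_CAPATH, and a short one would let a reader judge whether the wrapper has any effect.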