From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58439) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1g2inb-0002Nv-HA for guix-patches@gnu.org; Wed, 19 Sep 2018 16:10:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1g2inV-0000Ve-Pb for guix-patches@gnu.org; Wed, 19 Sep 2018 16:10:10 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:41784) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1g2inS-0000SA-J9 for guix-patches@gnu.org; Wed, 19 Sep 2018 16:10:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1g2inS-0006TP-Bv for guix-patches@gnu.org; Wed, 19 Sep 2018 16:10:02 -0400 Subject: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use. Resent-Message-ID: From: Marius Bakke In-Reply-To: <87k1nhfenz.fsf@gnu.org> References: <20180826004231.19350-1-kkebreau@posteo.net> <87o9czqhpo.fsf@fastmail.com> <87r2huzk8c.fsf@posteo.net> <87va74krsy.fsf@posteo.net> <875zz4oxil.fsf@fastmail.com> <87k1nhfenz.fsf@gnu.org> Date: Wed, 19 Sep 2018 22:09:30 +0200 Message-ID: <87musdntad.fsf@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: Kei Kebreau , 32530@debbugs.gnu.org --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable ludo@gnu.org (Ludovic Court=C3=A8s) writes: > Hello, > > Marius Bakke skribis: > >> Kei Kebreau writes: > > [...] > >>> Here's the search path patch. With this, I needed both nss-certs and >>> cURL installed alongside Octave to get certificates working. > > This is expected (see ), which is > why I wrote it wouldn=E2=80=99t quite solve the issue; still, it=E2=80=99= s a step in the > right direction. :-) > >>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm >>> index 6d45dc0cc..8bdba8655 100644 >>> --- a/gnu/packages/curl.scm >>> +++ b/gnu/packages/curl.scm >>> @@ -83,7 +83,10 @@ >>> (variable "CURL_CA_BUNDLE") >>> (file-type 'regular) >>> (separator #f) ;single entry >>> - (files '("etc/ssl/certs/ca-certificates.crt"))))) >>> + (files '("etc/ssl/certs/ca-certificates.crt"))) >>> + (search-path-specification >>> + (variable "CURLOPT_CAPATH") >>> + (files '("etc/ssl/certs"))))) >> >> Adding this native-search-path to the "octave" package should be >> sufficient. > > I think we should avoid doing this though, because conceptually > CURLOPT_CAPATH =E2=80=9Cbelongs=E2=80=9D to cURL, not to Octave. Conceptually maybe, but to my knowledge libcurl itself does not support run-time search paths (due to thread safety concerns IIRC). This search path does seem to be Octave specific. From the ChangeLog: =2D-8<---------------cut here---------------start------------->8--- 2018-04-18 John W. Eaton allow users to set path to CA certificates for cURL * url-transfer.cc (curl_transfer::curl_transfer): Check for CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, u= se them to set the corresponding options for the cURL library. Files: liboctave/util/url-transfer.cc =2D-8<---------------cut here---------------end--------------->8--- --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAluirPoACgkQoqBt8qM6 VPpbtAgAh+mX4WIDduADOgwtwBexUoYsd2mUAU34ribqpnvYLTGDsOUAe1CKihcP g8h9eutwYgdqNzisjn+1jIynWa7d1M8Ht0JBPGA8SbHiYSP8BXs8W7RIOjoatWTq 5mC4qh9ek/e5BngWn1TWqUDqEo0T8AlH23pnCvR6+ldy3MtKJ0SThAZ3/Up9Husu MKwt9lNdGO2XV4v4MdhvzI+B9bCF5YB/WevC5rvjehffyQVhJUnoaZ5BBl4q4xTb YEaBDyJ/vf3EiJ+Ecr1q52EUWW1OAfKx42rvO2i9xjpx2LkxbNf1gOx9RW/WGqI2 RbqJSnaYHQj6cqV25yuQ6jbe3I/mzQ== =WDCx -----END PGP SIGNATURE----- --=-=-=--