all messages for Guix-related lists mirrored at yhetil.org
From: Ricardo Wurmus <rekado@elephly.net>
To: Carlo Zancanaro <carlo@zancanaro.id.au>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.
Date: Mon, 27 Feb 2017 16:01:17 +0100
Message-ID: <87shmzk79e.fsf@elephly.net>
In-Reply-To: <877f4d3hnt.fsf@zancanaro.id.au>


Carlo Zancanaro <carlo@zancanaro.id.au> writes:

> But then I wondered, could we just change the generate-keystore phase of
> the icedtea-6 package to log a failed certificate import without failing
> the build? Then we could move the permissions change there, too, which
> would give us a smaller patch that should accomplish a similar result
> (attached).

Hmm, I have a slight preference to have the build fail in those cases,
because that prompts us to fix the underlying problem.  Roel’s fix seems
more direct, even though it results in more lines of code.

> From b1ed0d53a72f95fdc42fa3741ae16726782ad414 Mon Sep 17 00:00:00 2001
> From: Carlo Zancanaro <carlo@zancanaro.id.au>
> Date: Sun, 26 Feb 2017 11:34:44 +1100
> Subject: [PATCH] gnu: icedtea-6: Modify certificate import to not fail for
>  icedtea-8.
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Fix install-keystore phase to
>   not fail the build when attempting to import unsupported certificate
>   types (which occur with icedtea-8, which inherits from icedtea-6). Also
>   ensure that the keystore is able to be written to before copying it.
> ---
>  gnu/packages/java.scm | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index e7479e1b0..c7f9b9aad 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -706,7 +706,7 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                                             "-file" temp)))
>                       (display "yes\n" port)
>                       (when (not (zero? (status:exit-val (close-pipe port))))
> -                       (error "failed to import" cert)))
> +                       (format #t "failed to import ~a\n" cert)))
>                     (delete-file temp)))
>
>                 ;; This is necessary because the certificate directory contains
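
Review bot: the `when` branch around `close-pipe` fires on any non-zero keytool exit, so replacing `(error "failed to import" cert)` with a `format` call downgrades every import failure to a log line, not only the unsupported certificate types the commit message names. A truncated or unreadable certificate would then be left out of the keystore while the build still succeeds with an incomplete trust store. Consider keeping the `error` and skipping the known-unsupported certificates explicitly before the import, or collecting the failed names and failing the phase when one falls outside the expected set.
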
> @@ -719,6 +719,15 @@ build process and its dependencies, whereas Make uses Makefile format.")
>                                         "/lib/security"))
>                 (mkdir-p (string-append (assoc-ref outputs "jdk")
>                                         "/jre/lib/security"))
> +
> +               ;; The cacerts files we are going to overwrite are chmod'ed as
> +               ;; read-only (444) in icedtea-8 (which derives from this
> +               ;; package).  We have to change this so we can overwrite them.
> +               (chmod (string-append (assoc-ref outputs "out")
> +                                     "/lib/security/" keystore) #o644)
> +               (chmod (string-append (assoc-ref outputs "jdk")
> +                                     "/jre/lib/security/" keystore) #o644)
> +
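
Review bot: the two added `chmod` calls assume the keystore file already exists in both outputs, but the `mkdir-p` calls directly above them suggest the `lib/security` directories may not exist yet at this point in icedtea-6, in which case `chmod` would raise and fail the phase. Guard each call with `file-exists?` on the same path, or move the permission change into an icedtea-8 override of this phase, since the added comment says the read-only (444) files only occur there.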

I don’t understand this.  It also seems inelegant to make a change in
“icedtea-6” for the sake of “icedtea-8”.  Could this be done in
“icedtea-8” instead?

Also note that icedtea-6 will eventually be removed (as it will no
longer receive upstream updates) and the other icedtea* packages should
no longer use inheritance to make that possible.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net
