From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43496)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g0NEL-0003vt-C0
	for guix-patches@gnu.org; Thu, 13 Sep 2018 04:44:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g0NEI-0000in-5p
	for guix-patches@gnu.org; Thu, 13 Sep 2018 04:44:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:34469)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1g0NEI-0000ij-2G
	for guix-patches@gnu.org; Thu, 13 Sep 2018 04:44:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g0NEH-0002Tc-Ue
	for guix-patches@gnu.org; Thu, 13 Sep 2018 04:44:02 -0400
Subject: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Resent-Message-ID: <handler.32530.B32530.15368282209476@debbugs.gnu.org>
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
References: <20180826004231.19350-1-kkebreau@posteo.net>
Date: Thu, 13 Sep 2018 10:43:24 +0200
In-Reply-To: <20180826004231.19350-1-kkebreau@posteo.net> (Kei Kebreau's
	message of "Sat, 25 Aug 2018 20:42:31 -0400")
Message-ID: <87tvmtpz2r.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Kei Kebreau <kkebreau@posteo.net>
Cc: 32530@debbugs.gnu.org

Hi,

Kei Kebreau <kkebreau@posteo.net> skribis:

> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to=
 wrap
> Octave with the path to system CA certificates.

[...]

> +         (add-after 'install 'wrap-program
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let ((out (assoc-ref outputs "out")))
> +               (wrap-program (string-append out "/bin/octave")
> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))

Users might want to ignore /etc/ssl/certs altogether and instead only
use their own set of certificates, so I=E2=80=99m rather reluctant to such a
change.

Now, I agree that there=E2=80=99s a usability problem: we don=E2=80=99t wan=
t every
Octave user to stumble upon a certificate error message.  I can think of
several solutions:

  1. We could add CURLOPT_CAPATH to the =E2=80=98native-search-paths=E2=80=
=99 of =E2=80=98curl=E2=80=99,
     assuming that variable is honored by libcurl itself.  It won=E2=80=99t
     solve this immediate issue, but it sounds like =E2=80=9Cthe right way.=
=E2=80=9D

  2. On GuixSD, we could define CURLOPT_CAPATH=3D/etc/ssl/certs in
     /etc/profile, like we already do for other variables.

  3. We could document this variable under =E2=80=9CX.509 Certificates=E2=
=80=9D in the
     manual.

#1 would have to go to =E2=80=98core-updates=E2=80=99.  WDYT?

Thanks,
Ludo=E2=80=99.