all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Efraim Flashner <efraim@flashner.co.il>
To: Simon Tournier <zimon.toutoune@gmail.com>
Cc: 61121@debbugs.gnu.org, Theodore Ehrenborg <theodore.ehrenborg@gmail.com>
Subject: bug#61121: Cannot import IJulia in Julia
Date: Thu, 9 Feb 2023 11:29:53 +0200	[thread overview]
Message-ID: <Y+S9Ed+J3eJNsGGQ@3900XT> (raw)
In-Reply-To: <86o7qfuedj.fsf@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4198 bytes --]

On Tue, Jan 31, 2023 at 12:34:16PM +0100, Simon Tournier wrote:
> Hi,
> 
> On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg <theodore.ehrenborg@gmail.com> wrote:
> 
> > Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> > system's ca-certificates.crt.
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168
> 
> This trick is not possible, IIUC.
> 
> > Is there a way I could rebuild my own slightly modified Julia with a link
> > like that?
> 
> Maybe, by adding the package nss-certs as propagated-inputs in the
> definition of julia.

By itself I don't think this would do anything.

> > I understand that there's probably a good reason that Guix's Julia doesn't
> > by default have cert.pem, but I would be pleased with a hacky custom
> > solution if it made Jupyter notebooks work.
> 
> The reason is security. ;-)  It’s Julia that does poorly here.
> 
> As pointed with the upstream package MbedTLS.jl, the fix should come
> from Julia itself; therefore, it could be worth to open an issue, if it
> is not already the case. ;-)
> 
> From my understanding, the culprit is this [1]:
> 
> --8<---------------cut here---------------start------------->8---
> function __init__()
>     global artifact_dir = dirname(Sys.BINDIR)
>     global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
> end
> --8<---------------cut here---------------end--------------->8---
> 
> And it is not clear for me if NetworkOptions.jl [2] provides the option
> of not, and I am missing why Julia itself does not depend on it.
> 
> 1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
> 2: https://github.com/JuliaLang/NetworkOptions.jl
> 
> 
> Efraim, do you think it would be possible to patch Julia to point to
> some certificates via bundled_ca_roots or ca_roots_path?

In the initial patch for julia-1.8.1 I think there was a substitution to
hardcode /etc/ssl/something instead for 'global cacert' but I took that
out since we don't like hardcoding that.

GIT_SSL_CAINFO=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
CURL_CA_BUNDLE=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/run/current-system/profile/etc/ssl/certs/ca-certificates.crt

I think it would be fine to tell Julia to look at SSL_CERT_FILE as the
cacert so it can be overridden as desired, and then we can add a
(native-?)search-path to Julia for SSL_CERT_FILE.

Does anyone know offhand how to get the environment variable? If not
I'll grep the sources and then look online.

> Well, somehow turn back these tests:
> 
> --8<---------------cut here---------------start------------->8---
>              ;; julia embeds a certificate, we are not doing that
>              (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
>                (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
>                 "@test_broken isfile(MozillaCACerts_jll.cacert)"))
>              ;; since certificate is not present some tests are failing in network option
>              (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
>                (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
>                 "@test_broken isfile(bundled_ca_roots())")
>                (("@test ispath\\(ca_roots_path\\(\\)\\)")
>                 "@test_broken ispath(ca_roots_path())")
>                (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
>                 "@test_broken ca_roots_path() != bundled_ca_roots()"))
> --8<---------------cut here---------------end--------------->8---

That one might be a little harder, I'd rather not add nss-certs to the
build just for the test suite, but I'll see how it goes. Or at least
update the comment afterward.

> 
> Cheers,
> simon

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2023-02-09  9:31 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-28 13:45 bug#61121: Cannot import IJulia in Julia Theodore Ehrenborg
2023-01-30 12:27 ` Simon Tournier
2023-01-30 21:55   ` Theodore Ehrenborg
2023-01-31 11:34     ` Simon Tournier
2023-02-09  9:29       ` Efraim Flashner [this message]
2023-02-09 14:53       ` Efraim Flashner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y+S9Ed+J3eJNsGGQ@3900XT \
    --to=efraim@flashner.co.il \
    --cc=61121@debbugs.gnu.org \
    --cc=theodore.ehrenborg@gmail.com \
    --cc=zimon.toutoune@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.