On Tue, Jan 31, 2023 at 12:34:16PM +0100, Simon Tournier wrote:
> Hi,
>
> On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg wrote:
>
> > Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> > system's ca-certificates.crt.
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168
>
> This trick is not possible, IIUC.
>
> > Is there a way I could rebuild my own slightly modified Julia with a link
> > like that?
>
> Maybe, by adding the package nss-certs as propagated-inputs in the
> definition of julia.

By itself I don't think this would do anything.

> > I understand that there's probably a good reason that Guix's Julia doesn't
> > by default have cert.pem, but I would be pleased with a hacky custom
> > solution if it made Jupyter notebooks work.
>
> The reason is security. ;-)

It's Julia that does poorly here.

>
> As pointed out with the upstream package MbedTLS.jl, the fix should come
> from Julia itself; therefore, it could be worth opening an issue, if it
> is not already the case. ;-)
>
> From my understanding, the culprit is this [1]:
>
> --8<---------------cut here---------------start------------->8---
> function __init__()
>     global artifact_dir = dirname(Sys.BINDIR)
>     global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
> end
> --8<---------------cut here---------------end--------------->8---
>
> And it is not clear to me if NetworkOptions.jl [2] provides the option
> or not, and I am missing why Julia itself does not depend on it.
>
> 1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
> 2: https://github.com/JuliaLang/NetworkOptions.jl
>
>
> Efraim, do you think it would be possible to patch Julia to point to
> some certificates via bundled_ca_roots or ca_roots_path?
In the initial patch for julia-1.8.1 I think there was a substitution to
hardcode /etc/ssl/something instead for 'global cacert' but I took that
out since we don't like hardcoding that.

GIT_SSL_CAINFO=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
CURL_CA_BUNDLE=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/run/current-system/profile/etc/ssl/certs/ca-certificates.crt

I think it would be fine to tell Julia to look at SSL_CERT_FILE as the
cacert so it can be overridden as desired, and then we can add a
(native-?)search-path to Julia for SSL_CERT_FILE. Does anyone know
offhand how to get the environment variable? If not I'll grep the
sources and then look online.

> Well, somehow turn back these tests:
>
> --8<---------------cut here---------------start------------->8---
> ;; julia embeds a certificate, we are not doing that
> (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
>   (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
>    "@test_broken isfile(MozillaCACerts_jll.cacert)"))
> ;; since certificate is not present some tests are failing in network option
> (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
>   (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
>    "@test_broken isfile(bundled_ca_roots())")
>   (("@test ispath\\(ca_roots_path\\(\\)\\)")
>    "@test_broken ispath(ca_roots_path())")
>   (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
>    "@test_broken ca_roots_path() != bundled_ca_roots()"))
> --8<---------------cut here---------------end--------------->8---

That one might be a little harder, I'd rather not add nss-certs to the
build just for the test suite, but I'll see how it goes. Or at least
update the comment afterward.

>
> Cheers,
> simon

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
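As an added illustration (not code from this thread, from Guix, or from Julia itself), here is a Julia sketch of the lookup order Efraim proposes above: consult SSL_CERT_FILE first, then SSL_CERT_DIR (assuming the Guix layout shown in his environment, where that directory contains ca-certificates.crt), then the path MozillaCACerts_jll hardcodes, and fail explicitly rather than hand back a path that does not exist. The names `bundled_cacert`, `looks_like_pem_bundle`, `ca_root_candidates` and `resolve_ca_roots` are chosen here and are not Julia or NetworkOptions API.

```julia
# Added example: env-var-first resolution of the CA root bundle, as a
# sketch of the behaviour proposed in the thread (not Julia's own code).

# The bundled location Julia hardcodes in MozillaCACerts_jll; on Guix the
# file is simply absent, which is what breaks TLS verification.
bundled_cacert() = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")

# True when `path` is a readable PEM file holding at least one certificate.
function looks_like_pem_bundle(path::AbstractString)
    isfile(path) || return false
    try
        return occursin("-----BEGIN CERTIFICATE-----", read(path, String))
    catch
        return false   # unreadable (permissions, encoding) counts as unusable
    end
end

# Candidates in priority order: explicit file, certs directory, bundled copy.
# Assumption: SSL_CERT_DIR contains a concatenated ca-certificates.crt, as in
# the Guix profile layout shown in the thread.
function ca_root_candidates()
    cands = String[]
    haskey(ENV, "SSL_CERT_FILE") && push!(cands, ENV["SSL_CERT_FILE"])
    haskey(ENV, "SSL_CERT_DIR") &&
        push!(cands, joinpath(ENV["SSL_CERT_DIR"], "ca-certificates.crt"))
    push!(cands, bundled_cacert())
    return cands
end

# Return the first usable bundle; raise instead of returning a nonexistent
# path, so the failure surfaces here rather than as an opaque TLS error.
function resolve_ca_roots()
    for cand in ca_root_candidates()
        looks_like_pem_bundle(cand) && return cand
    end
    error("no CA root bundle found; set SSL_CERT_FILE (tried: " *
          join(ca_root_candidates(), ", ") * ")")
end

# Compare the sketch against what the NetworkOptions stdlib reports.
using NetworkOptions
println("bundled:  ", bundled_cacert(), isfile(bundled_cacert()) ? "" : "  (missing)")
println("resolved: ", resolve_ca_roots())
println("NetworkOptions.ca_roots_path(): ", NetworkOptions.ca_roots_path())
```

Running this inside a Guix profile with SSL_CERT_FILE set shows the env-var path being chosen while the bundled path is reported missing; unsetting both variables on such a system makes `resolve_ca_roots` raise with the list of paths it tried.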