[PATCH] gnu: octave: Fix CA certificate use.

  • Done
Details
3 participants
  • Kei Kebreau
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Kei Kebreau
Severity
normal
Kei Kebreau wrote on 26 Aug 2018 02:42
(address . guix-patches@gnu.org)(name . Kei Kebreau)(address . kkebreau@posteo.net)
20180826004231.19350-1-kkebreau@posteo.net
* gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
Octave with the path to system CA certificates.
---
gnu/packages/maths.scm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 3d571e8cc..b0caff0f5 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -1417,7 +1417,13 @@ can solve two kinds of problems:
(string-append "Vmakeinfo_program = \""
(assoc-ref inputs "texinfo")
"/bin/makeinfo\"")))
- #t)))))
+ #t))
+ (add-after 'install 'wrap-program
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out")))
+ (wrap-program (string-append out "/bin/octave")
+ '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
+ #t))))))
(home-page "https://www.gnu.org/software/octave/")
(synopsis "High-level language for numerical computation")
(description "GNU Octave is a high-level interpreted language that is
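Review bot: the wrap-program call hard-codes /etc/ssl/certs as a 'suffix' for CURLOPT_CAPATH, so the system directory is appended even when the user has exported their own CURLOPT_CAPATH, and the wrapped bin/octave can never run with only a user-chosen set of certificates. Consider leaving the variable to the user's environment (for example through a search path) instead of baking an absolute host path into the wrapper; if the wrapper stays, add a comment naming the code that reads CURLOPT_CAPATH, since nothing in this hunk shows it.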
--
2.18.0
Ludovic Courtès wrote on 13 Sep 2018 10:43
(name . Kei Kebreau)(address . kkebreau@posteo.net)(address . 32530@debbugs.gnu.org)
87tvmtpz2r.fsf@gnu.org
Hi,

Kei Kebreau <kkebreau@posteo.net> skribis:

> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
> Octave with the path to system CA certificates.

[...]

> + (add-after 'install 'wrap-program
> + (lambda* (#:key outputs #:allow-other-keys)
> + (let ((out (assoc-ref outputs "out")))
> + (wrap-program (string-append out "/bin/octave")
> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))

Users might want to ignore /etc/ssl/certs altogether and instead only
use their own set of certificates, so I’m rather reluctant to such a
change.

Now, I agree that there’s a usability problem: we don’t want every
Octave user to stumble upon a certificate error message. I can think of
several solutions:

1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
assuming that variable is honored by libcurl itself. It won’t
solve this immediate issue, but it sounds like “the right way.”

2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
/etc/profile, like we already do for other variables.

3. We could document this variable under “X.509 Certificates” in the
manual.

#1 would have to go to ‘core-updates’. WDYT?

Thanks,
Ludo’.
Kei Kebreau wrote on 14 Sep 2018 01:44
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 32530@debbugs.gnu.org)
87h8it7yk3.fsf@posteo.net
ludo@gnu.org (Ludovic Courtès) writes:

> Hi,
>
> Kei Kebreau <kkebreau@posteo.net> skribis:
>
>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>> Octave with the path to system CA certificates.
>
> [...]
>
>> + (add-after 'install 'wrap-program
>> + (lambda* (#:key outputs #:allow-other-keys)
>> + (let ((out (assoc-ref outputs "out")))
>> + (wrap-program (string-append out "/bin/octave")
>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>
> Users might want to ignore /etc/ssl/certs altogether and instead only
> use their own set of certificates, so I’m rather reluctant to such a
> change.
>
> Now, I agree that there’s a usability problem: we don’t want every
> Octave user to stumble upon a certificate error message. I can think of
> several solutions:
>
> 1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
> assuming that variable is honored by libcurl itself. It won’t
> solve this immediate issue, but it sounds like “the right way.”
>
> 2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
> /etc/profile, like we already do for other variables.
>
> 3. We could document this variable under “X.509 Certificates” in the
> manual.
>
> #1 would have to go to ‘core-updates’. WDYT?
>
> Thanks,
> Ludo’.

I don't mind putting #1 on 'core-updates' assuming it works. I will test
it locally first. Also, thanks for looking at this!
Kei Kebreau wrote on 15 Sep 2018 03:54
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 32530@debbugs.gnu.org)
87va77zfs4.fsf@posteo.net
Kei Kebreau <kkebreau@posteo.net> writes:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Hi,
>>
>> Kei Kebreau <kkebreau@posteo.net> skribis:
>>
>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program'
>>> phase to wrap
>>> Octave with the path to system CA certificates.
>>
>> [...]
>>
>>> + (add-after 'install 'wrap-program
>>> + (lambda* (#:key outputs #:allow-other-keys)
>>> + (let ((out (assoc-ref outputs "out")))
>>> + (wrap-program (string-append out "/bin/octave")
>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>
>> Users might want to ignore /etc/ssl/certs altogether and instead only
>> use their own set of certificates, so I’m rather reluctant to such a
>> change.
>>
>> Now, I agree that there’s a usability problem: we don’t want every
>> Octave user to stumble upon a certificate error message. I can think of
>> several solutions:
>>
>> 1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
>> assuming that variable is honored by libcurl itself. It won’t
>> solve this immediate issue, but it sounds like “the right way.”
>>
>> 2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
>> /etc/profile, like we already do for other variables.
>>
>> 3. We could document this variable under “X.509 Certificates” in the
>> manual.
>>
>> #1 would have to go to ‘core-updates’. WDYT?
>>
>> Thanks,
>> Ludo’.
>
> I don't mind putting #1 on 'core-updates' assuming it works. I will test
> it locally first. Also, thanks for looking at this!

It looks like solution #1 does not work as expected. In this case,
perhaps #3 would be preferable because the user can more easily control
the environment variable?
Marius Bakke wrote on 15 Sep 2018 10:37
(name . Kei Kebreau)(address . kkebreau@posteo.net)
87o9czqhpo.fsf@fastmail.com
Kei Kebreau <kkebreau@posteo.net> writes:

> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
> Octave with the path to system CA certificates.
> ---
> gnu/packages/maths.scm | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
> index 3d571e8cc..b0caff0f5 100644
> --- a/gnu/packages/maths.scm
> +++ b/gnu/packages/maths.scm
> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
> (string-append "Vmakeinfo_program = \""
> (assoc-ref inputs "texinfo")
> "/bin/makeinfo\"")))
> - #t)))))
> + #t))
> + (add-after 'install 'wrap-program
> + (lambda* (#:key outputs #:allow-other-keys)
> + (let ((out (assoc-ref outputs "out")))
> + (wrap-program (string-append out "/bin/octave")
> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
> + #t))))))

Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
(as with CURL_CA_BUNDLE for `curl`). That way installing certificates
to the profile should be sufficient.
Kei Kebreau wrote on 15 Sep 2018 20:30
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32530@debbugs.gnu.org)
87r2huzk8c.fsf@posteo.net
Marius Bakke <mbakke@fastmail.com> writes:

> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>> Octave with the path to system CA certificates.
>> ---
>> gnu/packages/maths.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>> index 3d571e8cc..b0caff0f5 100644
>> --- a/gnu/packages/maths.scm
>> +++ b/gnu/packages/maths.scm
>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>> (string-append "Vmakeinfo_program = \""
>> (assoc-ref inputs "texinfo")
>> "/bin/makeinfo\"")))
>> - #t)))))
>> + #t))
>> + (add-after 'install 'wrap-program
>> + (lambda* (#:key outputs #:allow-other-keys)
>> + (let ((out (assoc-ref outputs "out")))
>> + (wrap-program (string-append out "/bin/octave")
>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>> + #t))))))
>
> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
> to the profile should be sufficient.

Ah! Yes, this works when I add curl to the profile. I didn't do this the
first time. I'll upload a patch here soon.
Kei Kebreau wrote on 17 Sep 2018 18:33
(address . 32530@debbugs.gnu.org)
87va74krsy.fsf@posteo.net
Kei Kebreau <kkebreau@posteo.net> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>>
>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>> Octave with the path to system CA certificates.
>>> ---
>>> gnu/packages/maths.scm | 8 +++++++-
>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>> index 3d571e8cc..b0caff0f5 100644
>>> --- a/gnu/packages/maths.scm
>>> +++ b/gnu/packages/maths.scm
>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>> (string-append "Vmakeinfo_program = \""
>>> (assoc-ref inputs "texinfo")
>>> "/bin/makeinfo\"")))
>>> - #t)))))
>>> + #t))
>>> + (add-after 'install 'wrap-program
>>> + (lambda* (#:key outputs #:allow-other-keys)
>>> + (let ((out (assoc-ref outputs "out")))
>>> + (wrap-program (string-append out "/bin/octave")
>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>> + #t))))))
>>
>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>> to the profile should be sufficient.
>
> Ah! Yes, this works when I add curl to the profile. I didn't do this the
> first time. I'll upload a patch here soon.

Here's the search path patch. With this, I needed both nss-certs and
cURL installed alongside Octave to get certificates working.
From 99614c73d5156ded2e865b7daf0955c9ff4eaaf4 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kkebreau@posteo.net>
Date: Sun, 16 Sep 2018 22:17:06 -0400
Subject: [PATCH] gnu: curl: Add a search path for CURLOPT_CAPATH.

* gnu/packages/curl.scm (curl)[native-search-paths]: New field.
---
gnu/packages/curl.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 6d45dc0cc..8bdba8655 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -83,7 +83,10 @@
(variable "CURL_CA_BUNDLE")
(file-type 'regular)
(separator #f) ;single entry
- (files '("etc/ssl/certs/ca-certificates.crt")))))
+ (files '("etc/ssl/certs/ca-certificates.crt")))
+ (search-path-specification
+ (variable "CURLOPT_CAPATH")
+ (files '("etc/ssl/certs")))))
(arguments
`(#:configure-flags '("--with-gnutls" "--with-gssapi")
;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
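Review bot: the new CURLOPT_CAPATH specification sets neither 'file-type' nor 'separator', unlike the CURL_CA_BUNDLE entry right above it, which is marked "(separator #f) ;single entry". With the defaults the value can become a colon-joined list of directories when several profiles match; please confirm that whatever reads this variable accepts a list, or add (separator #f) here as well. A short comment naming the consumer of CURLOPT_CAPATH would also help, since the entry is added to the curl package itself.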
--
2.19.0
Marius Bakke wrote on 17 Sep 2018 19:16
(address . 32530@debbugs.gnu.org)
875zz4oxil.fsf@fastmail.com
Kei Kebreau <kkebreau@posteo.net> writes:

> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> Marius Bakke <mbakke@fastmail.com> writes:
>>
>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>
>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>> Octave with the path to system CA certificates.
>>>> ---
>>>> gnu/packages/maths.scm | 8 +++++++-
>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>> index 3d571e8cc..b0caff0f5 100644
>>>> --- a/gnu/packages/maths.scm
>>>> +++ b/gnu/packages/maths.scm
>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>> (string-append "Vmakeinfo_program = \""
>>>> (assoc-ref inputs "texinfo")
>>>> "/bin/makeinfo\"")))
>>>> - #t)))))
>>>> + #t))
>>>> + (add-after 'install 'wrap-program
>>>> + (lambda* (#:key outputs #:allow-other-keys)
>>>> + (let ((out (assoc-ref outputs "out")))
>>>> + (wrap-program (string-append out "/bin/octave")
>>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>> + #t))))))
>>>
>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>>> to the profile should be sufficient.
>>
>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>> first time. I'll upload a patch here soon.
>
> Here's the search path patch. With this, I needed both nss-certs and
> cURL installed alongside Octave to get certificates working.

[...]

> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 6d45dc0cc..8bdba8655 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -83,7 +83,10 @@
> (variable "CURL_CA_BUNDLE")
> (file-type 'regular)
> (separator #f) ;single entry
> - (files '("etc/ssl/certs/ca-certificates.crt")))))
> + (files '("etc/ssl/certs/ca-certificates.crt")))
> + (search-path-specification
> + (variable "CURLOPT_CAPATH")
> + (files '("etc/ssl/certs")))))

Adding this native-search-path to the "octave" package should be
sufficient. Then you won't need curl in the profile, nor do we need to
rebuild all the things that depend on curl. Can you try that?

Thanks for fixing this issue :-)
Kei Kebreau wrote on 18 Sep 2018 22:57
(name . Marius Bakke)(address . mbakke@fastmail.com)
87efdqttfu.fsf@posteo.net
Marius Bakke <mbakke@fastmail.com> writes:

> Kei Kebreau <kkebreau@posteo.net> writes:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>>
>>> Marius Bakke <mbakke@fastmail.com> writes:
>>>
>>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>>
>>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>>> Octave with the path to system CA certificates.
>>>>> ---
>>>>> gnu/packages/maths.scm | 8 +++++++-
>>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>>> index 3d571e8cc..b0caff0f5 100644
>>>>> --- a/gnu/packages/maths.scm
>>>>> +++ b/gnu/packages/maths.scm
>>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>>> (string-append "Vmakeinfo_program = \""
>>>>> (assoc-ref inputs "texinfo")
>>>>> "/bin/makeinfo\"")))
>>>>> - #t)))))
>>>>> + #t))
>>>>> + (add-after 'install 'wrap-program
>>>>> + (lambda* (#:key outputs #:allow-other-keys)
>>>>> + (let ((out (assoc-ref outputs "out")))
>>>>> + (wrap-program (string-append out "/bin/octave")
>>>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>>> + #t))))))
>>>>
>>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>>>> to the profile should be sufficient.
>>>
>>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>>> first time. I'll upload a patch here soon.
>>
>> Here's the search path patch. With this, I needed both nss-certs and
>> cURL installed alongside Octave to get certificates working.
>
> [...]
>
>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>> index 6d45dc0cc..8bdba8655 100644
>> --- a/gnu/packages/curl.scm
>> +++ b/gnu/packages/curl.scm
>> @@ -83,7 +83,10 @@
>> (variable "CURL_CA_BUNDLE")
>> (file-type 'regular)
>> (separator #f) ;single entry
>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>> + (search-path-specification
>> + (variable "CURLOPT_CAPATH")
>> + (files '("etc/ssl/certs")))))
>
> Adding this native-search-path to the "octave" package should be
> sufficient. Then you won't need curl in the profile, nor do we need to
> rebuild all the things that depend on curl. Can you try that?

Adding the native-search-path to the "octave" package works!

>
> Thanks for fixing this issue :-)
From df88f083f8974b1cb17d03ede300505ec3ecabc1 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kkebreau@posteo.net>
Date: Sun, 16 Sep 2018 22:17:06 -0400
Subject: [PATCH] gnu: octave: Add a search path for CURLOPT_CAPATH.

* gnu/packages/maths.scm (octave)[native-search-paths]: New field.
---
gnu/packages/maths.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index d3e72128c..7389f972b 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -1397,6 +1397,10 @@ can solve two kinds of problems:
("less" ,less)
("ghostscript" ,ghostscript)
("gnuplot" ,gnuplot)))
+ (native-search-paths
+ (list (search-path-specification
+ (variable "CURLOPT_CAPATH")
+ (files '("etc/ssl/certs")))))
(arguments
`(#:configure-flags
(list (string-append "--with-shell="
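Review bot: the 'native-search-paths' field is added to octave without a comment, and the variable name CURLOPT_CAPATH reads as if it belonged to cURL. Add a comment above the specification stating that Octave itself reads this environment variable, so that a later reader does not move the entry to the curl package or drop it as redundant.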
--
2.19.0
Marius Bakke wrote on 19 Sep 2018 19:27
(name . Kei Kebreau)(address . kkebreau@posteo.net)
8736u5pfcv.fsf@fastmail.com
Kei Kebreau <kkebreau@posteo.net> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>>
>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>
>>>> Marius Bakke <mbakke@fastmail.com> writes:
>>>>
>>>>> Kei Kebreau <kkebreau@posteo.net> writes:
>>>>>
>>>>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program' phase to wrap
>>>>>> Octave with the path to system CA certificates.
>>>>>> ---
>>>>>> gnu/packages/maths.scm | 8 +++++++-
>>>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
>>>>>> index 3d571e8cc..b0caff0f5 100644
>>>>>> --- a/gnu/packages/maths.scm
>>>>>> +++ b/gnu/packages/maths.scm
>>>>>> @@ -1417,7 +1417,13 @@ can solve two kinds of problems:
>>>>>> (string-append "Vmakeinfo_program = \""
>>>>>> (assoc-ref inputs "texinfo")
>>>>>> "/bin/makeinfo\"")))
>>>>>> - #t)))))
>>>>>> + #t))
>>>>>> + (add-after 'install 'wrap-program
>>>>>> + (lambda* (#:key outputs #:allow-other-keys)
>>>>>> + (let ((out (assoc-ref outputs "out")))
>>>>>> + (wrap-program (string-append out "/bin/octave")
>>>>>> + '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>>>>> + #t))))))
>>>>>
>>>>> Instead of wrapping you can add a native-search-path for CURLOPT_CAPATH
>>>>> (as with CURL_CA_BUNDLE for `curl`). That way installing certificates
>>>>> to the profile should be sufficient.
>>>>
>>>> Ah! Yes, this works when I add curl to the profile. I didn't do this the
>>>> first time. I'll upload a patch here soon.
>>>
>>> Here's the search path patch. With this, I needed both nss-certs and
>>> cURL installed alongside Octave to get certificates working.
>>
>> [...]
>>
>>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>>> index 6d45dc0cc..8bdba8655 100644
>>> --- a/gnu/packages/curl.scm
>>> +++ b/gnu/packages/curl.scm
>>> @@ -83,7 +83,10 @@
>>> (variable "CURL_CA_BUNDLE")
>>> (file-type 'regular)
>>> (separator #f) ;single entry
>>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>>> + (search-path-specification
>>> + (variable "CURLOPT_CAPATH")
>>> + (files '("etc/ssl/certs")))))
>>
>> Adding this native-search-path to the "octave" package should be
>> sufficient. Then you won't need curl in the profile, nor do we need to
>> rebuild all the things that depend on curl. Can you try that?
>
> Adding the native-search-path to the "octave" package works!

Excellent! :-)

[...]

> diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
> index d3e72128c..7389f972b 100644
> --- a/gnu/packages/maths.scm
> +++ b/gnu/packages/maths.scm
> @@ -1397,6 +1397,10 @@ can solve two kinds of problems:
> ("less" ,less)
> ("ghostscript" ,ghostscript)
> ("gnuplot" ,gnuplot)))
> + (native-search-paths
> + (list (search-path-specification
> + (variable "CURLOPT_CAPATH")
> + (files '("etc/ssl/certs")))))

LGTM.
Ludovic Courtès wrote on 19 Sep 2018 21:52
(name . Marius Bakke)(address . mbakke@fastmail.com)
87k1nhfenz.fsf@gnu.org
Hello,

Marius Bakke <mbakke@fastmail.com> skribis:

> Kei Kebreau <kkebreau@posteo.net> writes:

[...]

>> Here's the search path patch. With this, I needed both nss-certs and
>> cURL installed alongside Octave to get certificates working.

This is expected (see https://issues.guix.info/issue/22138), which is
why I wrote it wouldn’t quite solve the issue; still, it’s a step in the
right direction. :-)

>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>> index 6d45dc0cc..8bdba8655 100644
>> --- a/gnu/packages/curl.scm
>> +++ b/gnu/packages/curl.scm
>> @@ -83,7 +83,10 @@
>> (variable "CURL_CA_BUNDLE")
>> (file-type 'regular)
>> (separator #f) ;single entry
>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>> + (search-path-specification
>> + (variable "CURLOPT_CAPATH")
>> + (files '("etc/ssl/certs")))))
>
> Adding this native-search-path to the "octave" package should be
> sufficient.

I think we should avoid doing this though, because conceptually
CURLOPT_CAPATH “belongs” to cURL, not to Octave.

> Then you won't need curl in the profile, nor do we need to rebuild all
> the things that depend on curl. Can you try that?

The patch above can go to the next ‘core-updates’ IMO.

Kei, what about the two other options we discussed? Namely:

> 2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
> /etc/profile, like we already do for other variables.
>
> 3. We could document this variable under “X.509 Certificates” in the
> manual.

Thank you!

Ludo’.
Marius Bakke wrote on 19 Sep 2018 22:09
(name . Ludovic Courtès)(address . ludo@gnu.org)
87musdntad.fsf@fastmail.com
ludo@gnu.org (Ludovic Courtès) writes:

> Hello,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> Kei Kebreau <kkebreau@posteo.net> writes:
>
> [...]
>
>>> Here's the search path patch. With this, I needed both nss-certs and
>>> cURL installed alongside Octave to get certificates working.
>
> This is expected (see <https://issues.guix.info/issue/22138>), which is
> why I wrote it wouldn’t quite solve the issue; still, it’s a step in the
> right direction. :-)
>
>>> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
>>> index 6d45dc0cc..8bdba8655 100644
>>> --- a/gnu/packages/curl.scm
>>> +++ b/gnu/packages/curl.scm
>>> @@ -83,7 +83,10 @@
>>> (variable "CURL_CA_BUNDLE")
>>> (file-type 'regular)
>>> (separator #f) ;single entry
>>> - (files '("etc/ssl/certs/ca-certificates.crt")))))
>>> + (files '("etc/ssl/certs/ca-certificates.crt")))
>>> + (search-path-specification
>>> + (variable "CURLOPT_CAPATH")
>>> + (files '("etc/ssl/certs")))))
>>
>> Adding this native-search-path to the "octave" package should be
>> sufficient.
>
> I think we should avoid doing this though, because conceptually
> CURLOPT_CAPATH “belongs” to cURL, not to Octave.

Conceptually maybe, but to my knowledge libcurl itself does not support
run-time search paths (due to thread safety concerns IIRC).

This search path does seem to be Octave specific. From the ChangeLog:

2018-04-18 John W. Eaton <jwe@octave.org>

allow users to set path to CA certificates for cURL

* url-transfer.cc (curl_transfer::curl_transfer): Check for
CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
them to set the corresponding options for the cURL library.

Files: liboctave/util/url-transfer.cc
Ludovic Courtès wrote on 19 Sep 2018 22:18
(name . Marius Bakke)(address . mbakke@fastmail.com)
871s9pfdgm.fsf@gnu.org
Marius Bakke <mbakke@fastmail.com> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:

[...]

>>> Adding this native-search-path to the "octave" package should be
>>> sufficient.
>>
>> I think we should avoid doing this though, because conceptually
>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>
> Conceptually maybe, but to my knowledge libcurl itself does not support
> run-time search paths (due to thread safety concerns IIRC).
>
> This search path does seem to be Octave specific. From the ChangeLog:
>
> 2018-04-18 John W. Eaton <jwe@octave.org>
>
> allow users to set path to CA certificates for cURL
>
> * url-transfer.cc (curl_transfer::curl_transfer): Check for
> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
> them to set the corresponding options for the cURL library.
>
> Files: liboctave/util/url-transfer.cc

Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
that those variables are actually Octave-specific. :-)

Thank you!

Ludo’.
Kei Kebreau wrote on 20 Sep 2018 20:03
(name . Ludovic Courtès)(address . ludo@gnu.org)
87a7oct5av.fsf@posteo.net
ludo@gnu.org (Ludovic Courtès) writes:

> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>
> [...]
>
>>>> Adding this native-search-path to the "octave" package should be
>>>> sufficient.
>>>
>>> I think we should avoid doing this though, because conceptually
>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>
>> Conceptually maybe, but to my knowledge libcurl itself does not support
>> run-time search paths (due to thread safety concerns IIRC).
>>
>> This search path does seem to be Octave specific. From the ChangeLog:
>>
>> 2018-04-18 John W. Eaton <jwe@octave.org>
>>
>> allow users to set path to CA certificates for cURL
>>
>> * url-transfer.cc (curl_transfer::curl_transfer): Check for
>> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
>> them to set the corresponding options for the cURL library.
>>
>> Files: liboctave/util/url-transfer.cc
>
> Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
> that those variables are actually Octave-specific. :-)
>
> Thank you!
>
> Ludo’.

Is it really Octave-specific? It's defined in the libcurl API [0], so
other software could make use of the variable.

[0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html

Ludovic Courtès wrote on 24 Sep 2018 11:02
(name . Kei Kebreau)(address . kkebreau@posteo.net)
871s9jxo7o.fsf@gnu.org
Hello Kei,

Kei Kebreau <kkebreau@posteo.net> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Marius Bakke <mbakke@fastmail.com> skribis:
>>
>>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>> [...]
>>
>>>>> Adding this native-search-path to the "octave" package should be
>>>>> sufficient.
>>>>
>>>> I think we should avoid doing this though, because conceptually
>>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>>
>>> Conceptually maybe, but to my knowledge libcurl itself does not support
>>> run-time search paths (due to thread safety concerns IIRC).
>>>
>>> This search path does seem to be Octave specific. From the ChangeLog:
>>>
>>> 2018-04-18 John W. Eaton <jwe@octave.org>
>>>
>>> allow users to set path to CA certificates for cURL
>>>
>>> * url-transfer.cc (curl_transfer::curl_transfer): Check for
>>> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables. If set, use
>>> them to set the corresponding options for the cURL library.
>>>
>>> Files: liboctave/util/url-transfer.cc
>>
>> Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
>> that those variables are actually Octave-specific. :-)
>>
>> Thank you!
>>
>> Ludo’.
>
> Is it really Octave-specific? It's defined in the libcurl API [0], so
> other software could make use of the variable.
>
> [0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html

I think you’re both right. :-)

The ‘url-transfer.cc’ file in Octave mentioned above does this:

  std::string cainfo = sys::env::getenv ("CURLOPT_CAINFO");
  if (! cainfo.empty ())
    SETOPT (CURLOPT_CAINFO, cainfo.c_str ());

  std::string capath = sys::env::getenv ("CURLOPT_CAPATH");
  if (! capath.empty ())
    SETOPT (CURLOPT_CAPATH, capath.c_str ());

Based on that, I think it’s perfectly fine to add these two variables in
the ‘native-search-paths’ of Octave itself, probably with a comment
explaining that Octave really honors these variables by itself.

Feel free to push such a change!

Thank you,
Ludo’.
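
The two mechanisms debated in this thread, as an added example that is not part of the original messages and is not Guix or Octave code: a simplified Python model of the wrapper suffix from the first patch, of a native search path that is evaluated only when the declaring package is in the profile, and of the environment check in the url-transfer.cc excerpt above. The function names, the ':' separator and the temporary profile directories are assumptions made for the illustration; "nss-certs" stands for any package that installs etc/ssl/certs.

```python
import os
import tempfile

CERT_DIR = "etc/ssl/certs"  # the 'files' entry used in the patches


def wrapper_value(user_value, hard_coded="/etc/ssl/certs"):
    """Model of the ("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")) wrapper:
    the hard-coded directory is appended to whatever the user exported
    (':' separator assumed)."""
    return f"{user_value}:{hard_coded}" if user_value else hard_coded


def search_path_value(profile, installed, declared_by, files=(CERT_DIR,)):
    """Simplified model of a native search path: the variable is evaluated
    only when the package declaring it is in the profile, and it is set only
    to directories that really exist there. None means 'left unset'."""
    if declared_by not in installed:
        return None
    found = [os.path.join(profile, f) for f in files
             if os.path.isdir(os.path.join(profile, f))]
    return ":".join(found) if found else None


def octave_ca_options(env):
    """Same rule as the url-transfer.cc excerpt: an option is handed to
    libcurl only when its environment variable is non-empty."""
    return {name: env[name]
            for name in ("CURLOPT_CAINFO", "CURLOPT_CAPATH")
            if env.get(name)}


def build_profile(root, name, packages):
    """Create a constructed profile directory; in this model only
    'nss-certs' provides etc/ssl/certs."""
    profile = os.path.join(root, name)
    os.makedirs(profile)
    if "nss-certs" in packages:
        os.makedirs(os.path.join(profile, CERT_DIR))
    return profile


def scenarios(root):
    """Return {description: options Octave would pass to libcurl}."""
    cases = [
        ("curl declares it; octave + nss-certs",
         "curl", {"octave", "nss-certs"}),
        ("curl declares it; octave + nss-certs + curl",
         "curl", {"octave", "nss-certs", "curl"}),
        ("octave declares it; octave + nss-certs",
         "octave", {"octave", "nss-certs"}),
        ("octave declares it; octave only",
         "octave", {"octave"}),
    ]
    results = {}
    for index, (label, declared_by, installed) in enumerate(cases):
        profile = build_profile(root, f"profile-{index}", installed)
        value = search_path_value(profile, installed, declared_by)
        env = {"CURLOPT_CAPATH": value} if value else {}
        results[label] = octave_ca_options(env)
    # Wrapper approach: the user exported a private CA directory, yet the
    # system directory is still part of the value Octave receives.
    own = os.path.join(root, "my-cas")
    results["wrapper; user exported own dir"] = octave_ca_options(
        {"CURLOPT_CAPATH": wrapper_value(own)})
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, options in scenarios(tmp).items():
            print(f"{label:45} -> {options or 'nothing set, libcurl default'}")
```

An empty result means Octave passes no CA option and libcurl falls back to its built-in default, which is the case that produces the certificate error the thread set out to fix.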
Kei Kebreau wrote on 25 Sep 2018 03:43
(name . Ludovic Courtès)(address . ludo@gnu.org)
87in2utkqz.fsf@posteo.net
ludo@gnu.org (Ludovic Courtès) writes:

> Hello Kei,
>
> Kei Kebreau <kkebreau@posteo.net> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Marius Bakke <mbakke@fastmail.com> skribis:
>>>
>>>> ludo@gnu.org (Ludovic Courtès) writes:
>>>
>>> [...]
>>>
>>>>>> Adding this native-search-path to the "octave" package should be
>>>>>> sufficient.
>>>>>
>>>>> I think we should avoid doing this though, because conceptually
>>>>> CURLOPT_CAPATH “belongs” to cURL, not to Octave.
>>>>
>>>> Conceptually maybe, but to my knowledge libcurl itself does not support
>>>> run-time search paths (due to thread safety concerns IIRC).
>>>>
>>>> This search path does seem to be Octave specific. From the ChangeLog:
>>>>
>>>> 2018-04-18 John W. Eaton <jwe@octave.org>
>>>>
>>>> allow users to set path to CA certificates for cURL
>>>>
>>>> * url-transfer.cc (curl_transfer::curl_transfer): Check for
>>>> CURLOPT_CAINFO and CURLOPT_CAPATH environment variables.
>>>> If set, use
>>>> them to set the corresponding options for the cURL library.
>>>>
>>>> Files: liboctave/util/url-transfer.cc
>>>
>>> Oh, I stand corrected! Then the patch LGTM, maybe with a comment saying
>>> that those variables are actually Octave-specific. :-)
>>>
>>> Thank you!
>>>
>>> Ludo’.
>>
>> Is it really Octave-specific? It's defined in the libcurl API [0], so
>> other software could make use of the variable.
>>
>> [0]: https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html
>
> I think you’re both right. :-)
>
> The ‘url-transfer.cc’ file in Octave mentioned above does this:
>
> std::string cainfo = sys::env::getenv ("CURLOPT_CAINFO");
> if (! cainfo.empty ())
> SETOPT (CURLOPT_CAINFO, cainfo.c_str ());
>
> std::string capath = sys::env::getenv ("CURLOPT_CAPATH");
> if (! capath.empty ())
> SETOPT (CURLOPT_CAPATH, capath.c_str ());
>
> Based on that, I think it’s perfectly fine to add these two variables in
> the ‘native-search-paths’ of Octave itself, probably with a comment
> explaining that Octave really honors these variables by itself.
>
> Feel free to push such a change!
>
> Thank you,
> Ludo’.

Finally pushed to master! Thanks to both of you for reviewing this.
Closed
This issue is archived.
