guix refresh/download backtrace error when missing nss-certs

Status: Open
Participants: Leo Famulari, swedebugia
Owner: unassigned
Submitted by: swedebugia
Severity: normal

swedebugia wrote on 5 Nov 2018 12:16
(address . bug-guix@gnu.org)
c3452987-de4e-fc70-ef01-c0c717141561@riseup.net
In a qemu VM based on the image for 0.15 and pulled once I get:

sdb@komputilo ~$ git clone https://git.savannah.gnu.org/git/guix.git test
Cloning into 'test'...
Problem with the SSL CA cert (path? access rights?)

fails nicely in contrast to:

sdb@komputilo ~$ guix refresh artanis
Backtrace:
          13 (primitive-load "/home/sdb/.config/guix/current/bin/guix")
In guix/ui.scm:
  1578:12 12 (run-guix-command _ . _)
In ice-9/boot-9.scm:
    829:9 11 (catch srfi-34 #<procedure 28dd540 at guix/ui.scm:610:…> …)
    829:9 10 (catch system-error #<procedure 262fe10 at guix/script…> …)
In guix/scripts/refresh.scm:
   449:12  9 (_)
In srfi/srfi-1.scm:
    640:9  8 (for-each #<procedure 28e3f20 at guix/scripts/refresh.…> …)
In guix/scripts/refresh.scm:
    236:2  7 (check-for-package-update #<package artanis@0.2.1-3 gn…> …)
In guix/gnu-maintenance.scm:
   472:21  6 (latest-gnu-release _)
   457:16  5 (_)
In ice-9/boot-9.scm:
    829:9  4 (catch srfi-34 #<procedure 262fdc0 at guix/http-client…> …)
In guix/http-client.scm:
   182:20  3 (_)
    88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
In guix/build/download.scm:
    398:4  1 (open-connection-for-uri _ #:timeout _ # _)
    296:6  0 (tls-wrap #<closed: file 2641c40> _ # _)

guix/build/download.scm:296:6: In procedure tls-wrap:
X.509 certificate of 'ftp.gnu.org' could not be verified:
  signer-not-found
  invalid


I suggest we change it to fail nicely. I am willing to create a patch.
Would somebody be willing to mentor me?

As a start:

How do I check if nss-certs is installed?

This is the first thing we should do when handling https-URIs

(define tls-wrap is a quite complicated procedure, maybe an extra (if at
the body (of the let) will do?

something like

(if package-available? nss-certs

    true; continue

    false-> error nicely

--
Cheers
Swedebugia
Leo Famulari wrote on 5 Nov 2018 21:26
(name . swedebugia)(address . swedebugia@riseup.net)(address . 33272@debbugs.gnu.org)
20181105202650.GB19298@jasmine.lan
On Mon, Nov 05, 2018 at 12:16:08PM +0100, swedebugia wrote:
> I suggest we change it to fail nicely. I am willing to create a patch. Would
> somebody be willing to mentor me?
>
> As a start:
>
> How do I check if nss-certs is installed?
>
> This is the first thing we should do when handling https-URIs
>
> (define tls-wrap is a quite complicated procedure, maybe an extra (if at the
> body (of the let) will do?
>
> something like
>
> (if package-available? nss-certs
>
>     true; continue
>
>     false-> error nicely

IMO a better solution is to catch the error and print an informative
message. Already, the error message at the end is coming from Guix, but
we should hide the backtrace and add a hint towards a solution.

I think handling the TLS error gracefully is orthogonal to whether or
not nss-certs is installed.

There are other X.509 certificate collections available on the systems
that Guix supports, and even some Guix packages use their own
collections. Also, programs that need to look up certificates tend to
find them via environment variables, so if one wanted to use nss-certs,
it's not enough just to install it.

https://www.gnu.org/software/guix/manual/en/html_node/X_002e509-Certificates.html


swedebugia wrote on 5 Nov 2018 21:39
f700a2d4-7f80-e342-ce84-20a38add0f83@riseup.net
Hi

On 2018-11-05 21:26, Leo Famulari wrote:
> On Mon, Nov 05, 2018 at 12:16:08PM +0100, swedebugia wrote:
> IMO a better solution is to catch the error and print an informative
> message. Already, the error message at the end is coming from Guix, but
> we should hide the backtrace and add a hint towards a solution.
>
> I think handling the TLS error gracefully is orthogonal to whether or
> not nss-certs is installed.

Agreed.

>
> There are other X.509 certificate collections available on the systems
> that Guix supports, and even some Guix packages use their own
> collections. Also, programs that need to look up certificates tend to
> find them via environment variables, so if one wanted to use nss-certs,
> it's not enough just to install it.
>
> https://www.gnu.org/software/guix/manual/en/html_node/X_002e509-Certificates.html

Sounds like a good idea.

How do we catch the error?

--
Cheers
Swedebugia
Leo Famulari wrote on 5 Nov 2018 21:48
(name . swedebugia)(address . swedebugia@riseup.net)(address . 33272@debbugs.gnu.org)
20181105204802.GD19298@jasmine.lan
On Mon, Nov 05, 2018 at 09:39:15PM +0100, swedebugia wrote:
> How do we catch the error?

I am basically a novice Schemer still, so you will have to figure out
most of this on your own, unless someone else brings more advice :)

In general, dealing with exceptions in Guile:

https://www.gnu.org/software/guile/manual/html_node/Exceptions.html

There are lots of examples of how to use those mechanisms in the Guix
source code — the error message in your original email comes from a
caught exception in (guix build download).

You'll need to find out what is crashing and generating the backtrace,
and then decide what counts as a failure mode that we want to catch in
that context.
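
Added example (not part of the thread and not Guix's own code): one way to do what Leo describes above, catching the certificate failure so that a hint is printed instead of a backtrace. `fetch-over-tls`, `call-with-tls-hint`, the throw key and its argument layout are assumptions made for the illustration; `SSL_CERT_DIR` and `SSL_CERT_FILE` are variables documented on the X.509 Certificates manual page linked earlier in the thread.

```scheme
;; Added example, not code from Guix.  The throw key and its argument
;; layout are assumptions; `fetch-over-tls' is a hypothetical stand-in.
(use-modules (ice-9 format))

(define (fetch-over-tls host)
  ;; Stand-in for a fetch whose certificate check fails, using the
  ;; status symbols shown in the report above.
  (throw 'tls-certificate-error host '(signer-not-found invalid)))

(define (variable-status name)
  ;; Describe one certificate-related environment variable.
  (let ((value (getenv name)))
    (cond ((not value)
           (format #f "~a is unset" name))
          ((file-exists? value)
           (format #f "~a=~a" name value))
          (else
           (format #f "~a=~a (no such file or directory)" name value)))))

(define (certificate-hint)
  (string-append
   "hint: the server certificate could not be validated against a\n"
   "hint: trusted certificate collection.\n"
   "hint: " (variable-status "SSL_CERT_DIR") "\n"
   "hint: " (variable-status "SSL_CERT_FILE") "\n"
   "hint: install a collection such as nss-certs and point these\n"
   "hint: variables at it; see \"X.509 Certificates\" in the manual.\n"))

(define (call-with-tls-hint thunk)
  ;; Only the certificate failure is caught; any other exception still
  ;; propagates.  Verification is never skipped or retried.
  (catch 'tls-certificate-error
    thunk
    (lambda (key host status)
      (format (current-error-port)
              "error: X.509 certificate of '~a' could not be verified: ~a~%~a"
              host status (certificate-hint))
      #f)))

;; Prints the error and the hint lines, with no backtrace.
(call-with-tls-hint (lambda () (fetch-over-tls "ftp.gnu.org")))
```

The handler reports the state of the environment rather than testing for one package, which matches the point that installing nss-certs alone is not enough.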


swedebugia wrote on 6 Nov 2018 12:42
(name . Leo Famulari)(address . leo@famulari.name)(address . 33272@debbugs.gnu.org)
a76aa405-f804-587c-85c9-ff6cbc4f5835@riseup.net
Hi

On 2018-11-05 21:48, Leo Famulari wrote:
> On Mon, Nov 05, 2018 at 09:39:15PM +0100, swedebugia wrote:
>> How do we catch the error?
> I am basically a novice Schemer still, so you will have to figure out
> most of this on your own, unless someone else brings more advice :)

Me too

> In general, dealing with exceptions in Guile:
>
> https://www.gnu.org/software/guile/manual/html_node/Exceptions.html
>
> There are lots of examples of how to use those mechanisms in the Guix
> source code — the error message in your original email comes from a
> caught exception in (guix build download).
>
> You'll need to find out what is crashing and generating the backtrace,
> and then decide what counts as a failure mode that we want to catch in
> that context.
Thank you for the tips. This sounds too complicated for me to bite at my
current skill level.

--
Cheers
Swedebugia
Leo Famulari wrote on 6 Nov 2018 18:36
(name . swedebugia)(address . swedebugia@riseup.net)(address . 33272@debbugs.gnu.org)
20181106173642.GC3232@jasmine.lan
On Tue, Nov 06, 2018 at 12:42:07PM +0100, swedebugia wrote:
> Thank you for the tips. This sounds too complicated for me to bite at my
> current skill level.

Perhaps, but you may be surprised what you can achieve with a few hours
of focused reading and trial-and-error experimentation. If you find the
time and motivation I recommend you give it a shot!

