Remove direct dependencies on the nss-certs certificate store

  • Open
Details
2 participants
  • Leo Famulari
  • Mathieu Othacehe
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 21 Dec 2021 01:36
(address . guix-patches@gnu.org)
YcEhjz3Fm6ekOXhs@jasmine.lan
Three packages depend directly on nss-certs: ldns, pypy3, and icedtea6.

This is a problem because certificates expire. When that happens, the
features of these programs that use X.509 certificates will stop
working. Instead, packages should look up certificates at run-time in
unversioned and well-known locations such as /etc/ssl/certs or via
environment variables like $SSL_CERT_DIR.

I'll send a patch removing the dependency from ldns.

pypy3 does not build anyway because its runpath cannot be successfully
validated, but I will investigate anyway after disabling the runpath
validator.

Icedtea6 is a very complex package. I assume it depends on the
certificates directly for a good reason, but I would still appreciate
some feedback on it.


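As an added example, not code from this thread or from Guix itself: the report's point is that a built output must not carry a store path into a particular nss-certs version. Guix enforces that with #:disallowed-references, which scans an output for store paths. The POSIX shell script below emulates that scan over a constructed output tree (the store hash and nss-certs version in it are made up), and the ca_dir_at_runtime helper is an illustrative function showing the run-time lookup the report recommends: $SSL_CERT_DIR first, then the unversioned well-known directory.

```shell
#!/bin/sh
# Added example for bug#52690, not code from Guix or from the patches in the
# thread. It emulates the check that Guix's #:disallowed-references performs:
# scan a built output for store paths of the nss-certs package, which is how a
# versioned certificate snapshot ends up baked into a binary. The store hash
# and nss-certs version used in the sample tree below are constructed.
set -eu

# Guix store items are named /gnu/store/<32-char nix-base32 hash>-<name>-<ver>.
# nix-base32 omits the letters e, o, t and u, hence the character class.
NSS_CERTS_REF='/gnu/store/[0-9a-df-np-sv-z]\{32\}-nss-certs-'

# Print every regular file under $1 that contains an nss-certs store path.
# Empty output means the tree would pass a disallowed-references check.
find_nss_certs_refs() {
  find "$1" -type f -exec grep -l "$NSS_CERTS_REF" {} + 2>/dev/null || true
}

# Number of offending files; a build hook would turn non-zero into a failure.
count_nss_certs_refs() {
  find_nss_certs_refs "$1" | grep -c . || true
}

# Resolve the CA directory at run time, as the report recommends:
# $SSL_CERT_DIR (which OpenSSL honours) wins, else the well-known path.
ca_dir_at_runtime() {
  printf '%s\n' "${SSL_CERT_DIR:-/etc/ssl/certs}"
}

# Constructed output tree: one file with a baked-in store path (the shape the
# pre-patch ldns had via "--with-ca-path=<nss-certs item>/etc/ssl/certs") and
# one with the post-patch unversioned path. Prints the directory it created.
make_sample_output() {
  dir=$(mktemp -d)
  mkdir -p "$dir/bin"
  printf 'ca_path=/gnu/store/0123456789abcdfghijklmnpqrsvwxyz-nss-certs-3.71/etc/ssl/certs\n' \
    > "$dir/bin/baked"
  printf 'ca_path=/etc/ssl/certs\n' > "$dir/bin/clean"
  printf '%s\n' "$dir"
}

# Stand-alone demonstration.
sample=$(make_sample_output)
echo "nss-certs references under $sample:"
find_nss_certs_refs "$sample"
echo "offending files: $(count_nss_certs_refs "$sample")"
echo "CA directory at run time: $(ca_dir_at_runtime)"
rm -rf "$sample"
```

On a real system the authoritative check is `guix gc --references $(guix build ldns)`, which lists the store items an output refers to; the script only reproduces the idea so the failure mode (a store path of a specific nss-certs version surviving into the output) is visible offline.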
Leo Famulari wrote on 21 Dec 2021 01:37
[PATCH] gnu: ldns: Do not depend directly on nss-certs.
(address . 52690@debbugs.gnu.org)
f5ff2224e85326d0eabc80014ff8a448052204d9.1640047061.git.leo@famulari.name
If ldns depends on a particular version of nss-certs, the features that use the
certificates will eventually stop working as the certificates expire. Instead,
the certificates should be found at run-time.

* gnu/packages/dns.scm (ldns)[inputs]: Remove nss-certs.
[arguments]: Adjust the value of "--with-ca-path" in #:configure-flags.
---
gnu/packages/dns.scm | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 5c5f95537b..269d312487 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -40,7 +40,6 @@ (define-module (gnu packages dns)
#:use-module (gnu packages autotools)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
- #:use-module (gnu packages certs)
#:use-module (gnu packages check)
#:use-module (gnu packages curl)
#:use-module (gnu packages databases)
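Review bot: dropping `#:use-module (gnu packages certs)` is only safe if `nss-certs` was the sole binding from that module used anywhere in dns.scm; the hunk shows just the import line, so the commit message should state that the rest of the file was checked (a remaining use would surface only as an unbound-variable error when the module is loaded, not at review time).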
@@ -178,9 +177,7 @@ (define-public ldns
;; "--with-p5-dns-ldns"
(string-append "--with-ssl="
(assoc-ref %build-inputs "openssl"))
- (string-append "--with-ca-path="
- (assoc-ref %build-inputs "nss-certs")
- "/etc/ssl/certs"))
+ (string-append "--with-ca-path=/etc/ssl/certs"))
#:make-flags
(list
(string-append "drillbindir="
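Review bot: `--with-ca-path=/etc/ssl/certs` is still a compile-time constant, so "found at run-time" in the commit message holds only in the sense that the path is no longer a store item; on a host without a populated /etc/ssl/certs the built drill/ldns has no trust anchors at all. The message should state that expectation explicitly and say whether `$SSL_CERT_DIR`, named as the alternative in the bug report, overrides the baked path at run time, so users on foreign distributions know which of the two to provide.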
@@ -210,7 +207,7 @@ (define-public ldns
("python" ,python-wrapper)
("swig" ,swig)))
(inputs
- (list libpcap nss-certs openssl))
+ (list libpcap openssl))
(synopsis "DNS library that facilitates DNS tool programming")
(description "LDNS aims to simplify DNS programming, it supports recent
RFCs like the DNSSEC documents, and allows developers to easily create
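Review bot: removing nss-certs from `inputs` does not stop it from coming back through a transitive input or a future edit; consider pairing this with `#:disallowed-references (,nss-certs)` in `arguments`, as the pypy3 and IcedTea patches in this thread do, so a build that re-embeds a versioned certificate store path fails instead of silently regressing.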
--
2.34.0
Leo Famulari wrote on 21 Dec 2021 03:48
[PATCH] gnu: pypy3: Prohibit references to nss-certs.
(address . 52690@debbugs.gnu.org)
5742fb16c598572330f273d8259e1ccfab5b1b03.1640054899.git.leo@famulari.name
Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.

* gnu/packages/python.scm (pypy3)[arguments]: Add nss-certs
to #:disallowed-references.
---
gnu/packages/python.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index f0d2fd6eb8..23f188c6f9 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -780,6 +780,7 @@ (define-public pypy3
`(#:tests? #f ;FIXME: 43 out of 364 tests are failing
#:modules ((ice-9 ftw) (ice-9 match)
(guix build utils) (guix build gnu-build-system))
+ #:disallowed-references (,nss-certs)
#:phases (modify-phases %standard-phases
(delete 'configure)
(add-after 'unpack 'patch-source
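Review bot: `,nss-certs` is unquoted inside the quasiquoted `arguments` list, so `nss-certs` must be bound in python.scm, i.e. `(gnu packages certs)` must be among the file's `#:use-module` clauses; the hunk does not show that, and if the old code reached it only through a string such as `(assoc-ref %build-inputs "nss-certs")`, the module may not be imported. Separately, the bug report lists pypy3 as depending directly on nss-certs, but this hunk only forbids references and leaves the input in place; a reference check passes whenever no store path survives in the output, so if pypy3 copies the certificate bundle at build time (the case described for IcedTea later in the thread) it still ships an expiring snapshot. Dropping nss-certs from the inputs as well, as the ldns patch does, is what closes that gap.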
--
2.34.0
Mathieu Othacehe wrote on 26 Dec 2021 18:37
Re: bug#52690: Remove direct dependencies on the nss-certs certificate store
(name . Leo Famulari)(address . leo@famulari.name)(address . 52690@debbugs.gnu.org)
87a6gnp8r3.fsf@gnu.org
Hello Leo,

> I'll send a patch removing the dependency from ldns.
>
> pypy3 does not build anyways because its runpath cannot be successfully
> validated, but I will investigate anyways after disabling the runpath
> validator.

The ldns and pypy3 patches make sense to me.

Thanks,

Mathieu
Leo Famulari wrote on 26 Dec 2021 22:32
[PATCH] gnu: IcedTea: Prohibit references to nss-certs.
(address . 52690@debbugs.gnu.org)
6fca92dfa3101c383f62c2569d87ff4e48e63764.1640554102.git.leo@famulari.name
I checked, and neither of these packages keeps references to nss-certs.
So, although this change will cause rebuilds, it shouldn't cause any
functional changes.

However, my understanding is that the IcedTea packages actually copy the
NSS certificate store, so there wouldn't be a reference anyway, but we
would have the problem of "software that expires".

Built packages should not refer to nss-certs, to prevent errant hard-coding of a
certificate store version.

* gnu/packages/java.scm (icedtea-7, icedtea-8)[arguments]: Add nss-certs
to #:disallowed-references.
---
gnu/packages/java.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 0a757b2391..91a16bb53d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -812,6 +812,8 @@ (define-public icedtea-7
;; gremlin) doesn't support it yet, so skip this phase.
#:validate-runpath? #f
+ #:disallowed-references (,nss-certs)
+
#:modules ((guix build utils)
(guix build gnu-build-system)
(ice-9 match)
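Review bot: the second `+` line adds a stray blank line between `#:disallowed-references` and `#:modules` that the neighbouring keyword arguments do not have; drop it. `,nss-certs` also requires the enclosing `arguments` form to be quasiquoted and `(gnu packages certs)` to be imported in java.scm, neither of which is visible in this context (the icedtea-8 hunk's existing `,(list ...)` shows quasiquote there, but the icedtea-7 context shown here starts below the opening backquote). Finally, the bug report named icedtea6 while this patch touches icedtea-7 and icedtea-8; the commit message should say whether icedtea-6 is covered (for instance through inheritance) or remains to do.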
@@ -1376,7 +1378,8 @@ (define-public icedtea-8
(guix build syscalls)
,@%gnu-build-system-modules)
- #:disallowed-references ,(list (gexp-input icedtea-7 "jdk"))
+ #:disallowed-references ,(list (gexp-input icedtea-7 "jdk")
+ nss-certs)
,@(substitute-keyword-arguments (package-arguments icedtea-7)
((#:modules modules)
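Review bot: the `,@(substitute-keyword-arguments (package-arguments icedtea-7) ...)` splice just below now imports icedtea-7's own `#:disallowed-references (,nss-certs)`, so after this change the keyword appears twice in icedtea-8's argument list, once here and once from the inherited arguments; either add a comment saying which occurrence the build system honours and why nss-certs is repeated, or fold the addition into the `substitute-keyword-arguments` form so there is a single source of truth. As a style point, mixing `(gexp-input icedtea-7 "jdk")` with the bare package object `nss-certs` reads inconsistently; `(gexp-input nss-certs)` would match the existing line.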
--
2.34.0
Leo Famulari wrote on 26 Dec 2021 21:55
Re: bug#52690: Remove direct dependencies on the nss-certs certificate store
(name . Mathieu Othacehe)(address . othacehe@gnu.org)(address . 52690@debbugs.gnu.org)
YcjWt78nb1XN3oqC@jasmine.lan
On Sun, Dec 26, 2021 at 06:37:52PM +0100, Mathieu Othacehe wrote:
>
> Hello Leo,
>
> > I'll send a patch removing the dependency from ldns.
> >
> > pypy3 does not build anyways because its runpath cannot be successfully
> > validated, but I will investigate anyways after disabling the runpath
> > validator.
>
> The ldns and pypy3 patches make sense to me.

Thanks, pushed.