On Tue, Jan 31, 2023 at 12:34:16PM +0100, Simon Tournier wrote:
Toggle quote (16 lines)
> Hi,
>
> On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg <theodore.ehrenborg@gmail.com> wrote:
>
> > Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> > system's ca-certificates.crt.
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168
>
> This trick is not possible, IIUC.
>
> > Is there a way I could rebuild my own slightly modified Julia with a link
> > like that?
>
> Maybe, by adding the package nss-certs as propagated-inputs in the
> definition of julia.
By itself I don't think this would do anything.
Toggle quote (29 lines)
> > I understand that there's probably a good reason that Guix's Julia doesn't
> > by default have cert.pem, but I would be pleased with a hacky custom
> > solution if it made Jupyter notebooks work.
>
> The reason is security. ;-) It’s Julia that does poorly here.
>
> As pointed with the upstream package MbedTLS.jl, the fix should come
> from Julia itself; therefore, it could be worth to open an issue, if it
> is not already the case. ;-)
>
> From my understanding, the culprit is this [1]:
>
> --8<---------------cut here---------------start------------->8---
> function __init__()
> global artifact_dir = dirname(Sys.BINDIR)
> global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
> end
> --8<---------------cut here---------------end--------------->8---
>
> And it is not clear for me if NetworkOptions.jl [2] provides the option
> of not, and I am missing why Julia itself does not depend on it.
>
> 1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
> 2: https://github.com/JuliaLang/NetworkOptions.jl
>
>
> Efraim, do you think it would be possible to patch Julia to point to
> some certificates via bundled_ca_roots or ca_roots_path?
In the initial patch for julia-1.8.1 I think there was a substitution to
hardcode /etc/ssl/something instead for 'global cacert' but I took that
out since we don't like hardcoding that.
GIT_SSL_CAINFO=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
CURL_CA_BUNDLE=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/run/current-system/profile/etc/ssl/certs/ca-certificates.crt
I think it would be fine to tell Julia to look at SSL_CERT_FILE as the
cacert so it can be overridden as desired, and then we can add a
(native-?)search-path to Julia for SSL_CERT_FILE.
Does anyone know offhand how to get the environment variable? If not
I'll grep the sources and then look online.
Toggle quote (17 lines)
> Well, somehow turn back these tests:
>
> --8<---------------cut here---------------start------------->8---
> ;; julia embeds a certificate, we are not doing that
> (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
> (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
> "@test_broken isfile(MozillaCACerts_jll.cacert)"))
> ;; since certificate is not present some tests are failing in network option
> (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
> (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
> "@test_broken isfile(bundled_ca_roots())")
> (("@test ispath\\(ca_roots_path\\(\\)\\)")
> "@test_broken ispath(ca_roots_path())")
> (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
> "@test_broken ca_roots_path() != bundled_ca_roots()"))
> --8<---------------cut here---------------end--------------->8---
That one might be a little harder, I'd rather not add nss-certs to the
build just for the test suite, but I'll see how it goes. Or at least
update the comment afterward.
Toggle quote (4 lines)
>
> Cheers,
> simon
--
Efraim Flashner <efraim@flashner.co.il> ????? ?????
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
