GNU bug report logs - #25200: guix lint throws gnutls error
Report forwarded to bug-guix <at> gnu.org: bug#25200; Package guix. (Wed, 14 Dec 2016 17:33:02 GMT)
Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 14 Dec 2016 17:33:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hello Guix!
I'm using an up-to-date Guix (running directly from the Git tree) and
recently started getting the following gnutls errors when attempting to
run "guix lint some-package". This happens for any package.
The complete error traceback returned on the console looks like:
guix lint icecat
gnu/packages/gnuzilla.scm:304:2: icecat-45.5.1-gnu1: file names of patches should start with the package name
Backtrace:cecat-45.5.1-gnu1 [cve]...
In ice-9/boot-9.scm:
160: 17 [catch #t #<catch-closure 2855e20> ...]
In unknown file:
?: 16 [apply-smob/1 #<catch-closure 2855e20>]
In ice-9/boot-9.scm:
66: 15 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
432: 14 [eval # #]
In ice-9/boot-9.scm:
2404: 13 [save-module-excursion #<procedure 2875900 at ice-9/boot-9.scm:4051:3 ()>]
4056: 12 [#<procedure 2875900 at ice-9/boot-9.scm:4051:3 ()>]
1727: 11 [%start-stack load-stack ...]
1732: 10 [#<procedure 2889b70 ()>]
In unknown file:
?: 9 [primitive-load "/gnu/store/qxawdi2q9bhr9x4v57wbnj8y5krhhm3p-guix-0.11.0-8.8d12/bin/.guix-real"]
In guix/ui.scm:
1222: 8 [run-guix-command lint "icecat"]
In srfi/srfi-1.scm:
616: 7 [for-each #<procedure 35c4680 at guix/scripts/lint.scm:1056:20 (spec)> #]
In guix/scripts/lint.scm:
964: 6 [run-checkers # #]
In srfi/srfi-1.scm:
616: 5 [for-each #<procedure 3dcf2a0 at guix/scripts/lint.scm:964:14 (checker)> #]
In guix/scripts/lint.scm:
786: 4 [check-vulnerabilities #]
781: 3 [#<procedure 35c2b00 at guix/scripts/lint.scm:771:4 (package)> #]
In unknown file:
?: 2 [force #<promise #<procedure 35c2be0 at guix/scripts/lint.scm:769:16 ()>>]
In guix/scripts/lint.scm:
770: 1 [#<procedure 35c2be0 at guix/scripts/lint.scm:769:16 ()>]
In ice-9/boot-9.scm:
160: 0 [catch srfi-34 #<procedure 35c2ce0 at guix/scripts/lint.scm:743:2 ()> ...]
ice-9/boot-9.scm:160:17: In procedure catch:
ice-9/boot-9.scm:160:17: Throw to key `gnutls-error' with args `(#<gnutls-error-enum Error while reading file.> set-certificate-credentials-x509-trust-file!)'.
I'm using GuixSD and ran "sudo guix system reconfigure /etc/config.scm"
prior to sending this report, so everything should be current. This
config contains the nss-certs package, which should include gnutls, I
believe. Here's my config, in case:
[config.scm (text/plain, inline)]
;; This is an operating system configuration template
;; for a "desktop" setup without full-blown desktop
;; environments.

(use-modules (gnu) (gnu system nss))
(use-service-modules desktop)
(use-package-modules wm ratpoison certs)

(operating-system
  (host-name "apteryx")
  (timezone "America/Los_Angeles")
  (locale "en_US.UTF-8")

  ;; Assuming /dev/sdX is the target hard disk, and "my-root"
  ;; is the label of the target root file system.
  (bootloader (grub-configuration (device "/dev/sda")))
  (file-systems (cons (file-system
                        (device "my-root")
                        (title 'label)
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (users (cons (user-account
                (name "maxim")
                (comment "Maxim Cournoyer")
                (group "users")
                (supplementary-groups '("wheel" "netdev"
                                        "audio" "video"))
                (home-directory "/home/maxim"))
               %base-user-accounts))

  ;; Add a bunch of window managers; we can choose one at
  ;; the log-in screen with F1.
  (packages (cons* ratpoison ; i3-wm xmonad ;window managers
                   nss-certs ;for HTTPS access
                   %base-packages))

  ;; Use the "desktop" services, which include the X11
  ;; log-in service, networking with Wicd, and more.
  (services %desktop-services)

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))
Information forwarded to bug-guix <at> gnu.org: bug#25200; Package guix. (Thu, 15 Dec 2016 16:17:01 GMT)
Message #8 received at 25200 <at> debbugs.gnu.org:
Hi Maxim!
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> I'm using an up-to-date Guix (running directly from the Git tree) and
> recently started getting the following gnutls errors when attempting to
> run "guix lint some-package". This happens for any package.
>
> The complete error traceback returned on the console looks like:
>
> guix lint icecat
> gnu/packages/gnuzilla.scm:304:2: icecat-45.5.1-gnu1: file names of patches should start with the package name
[...]
> In guix/scripts/lint.scm:
> 786: 4 [check-vulnerabilities #]
> 781: 3 [#<procedure 35c2b00 at guix/scripts/lint.scm:771:4 (package)> #]
> In unknown file:
> ?: 2 [force #<promise #<procedure 35c2be0 at guix/scripts/lint.scm:769:16 ()>>]
> In guix/scripts/lint.scm:
> 770: 1 [#<procedure 35c2be0 at guix/scripts/lint.scm:769:16 ()>]
> In ice-9/boot-9.scm:
> 160: 0 [catch srfi-34 #<procedure 35c2ce0 at guix/scripts/lint.scm:743:2 ()> ...]
>
> ice-9/boot-9.scm:160:17: In procedure catch:
> ice-9/boot-9.scm:160:17: Throw to key `gnutls-error' with args `(#<gnutls-error-enum Error while reading file.> set-certificate-credentials-x509-trust-file!)'.
What is the value of SSL_CERT_DIR? Could it be that the directory it
points to contains dangling symlinks?
The logic for this is in (guix build download); search for “x509”.
Thanks for your report!
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#25200; Package guix. (Fri, 16 Dec 2016 00:00:02 GMT)
Message #11 received at 25200 <at> debbugs.gnu.org:
On 15/12/16 16:15, Ludovic Courtès wrote:
> Hi Maxim!
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
>
>> I'm using an up-to-date Guix (running directly from the Git tree) and
>> recently started getting the following gnutls errors when attempting to
>> run "guix lint some-package". This happens for any package.
>>
>> The complete error traceback returned on the console looks like:
>>
>> guix lint icecat
>> gnu/packages/gnuzilla.scm:304:2: icecat-45.5.1-gnu1: file names of patches should start with the package name
>
> [...]
>
>> In guix/scripts/lint.scm:
>> 786: 4 [check-vulnerabilities #]
>> 781: 3 [#<procedure 35c2b00 at guix/scripts/lint.scm:771:4 (package)> #]
>> In unknown file:
>> ?: 2 [force #<promise #<procedure 35c2be0 at guix/scripts/lint.scm:769:16 ()>>]
>> In guix/scripts/lint.scm:
>> 770: 1 [#<procedure 35c2be0 at guix/scripts/lint.scm:769:16 ()>]
>> In ice-9/boot-9.scm:
>> 160: 0 [catch srfi-34 #<procedure 35c2ce0 at guix/scripts/lint.scm:743:2 ()> ...]
>>
>> ice-9/boot-9.scm:160:17: In procedure catch:
>> ice-9/boot-9.scm:160:17: Throw to key `gnutls-error' with args `(#<gnutls-error-enum Error while reading file.> set-certificate-credentials-x509-trust-file!)'.
I hit this on Wednesday. I think it's a problem in the profile generation
code, related to character encoding, and possibly to do with locales.
It was triggered by the recent nss-certs update, but I don't think that
has anything to do with it, apart from introducing some files with names
including non-ascii characters.
I've filed bug#25213 about this, which includes instructions to reproduce it.
Information forwarded to bug-guix <at> gnu.org: bug#25200; Package guix. (Fri, 16 Dec 2016 17:58:01 GMT)
Message #14 received at 25200 <at> debbugs.gnu.org:
Hi Ludovic!
ludo <at> gnu.org (Ludovic Courtès) writes:
> What is the value of SSL_CERT_DIR? Could it be that the directory it
> points to contains dangling symlinks?
The value of SSL_CERT_DIR is "/etc/ssl/certs".
Looking for dangling symlinks, I got:
find /etc/ssl/certs/ -xtype l
/etc/ssl/certs/T??RKTRUST_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??_H6:2.6.125.161.242.101.236.138.pem
/etc/ssl/certs/Certinomis_-_Autorit??_Racine:2.1.1.pem
/etc/ssl/certs/T??B??TAK_UEKAE_K??k_Sertifika_Hizmet_Sa??lay??c??s??_-_S??r??m_3:2.1.17.pem
/etc/ssl/certs/T??RKTRUST_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??_H5:2.7.0.142.23.254.36.32.129.pem
/etc/ssl/certs/NetLock_Arany_=Class_Gold=_F??tan??s??tv??ny:2.6.73.65.44.228.0.16.pem
/etc/ssl/certs/AC_Ra??z_Certic??mara_S.A.:2.15.7.126.82.147.123.224.21.227.87.240.105.140.203.236.12.pem
It seems this could be related to the non-ascii characters in the
certificates?
Upon further reading of bug 25213 created by Christopher Baines, I'm
pretty sure those are the same issues. I see that a workaround was
committed in 580deec5b44d623e994e59ef07e9e0c5496762fd, which will ignore
the broken symlinks. Shouldn't Guix be able to handle non-ascii
characters in the default install?
And is this what you fixed in 1af0860e8 by having the profiles built in a
UTF-8 locale?
I've rebuilt Guix with the latest commits and can lint packages again.
I guess both these issues (25200, 25213) can be marked as "Fixed" (not
sure how to do that via the email interface yet -- it seems I should read
https://debbugs.gnu.org/server-control.html).
Thanks for the fixes!
Maxim
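The check discussed in this thread (dangling symlinks in the SSL_CERT_DIR directory, some with non-ASCII names, and a loader that skips them) as an added shell example; it is not part of the original messages and not Guix's own code. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Guix code.

# True if NAME contains any byte outside printable ASCII.
has_non_ascii() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Print "usable=N dangling=N non_ascii_dangling=N" for certificate directory DIR.
audit_cert_dir() {
    usable=0; dangling=0; nonascii=0
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then      # symlink whose target is gone
            dangling=$((dangling + 1))
            if has_non_ascii "${f##*/}"; then nonascii=$((nonascii + 1)); fi
        elif [ -f "$f" ] && [ -r "$f" ]; then      # file, or symlink that resolves
            usable=$((usable + 1))
        fi
    done
    echo "usable=$usable dangling=$dangling non_ascii_dangling=$nonascii"
}

# Print only the entries a loader that skips broken symlinks would read.
usable_trust_files() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -r "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample directory: one real file, one valid link, two dangling
# links (one with a UTF-8 name written as octal escapes).
make_sample_dir() {
    d=$(mktemp -d)
    echo 'placeholder, not a real certificate' > "$d/ca-a.pem"
    ln -s "$d/ca-a.pem" "$d/ca-b.pem"
    ln -s "$d/missing-1" "$d/old-ca.pem"
    ln -s "$d/missing-2" "$d/$(printf 'Autorit\303\251_Racine.pem')"
    echo "$d"
}

dir=$(make_sample_dir)
audit_cert_dir "$dir"
usable_trust_files "$dir"
rm -rf "$dir"
```

Running `audit_cert_dir "$SSL_CERT_DIR"` on a real system gives the same counts that `find "$SSL_CERT_DIR" -xtype l` lists entry by entry.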
Information forwarded to bug-guix <at> gnu.org: bug#25200; Package guix. (Sat, 17 Dec 2016 01:44:01 GMT)
Message #17 received at 25200 <at> debbugs.gnu.org:
Never mind about my last message, I re-read your reply on the bug 25213
thread and found the answer to all of my questions.
Sorry for my poor reading skills ;)
Maxim
On Fri, Dec 16, 2016 at 9:57 AM, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
wrote:
>
> Hi Ludovic!
>
> ludo <at> gnu.org (Ludovic Courtès) writes:
>
> > What is the value of SSL_CERT_DIR? Could it be that the directory it
> > points to contains dangling symlinks?
>
> The value of SSL_CERT_DIR is "/etc/ssl/certs".
>
> Looking for dangling symlinks, I got:
>
> find /etc/ssl/certs/ -xtype l
> /etc/ssl/certs/T??RKTRUST_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??_H6:2.6.125.161.242.101.236.138.pem
> /etc/ssl/certs/Certinomis_-_Autorit??_Racine:2.1.1.pem
> /etc/ssl/certs/T??B??TAK_UEKAE_K??k_Sertifika_Hizmet_Sa??lay??c??s??_-_S??r??m_3:2.1.17.pem
> /etc/ssl/certs/T??RKTRUST_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??_H5:2.7.0.142.23.254.36.32.129.pem
> /etc/ssl/certs/NetLock_Arany_=Class_Gold=_F??tan??s??tv??ny:2.6.73.65.44.228.0.16.pem
> /etc/ssl/certs/AC_Ra??z_Certic??mara_S.A.:2.15.7.126.82.147.123.224.21.227.87.240.105.140.203.236.12.pem
>
> It seems this could be related to the non-ascii characters in the
> certificates?
>
> Upon further reading of bug 25213 created by Christopher Baines, I'm
> pretty sure those are the same issues. I see that a workaround was
> committed in 580deec5b44d623e994e59ef07e9e0c5496762fd, which will ignore
> the broken symlinks. Shouldn't Guix be able to handle non-ascii
> characters in the default install?
>
> And is this what you fixed in 1af0860e8 by having the profiles built in a
> UTF-8 locale?
>
> I've rebuilt Guix with the latest commits and can lint packages again.
> I guess both these issues (25200, 25213) can be marked as "Fixed" (not
> sure how to do that via the email interface yet -- it seems I should read
> https://debbugs.gnu.org/server-control.html).
>
> Thanks for the fixes!
>
> Maxim
>
Reply sent to ludo <at> gnu.org (Ludovic Courtès): You have taken responsibility. (Sat, 17 Dec 2016 18:52:01 GMT)
Notification sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: bug acknowledged by developer. (Sat, 17 Dec 2016 18:52:02 GMT)
Message #22 received at 25200-done <at> debbugs.gnu.org:
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> Never mind about my last message, I re-read your reply on the bug 25213
> thread and found the answer to all of my questions.
>
> Sorry for my poor reading skills ;)
No problem! Closing this bug now.
Thank you,
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 15 Jan 2017 12:24:03 GMT)
This bug report was last modified 8 years and 215 days ago.