GNU bug report logs - #32530
[PATCH] gnu: octave: Fix CA certificate use.

Previous Next

Package: guix-patches;

Reported by: Kei Kebreau <kkebreau <at> posteo.net>

Date: Sun, 26 Aug 2018 00:43:02 UTC

Severity: normal

Tags: patch

Done: Kei Kebreau <kkebreau <at> posteo.net>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Kei Kebreau <kkebreau <at> posteo.net>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 32530 <at> debbugs.gnu.org
Subject: [bug#32530] [PATCH] gnu: octave: Fix CA certificate use.
Date: Fri, 14 Sep 2018 21:54:35 -0400

Kei Kebreau <kkebreau <at> posteo.net> writes:

> ludo <at> gnu.org (Ludovic Courtès) writes:
>
>> Hi,
>>
>> Kei Kebreau <kkebreau <at> posteo.net> skribis:
>>
>>> * gnu/packages/maths.scm (octave)[arguments]: Add 'wrap-program'
>>> phase to wrap
>>> Octave with the path to system CA certificates.
>>
>> [...]
>>
>>> +         (add-after 'install 'wrap-program
>>> +           (lambda* (#:key outputs #:allow-other-keys)
>>> +             (let ((out (assoc-ref outputs "out")))
>>> +               (wrap-program (string-append out "/bin/octave")
>>> +                 '("CURLOPT_CAPATH" suffix ("/etc/ssl/certs")))
>>
>> Users might want to ignore /etc/ssl/certs altogether and instead only
>> use their own set of certificates, so I’m rather reluctant to such a
>> change.
>>
>> Now, I agree that there’s a usability problem: we don’t want every
>> Octave user to stumble upon a certificate error message.  I can think of
>> several solutions:
>>
>>   1. We could add CURLOPT_CAPATH to the ‘native-search-paths’ of ‘curl’,
>>      assuming that variable is honored by libcurl itself.  It won’t
>>      solve this immediate issue, but it sounds like “the right way.”
>>
>>   2. On GuixSD, we could define CURLOPT_CAPATH=/etc/ssl/certs in
>>      /etc/profile, like we already do for other variables.
>>
>>   3. We could document this variable under “X.509 Certificates” in the
>>      manual.
>>
>> #1 would have to go to ‘core-updates’.  WDYT?
>>
>> Thanks,
>> Ludo’.
>
> I don't mind putting #1 on 'core-updates' assuming it works. I will test
> it locally first. Also, thanks for looking at this!

It looks like solution #1 does not work as expected. In this case,
perhaps #3 would be preferable because the user can more easily control
the environment variable?
This bug report was last modified 6 years and 297 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.