GNU bug report logs - #49867
[PATCH 00/29] gnu: Add ocaml-cohttp-lwt-unix.


Package: guix-patches;

Reported by: pukkamustard <pukkamustard <at> posteo.net>

Date: Wed, 4 Aug 2021 07:12:01 UTC

Severity: normal

Tags: patch

Done: pukkamustard <pukkamustard <at> posteo.net>

Bug is archived. No further changes may be made.



Message #143 received at 49867 <at> debbugs.gnu.org (full text, mbox):

From: pukkamustard <pukkamustard <at> posteo.net>
To: Xinglu Chen <public <at> yoctocell.xyz>
Cc: 49867 <at> debbugs.gnu.org
Subject: Re: [bug#49867] [PATCH 24/29] gnu: Add ocaml-ca-certs.
Date: Sun, 08 Aug 2021 12:36:27 +0000

Xinglu Chen <public <at> yoctocell.xyz> writes:

>> +                 ;; Tests are failing as they require 
>> certificates to be in /etc/ssl/certs
>> +                 #:tests? #f))
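
Review bot: `#:tests? #f` disables the entire test suite, so this build never exercises the root-certificate lookup that the package exists to provide. The comment gives the reason (the tests need certificates in /etc/ssl/certs); consider making certificates available to the check phase or skipping only the tests that need them. If the suite stays disabled, cite the upstream issue in the comment so the flag can be revisited.
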
>
> The same issue has been mentioned by NixOS people on their bug
> tracker[1], they solved[2] it by reading the NIX_SSL_CERT_FILE
> environment variable, which automatically gets set in the build
> environment if the ‘cacert’ package is specified as an input.  I don’t
> know if Guix does something similar.
>
> [1]: <https://github.com/mirage/ca-certs/issues/16>
> [2]: <https://github.com/mirage/ca-certs/pull/17>
>

Thanks for the pointers.

Inspired by the package definition for curl, I tried setting 
NIX_SSL_CERT_FILE with native-search-paths:

```
   (native-search-paths
    (list
     (search-path-specification
      (variable "NIX_SSL_CERT_FILE")
      (file-type 'regular)
      (separator #f)                   ;single entry
      (files '("/etc/ssl/certs/ca-certificates.crt")))))
```

and adding `nss-certs` to the native-inputs.

However, this does not work. Some observations/questions:

- The NIX_SSL_CERT_FILE does not appear in the `environment-variables`
  file when running `guix build -K`. I would have expected it to be set
  there.
- `nss-certs` does not provide the `ca-certificates.crt` file. It is
  built when creating a profile with the `ca-certificate-bundle` hook.
  Is this run when creating a build environment?

I seem to be not understanding a lot of things about the build 
environment ... Pointers very welcome!

>> +    (propagated-inputs
>> +     `(("ocaml-astring" ,ocaml-astring)
>> +       ("ocaml-bos" ,ocaml-bos)
>> +       ("ocaml-fpath" ,ocaml-fpath)
>> +       ("ocaml-rresult" ,ocaml-rresult)
>> +       ("ocaml-ptime" ,ocaml-ptime)
>> +       ("ocaml-logs" ,ocaml-logs)
>> +       ("ocaml-mirage-crypto" ,ocaml-mirage-crypto)
>> +       ("ocaml-x509" ,ocaml-x509)))
>> +    (native-inputs
>> +     `(("ocaml-alcotest" ,ocaml-alcotest)))
>> +    (synopsis
>> +     "Detect root CA certificates from the operating system")
>> +    (description
>> +     "TLS requires a set of root anchors (Certificate 
>> Authorities) to
>> +authenticate servers. This library exposes this list so that 
>> it can be
>                         ^
> Double spacing.

Fixed in V2.
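
The two observations in the message above (the variable missing from `environment-variables`, and no `ca-certificates.crt` in the certificate input) can be checked with a small script. This is an added example, not part of the original message or of Guix; the function names are hypothetical, and it assumes the `environment-variables` file consists of `export NAME="value"` lines.

```shell
#!/bin/sh
# Added diagnostic (not from the original message). Assumption: the
# `environment-variables` file in a kept build directory consists of
# lines of the form: export NAME="value"

# Print the value recorded for variable $2 in $1/environment-variables;
# return 1 when the file or the variable is absent.
env_var_in_build_dir() {
    env_file="$1/environment-variables"
    [ -f "$env_file" ] || return 1
    grep -q "^export $2=" "$env_file" || return 1
    sed -n "s/^export $2=\"\(.*\)\"\$/\1/p" "$env_file" | head -n 1
}

# Classify the certificate material under $1/etc/ssl/certs:
# "bundle" (ca-certificates.crt exists), "pem-only", or "none".
cert_layout() {
    certs="$1/etc/ssl/certs"
    if [ -f "$certs/ca-certificates.crt" ]; then
        echo bundle
    elif ls "$certs"/*.pem >/dev/null 2>&1; then
        echo pem-only
    else
        echo none
    fi
}

# $1 = kept build directory, $2 = certificate input (package output or profile).
diagnose() {
    if cert_file=$(env_var_in_build_dir "$1" NIX_SSL_CERT_FILE); then
        if [ -r "$cert_file" ]; then state=readable; else state=missing; fi
        echo "var=set file=$state"
    else
        echo "var=unset certs=$(cert_layout "$2")"
    fi
}

# Constructed sample reproducing the two observations in the message:
# no NIX_SSL_CERT_FILE in the environment file, and only *.pem files.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/build" "$tmp/input/etc/ssl/certs"
    printf 'export TMPDIR="/tmp"\n' > "$tmp/build/environment-variables"
    : > "$tmp/input/etc/ssl/certs/constructed-root.pem"
    diagnose "$tmp/build" "$tmp/input"
    rm -rf "$tmp"
}

if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; else demo; fi
```

Run with a kept build directory and a certificate directory as the two arguments; with no arguments it runs on the constructed sample.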




This bug report was last modified 3 years and 251 days ago.
