GNU bug report logs - #49867
[PATCH 00/29] gnu: Add ocaml-cohttp-lwt-unix.
Reported by: pukkamustard <pukkamustard <at> posteo.net>
Date: Wed, 4 Aug 2021 07:12:01 UTC
Severity: normal
Tags: patch
Done: pukkamustard <pukkamustard <at> posteo.net>
Bug is archived. No further changes may be made.
Message #263 received at 49867 <at> debbugs.gnu.org:
On Sun, Aug 08 2021, pukkamustard wrote:
> Xinglu Chen <public <at> yoctocell.xyz> writes:
>
>>> + ;; Tests are failing as they require
>>> certificates to be in /etc/ssl/certs
>>> + #:tests? #f))
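Review bot: `#:tests? #f` on the last line disables the whole test suite, and the comment above it does not say whether every test needs certificates in /etc/ssl/certs or only some of them. If only some do, skip those and keep the rest running; either way, state in the comment what condition would allow the tests to be re-enabled, so the flag gets revisited rather than left in place.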
>>
>> The same issue has been mentioned by NixOS people on their bug
>> tracker[1], they solved[2] it by reading the NIX_SSL_CERT_FILE
>> environment variable, which automatically gets set in the build
>> environment if the ‘cacert’ package is specified as an input. I don’t
>> know if Guix does something similar.
>>
>> [1]: <https://github.com/mirage/ca-certs/issues/16>
>> [2]: <https://github.com/mirage/ca-certs/pull/17>
>>
>
> Thanks for the pointers.
>
> Inspired by the package definition for curl, I tried setting
> NIX_SSL_CERT_FILE with native-search-paths:
>
> ```
> (native-search-paths
>  (list
>   (search-path-specification
>    (variable "NIX_SSL_CERT_FILE")
>    (file-type 'regular)
>    (separator #f)                ;single entry
>    (files '("/etc/ssl/certs/ca-certificates.crt")))))
> ```
>
> and adding `nss-certs` to the native-inputs.
>
> However, this does not work. Some observations/questions:
>
> - The NIX_SSL_CERT_FILE does not appear in the
>   `environment-variables` file when running `guix build -K`. I
>   would have expected it to be set there.
> - `nss-certs` does not provide the `ca-certificates.crt` file. It
>   is built when creating a profile with the
>   `ca-certificate-bundle` hook. Is this run when creating a build
>   environment?
>
> I seem to be not understanding a lot of things about the build
> environment ... Pointers very welcome!

Maybe the environment variables in ‘native-search-paths’ are only set if
the package is installed in a profile (in ~/.guix-profile/etc/profile)?
I don’t think profile hooks are run in the build environment, so that’s
probably why.

In Nix, the bundle is created during the build phase[1], not sure if we
should do this too.

I think it’s fine to disable tests for now, but it would be great to see
what other people think too.

[1]: <https://github.com/nixos/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L53>
This bug report was last modified 3 years and 249 days ago.