Re: [bug#30165] [PATCH] gnu: gnurl: Add '--with-ca-bundle' path to configure-flags.

[Adam Van Ymeren]

address@hidden writes:

>
> Out of curiosity: Where do you use gnURL in the system? For
> normal user experience it was never intended (though it would
> work). It would be nice to know if another project depends on it,
> as we've started looking into wget2 as a successor to cURL for
> GNUnet.

I don't actually use it directly, but it's an input for gnunet which I
like to play with from time to time, so I need gnurl to build for gnunet
to build.

>
>> I think an env. variable solution makes sense.  We already have
>> machinery for this in place with how packages can provide "search paths"
>> for other environment variables.  Perhaps the same should be applied to
>> SSL certificates.
>
> https://curl.haxx.se/docs/sslcerts.html what applies is this +
> some grepping through the cURL source and reading it.
>
> probably useful TIL of this whole issue: cURL could suffer the
> same issue if we try this, and I need to test all the options.

I think the patch you did of setting
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt is reasonable as it
lets gnURL use the operating system level cert store..

I think the root problem is that the gnURL tests the gnURL/cURL tests
are not self contained and depend upon this setting rather for tests
rather than using an embedded cert store during testing.

>
>> Referencing some file on the root filesystem does not feel very
>> functional to me.  That becomes system specific mutable state, which
>> certainly shouldn't be an input to the build/test process.  For the
>> purposes of the test, gnurl should be providing an embedded certificate
>> store inside its own package that it runs tests against, otherwise the
>> tests are going to be prone to flaky failure like this.
>
> That really is a cURL specific bug though. I wouldn't mind
> extending gnURL where it makes sense, but due to the high speed
> chase with cURL it is difficult.

Yes this is definitely a bug with upstream cURL tests, and a fix for
that should be submitted upstream if anyone makes one.

>
>> If we want to refernce /etc/ssl/certs for use on non GuixSD distros,
>> then I think we should make sure that that directory is populated on
>> startup from the operating system profile on activation.
>
> ... with the only problem that operating-system profile
> activation does not exist (yet ;)?) for other systems, iirc.

I may not have been clear.  I meant if we want to have gnURL reference
this directory so that it works nicely on non GuixSD systems, then we
should also make sure that it _is_ provided on GuixSD systems.  And I
think it should be provided on GuixSD at operating system activation
time, so it remains a part of the purely functional system rather than
some mutable state that could get out of date or corrupted.

>> It's pretty concerning that we're getting different results for building
>> gnurl, such a thing should be impossible or at least incredibly rare
>> with a purely function package manager.
>>
>> Checking hydra.gnu.org, gnurl is failing there as well for i686 and
>> x86_64 but for different reasons.  It's failing because unbound is
>> failing which is an input to gnutls-dane which is an input to gnurl.
>>
>> https://hydra.gnu.org/build/2453496
>
> Damn. I'll look into it as soon (or slow) as I can. Time is
> limited atm.

No rush, I can work around it for now :).  Thanks for your hard work
maintaining this.

>
> Thanks for your reply so far. I'll also look into spinning up
> some addition gitlab CI jobs to see if I can replicate what we
> encountered.
> We don't have GuixSD runners yet, but some people on our side are
> working on it.
>
> If you have more, like build logs etc would you like to send them
> in here, open a bug on our (GNUnet) Mantis instance or send them
> to the gnunet bugs list?

I've attached a build log to this message in case it helps :).

yp9k0ykw5phh6w9i3cwms2mhjlgswl-gnurl-7.57.0.drv.bz2
Description: log of guix build gnurl