tech-pkg archive


Re: wip/gnurl: Request for review



Leonardo Taccari transcribed 2.6K bytes:
> ng0%n0.is@localhost writes:
> > Just tried that and it keeps producing negative results.
> > What we have on other systems is CURL_CA_BUNDLE as an environment variable.
> > In practice this works out rather unreliably, at least the way it is
> > approached for curl and gnurl in Guix (ensure that every application packaged
> > respects this variable and if not, patch the application to do so if it uses
> > curl).
> 
> The attached patch seems to do the trick. Can you please test it?
> If it works feel free to directly commit it!

Works here, committed!

> > Is setting $sslcert a problem? I'm trying to understand the implications,
> > I've packaged software for some time this is just my first with pkgsrc.
> 
> Maybe something similar to SSLCERTS for gnutls can be added but
> I do not think it is needed because since gnutls-3.5.6nb1 the CA
> fallback mechanisms should work.

Oh, there was the problem!
I had 3.6.4 of gnutls here. I just upgraded and can confirm your patch works.
Do we need to set a gnutls version requirement or is this implied by the cvs
commit this package will be introduced in?

> gnurl: Use --with-ca-fallback to automatically pick up gnutls CA certificates
> 
> Avoid including openssl bl3 for SSLCERTS, pass --without-ca-{bundle,path}
> to avoid possible automagic (and difficult to predict) CA
> bundle/path pick-ups and just fall back to the preferred gnutls ones
> (supported since gnutls-3.6.5nb1).
>
> diff --git a/gnurl/Makefile b/gnurl/Makefile
> index 51d92d2ec3..92bf23c52e 100644
> --- a/gnurl/Makefile
> +++ b/gnurl/Makefile
> @@ -27,12 +27,13 @@ TEST_TARGET=		check
>  CONFIGURE_ARGS+=	--with-zlib=${BUILDLINK_PREFIX.zlib}
>  CONFIGURE_ARGS+=	--disable-ntml-wb
>  CONFIGURE_ARGS+=	--enable-ipv6
> -# We need this for gnurl to know the certificate location out of the box
> -CONFIGURE_ARGS+=	--with-ca-path=${SSLCERTS}
> -# CONFIGURE_ARGS+=	--with-ssl=${BUILDLINK_PREFIX.openssl}
>  # Optionally, We want GnuTLS with Dane.
>  CONFIGURE_ARGS+=	--with-gnutls
>  CONFIGURE_ARGS+=	--with-libidn2
> +# Fallback to gnutls preferred CA certificates
> +CONFIGURE_ARGS+=	--without-ca-bundle
> +CONFIGURE_ARGS+=	--without-ca-path
> +CONFIGURE_ARGS+=	--with-ca-fallback
>  # Do not pick up GSS, should be fixed in upstream.
>  CONFIGURE_ARGS+=	--without-gssapi
>  
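
Review bot: the three added lines (--without-ca-bundle, --without-ca-path, --with-ca-fallback) leave gnurl with no trust anchors of its own, so certificate verification depends entirely on the gnutls system trust store, yet the Makefile does not enforce the gnutls revision the commit message says this needs (gnutls-3.6.5nb1). I suggest stating that minimum in the new comment and adding something like BUILDLINK_API_DEPENDS.gnutls+= gnutls>=3.6.5nb1 ahead of the gnutls buildlink3.mk include, so a build against an older gnutls is refused instead of producing a client that cannot find any CA certificates. Separately, the context line --disable-ntml-wb looks like a misspelling of ntlm and is worth checking while this block is being touched.
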
> @@ -46,7 +47,6 @@ post-install:
>  .include "../../devel/libidn2/buildlink3.mk"
>  .include "../../security/gnutls/libgnutls-config.mk"
>  .include "../../security/gnutls/buildlink3.mk"
> -.include "../../security/openssl/buildlink3.mk"
>  .include "../../devel/gettext-lib/buildlink3.mk"
>  .include "../../devel/zlib/buildlink3.mk"
>  .include "../../mk/bsd.pkg.mk"
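
Review bot: removing the security/openssl buildlink3.mk include drops the dependency, but nothing in the visible CONFIGURE_ARGS tells configure not to look for OpenSSL, which is the same kind of automagic pick-up the commit message sets out to avoid for CA paths. Consider adding something like CONFIGURE_ARGS+= --without-ssl (the counterpart of the removed --with-ssl line) next to --with-gnutls, in the same way --without-gssapi is already passed, so the TLS backend is pinned to GnuTLS regardless of what is installed on the build host.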


