tech-pkg archive

Re: wip/gnurl: Request for review



ng0%n0.is@localhost writes:
> Just tried that and it keeps producing negative results.
> What we have on other systems is CURL_CA_BUNDLE as an environment variable.
> In practice this works out rather unreliably, at least the way it is
> approached for curl and gnurl in Guix (ensure that every application packaged
> respects this variable and if not, patch the application to do so if it uses
> curl).

The attached patch seems to do the trick. Can you please test it?
If it works feel free to directly commit it!

> Is setting $sslcert a problem? I'm trying to understand the implications,
> I've packaged software for some time; this is just my first with pkgsrc.

Maybe something similar to SSLCERTS for gnutls can be added but
I do not think it is needed because since gnutls-3.5.6nb1 the CA
fallback mechanisms should work.

gnurl: Use --with-ca-fallback to automatically pick up gnutls CA certificates

Avoid including openssl bl3 for SSLCERTS, pass --without-ca-{bundle,path}
to avoid possible automagic (and difficult to predict) CA
bundle/path pickups and just fall back to preferred gnutls ones
(supported since gnutls-3.6.5nb1).

diff --git a/gnurl/Makefile b/gnurl/Makefile
index 51d92d2ec3..92bf23c52e 100644
--- a/gnurl/Makefile
+++ b/gnurl/Makefile
@@ -27,12 +27,13 @@ TEST_TARGET=		check
 CONFIGURE_ARGS+=	--with-zlib=${BUILDLINK_PREFIX.zlib}
 CONFIGURE_ARGS+=	--disable-ntml-wb
 CONFIGURE_ARGS+=	--enable-ipv6
-# We need this for gnurl to know the certificate location out of the box
-CONFIGURE_ARGS+=	--with-ca-path=${SSLCERTS}
-# CONFIGURE_ARGS+=	--with-ssl=${BUILDLINK_PREFIX.openssl}
 # Optionally, We want GnuTLS with Dane.
 CONFIGURE_ARGS+=	--with-gnutls
 CONFIGURE_ARGS+=	--with-libidn2
+# Fallback to gnutls preferred CA certificates
+CONFIGURE_ARGS+=	--without-ca-bundle
+CONFIGURE_ARGS+=	--without-ca-path
+CONFIGURE_ARGS+=	--with-ca-fallback
 # Do not pick up GSS, should be fixed in upstream.
 CONFIGURE_ARGS+=	--without-gssapi
 
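Review bot: With --with-ca-path=${SSLCERTS} removed and --without-ca-bundle / --without-ca-path added, certificate verification rests entirely on the trust store gnutls provides, yet nothing in the visible lines requires a gnutls new enough to supply it. The commit message names gnutls-3.6.5nb1 as the minimum; consider recording that as a BUILDLINK_API_DEPENDS.gnutls requirement next to the new "Fallback to gnutls preferred CA certificates" comment, so an older gnutls fails at dependency resolution rather than at the first TLS handshake. Separately, the context line "--disable-ntml-wb" looks like a transposition of "ntlm"; configure only warns about an unrecognized option, so the feature it was meant to disable would stay enabled.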
@@ -46,7 +47,6 @@ post-install:
 .include "../../devel/libidn2/buildlink3.mk"
 .include "../../security/gnutls/libgnutls-config.mk"
 .include "../../security/gnutls/buildlink3.mk"
-.include "../../security/openssl/buildlink3.mk"
 .include "../../devel/gettext-lib/buildlink3.mk"
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
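Review bot: Dropping the ../../security/openssl/buildlink3.mk include removes the dependency, but nothing in the visible lines tells configure not to use OpenSSL, so a copy in the base system could still be detected automagically. Consider passing --without-ssl alongside --with-gnutls, the same way --without-gssapi is already passed, so the TLS backend and the trust store it falls back to are fixed at build time.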