Hi,

On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg <[email protected]> wrote:

> Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> system's ca-certificates.crt.
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168

This trick is not possible, IIUC.

> Is there a way I could rebuild my own slightly modified Julia with a link
> like that?

Maybe, by adding the package nss-certs as propagated-inputs in the
definition of julia.

> I understand that there's probably a good reason that Guix's Julia doesn't
> by default have cert.pem, but I would be pleased with a hacky custom
> solution if it made Jupyter notebooks work.

The reason is security. ;-)  It’s Julia that does poorly here.  As pointed
out with the upstream package MbedTLS.jl, the fix should come from Julia
itself; therefore, it could be worth opening an issue, if it is not
already the case. ;-)

From my understanding, the culprit is this [1]:

--8<---------------cut here---------------start------------->8---
function __init__()
    global artifact_dir = dirname(Sys.BINDIR)
    global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
end
--8<---------------cut here---------------end--------------->8---

And it is not clear to me if NetworkOptions.jl [2] provides the option or
not, and I am missing why Julia itself does not depend on it.

1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
2: https://github.com/JuliaLang/NetworkOptions.jl

Efraim, do you think it would be possible to patch Julia to point to
some certificates via bundled_ca_roots or ca_roots_path?

Well, somehow turn back these tests:

--8<---------------cut here---------------start------------->8---
  ;; julia embeds a certificate, we are not doing that
  (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
    (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
     "@test_broken isfile(MozillaCACerts_jll.cacert)"))
  ;; since certificate is not present some tests are failing in network option
  (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
    (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
     "@test_broken isfile(bundled_ca_roots())")
    (("@test ispath\\(ca_roots_path\\(\\)\\)")
     "@test_broken ispath(ca_roots_path())")
    (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
     "@test_broken ca_roots_path() != bundled_ca_roots()"))
--8<---------------cut here---------------end--------------->8---

Cheers,
simon
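
[Added example, not part of the message above and not code from Julia or Guix.] A diagnostic for the lookup discussed in the message: it prints the path computed by MozillaCACerts_jll, the two NetworkOptions functions named above, and whether the effective path actually holds certificates. The helper names count_pem_certs, describe_path and report_ca_roots are hypothetical; the three environment variables are the overrides documented by NetworkOptions.jl.

```julia
# Added example (not from the thread): show which CA roots this Julia resolves.
using NetworkOptions
import MozillaCACerts_jll

# Hypothetical helper: number of PEM certificates in `path` (0 if not a file).
function count_pem_certs(path::AbstractString)
    isfile(path) || return 0
    return count(startswith("-----BEGIN CERTIFICATE-----"), eachline(path))
end

# Hypothetical helper: describe a candidate path without throwing if it is absent.
function describe_path(path::AbstractString)
    isdir(path) && return "directory, $(length(readdir(path))) entries"
    isfile(path) && return "file, $(count_pem_certs(path)) certificates"
    return "MISSING"
end

function report_ca_roots()
    # Environment variables documented by NetworkOptions.jl as overrides.
    for var in ("JULIA_SSL_CA_ROOTS_PATH", "SSL_CERT_DIR", "SSL_CERT_FILE")
        println(rpad(var, 28), get(ENV, var, "(unset)"))
    end
    candidates = [
        # Path set in MozillaCACerts_jll.__init__, as quoted in the message.
        "MozillaCACerts_jll.cacert" => MozillaCACerts_jll.cacert,
        "bundled_ca_roots()" => NetworkOptions.bundled_ca_roots(),
        "ca_roots_path()" => NetworkOptions.ca_roots_path(),
    ]
    for (name, path) in candidates
        println(rpad(name, 28), path, "  [", describe_path(path), "]")
    end
    effective = last(candidates).second
    # TLS verification can only work if the effective path holds certificates.
    usable = isdir(effective) ? !isempty(readdir(effective)) : count_pem_certs(effective) > 0
    println(usable ? "OK: CA roots are usable" : "FAIL: no CA certificates at the effective path")
    return usable
end

report_ca_roots()
```

Running it once unchanged and once with SSL_CERT_FILE set to a CA bundle present on the system shows whether the override is picked up instead of the missing cert.pem.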
