From 907f939b9bc43202519e2d6607013da06323f362 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= Date: Fri, 14 Aug 2015 18:10:10 +0800 Subject: [PATCH] gnu: glib-networking: Prefer 'SSL_CERT_FILE' as TLS CA file. This is an improvement over commit af6100f. * gnu/packages/gnome.scm (glib-networking)[source](patches): New field. [arguments]: Pass '/etc/ssl/certs/ca-certificates.crt' to configure. Set 'SSL_CERT_FILE' to '/dev/null' in 'use-empty-ssl-cert-file' phase. (libsoup)[arguments]: Set 'SSL_CERT_FILE' to '/dev/null' in 'pre-check' phase. * gnu/packages/patches/glib-networking-ssl-cert-file.patch: New patch. * gnu-system.am (dist_patch_DATA): Add it. --- gnu-system.am | 1 + gnu/packages/gnome.scm | 24 ++++++++++----- .../glib-networking-ssl-cert-file.patch | 29 +++++++++++++++++++ 3 files changed, 47 insertions(+), 7 deletions(-) create mode 100644 gnu/packages/patches/glib-networking-ssl-cert-file.patch diff --git a/gnu-system.am b/gnu-system.am index 849b93f064..9f46f7b7e4 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -456,6 +456,7 @@ dist_patch_DATA = \ gnu/packages/patches/ghostscript-CVE-2015-3228.patch \ gnu/packages/patches/ghostscript-runpath.patch \ gnu/packages/patches/gitolite-openssh-6.8-compat.patch \ + gnu/packages/patches/glib-networking-ssl-cert-file.patch \ gnu/packages/patches/glib-tests-desktop.patch \ gnu/packages/patches/glib-tests-homedir.patch \ gnu/packages/patches/glib-tests-prlimit.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index e510eb55ac..80c13dccb0 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -1872,12 +1872,13 @@ (define-public glib-networking name "-" version ".tar.xz")) (sha256 (base32 - "0ij33bhvn7y5gagx4sbrw906dsjjjs9dllxn73pzv6x97c6k92lg")))) + "0ij33bhvn7y5gagx4sbrw906dsjjjs9dllxn73pzv6x97c6k92lg")) + (patches + (list (search-patch "glib-networking-ssl-cert-file.patch"))))) (build-system gnu-build-system) (arguments `(#:configure-flags - ;; FIXME: ca-certificates.crt is not available in the build environment. - '("--with-ca-certificates=no") + '("--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt") #:phases (modify-phases %standard-phases (add-before 'configure 'patch-giomoduledir @@ -1886,7 +1887,13 @@ (define-public glib-networking (substitute* "configure" (("GIO_MODULE_DIR=.*") (string-append "GIO_MODULE_DIR=" %output - "/lib/gio/modules\n")))))))) + "/lib/gio/modules\n"))))) + (add-before 'check 'use-empty-ssl-cert-file + (lambda _ + ;; The ca-certificates.crt is not available in the build + ;; environment. + (setenv "SSL_CERT_FILE" "/dev/null") + #t))))) (native-inputs `(("pkg-config" ,pkg-config) ("intltool" ,intltool))) @@ -1968,11 +1975,14 @@ (define-public libsoup (substitute* "tests/socket-test.c" ((".*/sockets/unconnected.*") "")) #t)) - (add-before 'check 'unset-LC_ALL - ;; The 'check-local' target runs 'env LANG=C sort -u', - ;; unset 'LC_ALL' to make 'LANG' working. + (add-before 'check 'pre-check (lambda _ + ;; The 'check-local' target runs 'env LANG=C sort -u', + ;; unset 'LC_ALL' to make 'LANG' working. (unsetenv "LC_ALL") + ;; The ca-certificates.crt is not available in the build + ;; environment. + (setenv "SSL_CERT_FILE" "/dev/null") #t))))) (native-inputs `(("glib:bin" ,glib "bin") ; for glib-mkenums diff --git a/gnu/packages/patches/glib-networking-ssl-cert-file.patch b/gnu/packages/patches/glib-networking-ssl-cert-file.patch new file mode 100644 index 0000000000..32bdd0790f --- /dev/null +++ b/gnu/packages/patches/glib-networking-ssl-cert-file.patch @@ -0,0 +1,29 @@ +From b010e41346d418220582c20ab8d7f3971e4fb78a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= +Date: Fri, 14 Aug 2015 17:28:36 +0800 +Subject: [PATCH] gnutls: Allow overriding the anchor file location by + 'SSL_CERT_FILE' + +--- + tls/gnutls/gtlsbackend-gnutls.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tls/gnutls/gtlsbackend-gnutls.c b/tls/gnutls/gtlsbackend-gnutls.c +index 55ec1a5..217d3c8 100644 +--- a/tls/gnutls/gtlsbackend-gnutls.c ++++ b/tls/gnutls/gtlsbackend-gnutls.c +@@ -101,8 +101,10 @@ g_tls_backend_gnutls_real_create_database (GTlsBackendGnutls *self, + GError **error) + { + const gchar *anchor_file = NULL; ++ anchor_file = g_getenv ("SSL_CERT_FILE"); + #ifdef GTLS_SYSTEM_CA_FILE +- anchor_file = GTLS_SYSTEM_CA_FILE; ++ if (!anchor_file) ++ anchor_file = GTLS_SYSTEM_CA_FILE; + #endif + return g_tls_file_database_new (anchor_file, error); + } +-- +2.4.3 +