bug-guix

bug#61121: Cannot import IJulia in Julia


From: Efraim Flashner
Subject: bug#61121: Cannot import IJulia in Julia
Date: Thu, 9 Feb 2023 11:29:53 +0200

On Tue, Jan 31, 2023 at 12:34:16PM +0100, Simon Tournier wrote:
> Hi,
> 
> On Mon, 30 Jan 2023 at 21:55, Theodore Ehrenborg <theodore.ehrenborg@gmail.com> wrote:
> 
> > Gentoo appears to have fixed this bug by linking julia/cert.pem to the
> > system's ca-certificates.crt.
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b59330b5222996defa4536237e62404bf21168
> 
> This trick is not possible, IIUC.
> 
> > Is there a way I could rebuild my own slightly modified Julia with a link
> > like that?
> 
> Maybe, by adding the package nss-certs as propagated-inputs in the
> definition of julia.

By itself I don't think this would do anything.

> > I understand that there's probably a good reason that Guix's Julia doesn't
> > by default have cert.pem, but I would be pleased with a hacky custom
> > solution if it made Jupyter notebooks work.
> 
> The reason is security. ;-)  It’s Julia that does poorly here.
> 
> As pointed with the upstream package MbedTLS.jl, the fix should come
> from Julia itself; therefore, it could be worth to open an issue, if it
> is not already the case. ;-)
> 
> From my understanding, the culprit is this [1]:
> 
> --8<---------------cut here---------------start------------->8---
> function __init__()
>     global artifact_dir = dirname(Sys.BINDIR)
>     global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
> end
> --8<---------------cut here---------------end--------------->8---
> 
> And it is not clear for me if NetworkOptions.jl [2] provides the option
> or not, and I am missing why Julia itself does not depend on it.
> 
> 1: https://github.com/JuliaLang/julia/blob/master/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20
> 2: https://github.com/JuliaLang/NetworkOptions.jl
> 
> 
> Efraim, do you think it would be possible to patch Julia to point to
> some certificates via bundled_ca_roots or ca_roots_path?

In the initial patch for julia-1.8.1 I think there was a substitution to
hardcode /etc/ssl/something instead for 'global cacert' but I took that
out since we don't like hardcoding that.

GIT_SSL_CAINFO=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
CURL_CA_BUNDLE=/home/efraim/.guix-home/profile/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/run/current-system/profile/etc/ssl/certs/ca-certificates.crt

I think it would be fine to tell Julia to look at SSL_CERT_FILE as the
cacert so it can be overridden as desired, and then we can add a
(native-?)search-path to Julia for SSL_CERT_FILE.

Does anyone know offhand how to get the environment variable? If not
I'll grep the sources and then look online.

> Well, somehow turn back these tests:
> 
> --8<---------------cut here---------------start------------->8---
>              ;; julia embeds a certificate, we are not doing that
>              (substitute* "stdlib/MozillaCACerts_jll/test/runtests.jl"
>                (("@test isfile\\(MozillaCACerts_jll.cacert\\)")
>                 "@test_broken isfile(MozillaCACerts_jll.cacert)"))
>              ;; since certificate is not present some tests are failing in network option
>              (substitute* "usr/share/julia/stdlib/v1.8/NetworkOptions/test/runtests.jl"
>                (("@test isfile\\(bundled_ca_roots\\(\\)\\)")
>                 "@test_broken isfile(bundled_ca_roots())")
>                (("@test ispath\\(ca_roots_path\\(\\)\\)")
>                 "@test_broken ispath(ca_roots_path())")
>                (("@test ca_roots_path\\(\\) \\!= bundled_ca_roots\\(\\)")
>                 "@test_broken ca_roots_path() != bundled_ca_roots()"))
> --8<---------------cut here---------------end--------------->8---

That one might be a little harder, I'd rather not add nss-certs to the
build just for the test suite, but I'll see how it goes. Or at least
update the comment afterward.

> 
> Cheers,
> simon

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
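
The lookup proposed in the message above (use SSL_CERT_FILE as the cacert when it is set, otherwise the path computed in the quoted `__init__()`), written out in Julia as an added example. It is not code from the message, from Guix or from Julia's stdlib; the names `resolve_cacert`, `bundled_cacert` and the injectable `env` argument are assumptions made for illustration.

```julia
# Added example: CA bundle lookup that honours SSL_CERT_FILE before falling
# back to the path MozillaCACerts_jll computes. `resolve_cacert` is a
# hypothetical name, not part of Julia or Guix.

# Path built the same way as in the quoted __init__().
bundled_cacert() = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")

# `env` is a parameter (defaulting to ENV) so the logic can be exercised
# without touching the real process environment.
function resolve_cacert(env::AbstractDict = ENV; bundled::AbstractString = bundled_cacert())
    override = get(env, "SSL_CERT_FILE", "")
    if !isempty(override)
        # A variable that is set but points at nothing is reported rather
        # than silently replaced by another trust store.
        isfile(override) ||
            error("SSL_CERT_FILE=$(override) does not name an existing file")
        return override
    end
    # No override: use the bundled file only if it is really there
    # (in Guix's Julia it is not, which is the situation in this bug).
    return isfile(bundled) ? bundled : nothing
end

# Constructed demonstration using a temporary file in place of a real bundle.
function demo()
    mktempdir() do dir
        bundle = joinpath(dir, "ca-certificates.crt")
        write(bundle, "constructed placeholder, not a real certificate\n")
        missing_bundled = joinpath(dir, "share", "julia", "cert.pem")

        @assert resolve_cacert(Dict("SSL_CERT_FILE" => bundle); bundled = missing_bundled) == bundle
        @assert resolve_cacert(Dict{String,String}(); bundled = missing_bundled) === nothing
        @assert resolve_cacert(Dict{String,String}(); bundled = bundle) == bundle
        try
            resolve_cacert(Dict("SSL_CERT_FILE" => joinpath(dir, "nope.crt")); bundled = bundle)
            @assert false
        catch err
            @assert err isa ErrorException
        end
    end
    return nothing
end

demo()
```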
