Carlo Zancanaro writes:

> On Fri, Feb 10 2017, Roel Janssen wrote
>> [ ... ]
>
> I was getting frustrated at not having certificates with java 8 (it's
> surprisingly annoying to have to use one environment with java 7 to
> download dependencies with maven, then a different environment with java
> 8 to actually run your program), so I downloaded and tried out your
> patch. It seems to work!

Thanks for picking up the patch! > But then I wondered, could we just change the generate-keystore phase of > the icedtea-6 package to log a failed certificate import without failing > the build? Then we could move the permissions change there, too, which > would give us a smaller patch that should accomplish a similar result > (attached). Great idea. This is also a more durable solution for when certificates change in nss-certs. > From b1ed0d53a72f95fdc42fa3741ae16726782ad414 Mon Sep 17 00:00:00 2001 > From: Carlo Zancanaro <ca...@zancanaro.id.au> > Date: Sun, 26 Feb 2017 11:34:44 +1100 > Subject: [PATCH] gnu: icedtea-6: Modify certificate import to not fail for > icedtea-8. > > * gnu/packages/java.scm (icedtea-6)[arguments]: Fix install-keystore phase to > not fail the build when attempting to import unsupported certificate > types (which occur with icedtea-8, which inherits from icedtea-6). Also > ensure that the keystore is able to be written to before copying it. > --- > gnu/packages/java.scm | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm > index e7479e1b0..c7f9b9aad 100644 > --- a/gnu/packages/java.scm > +++ b/gnu/packages/java.scm > @@ -706,7 +706,7 @@ build process and its dependencies, whereas Make uses > Makefile format.") > "-file" temp))) > (display "yes\n" port) > (when (not (zero? (status:exit-val (close-pipe port)))) > - (error "failed to import" cert))) > + (format #t "failed to import ~a\n" cert))) > (delete-file temp))) > > ;; This is necessary because the certificate directory > contains 
> @@ -719,6 +719,15 @@ build process and its dependencies, whereas Make uses > Makefile format.") > "/lib/security")) > (mkdir-p (string-append (assoc-ref outputs "jdk") > "/jre/lib/security")) > + > + ;; The cacerts files we are going to overwrite are chmod'ed as > + ;; read-only (444) in icedtea-8 (which derives from this > + ;; package). We have to change this so we can overwrite them. > + (chmod (string-append (assoc-ref outputs "out") > + "/lib/security/" keystore) #o644) > + (chmod (string-append (assoc-ref outputs "jdk") > + "/jre/lib/security/" keystore) #o644) > + > (install-file keystore > (string-append (assoc-ref outputs "out") > "/lib/security")) I checked to see if the keystore is actually chmod'ed back to #o444, and it is! So this looks fine to me as well. > @@ -1023,9 +1032,6 @@ build process and its dependencies, whereas Make uses > Makefile format.") > (find-files "openjdk.src/jdk/src/solaris/native" > "\\.c|\\.h")) > #t))) > - ;; FIXME: This phase is needed but fails with this version of > - ;; IcedTea. > - (delete 'install-keystore) > (replace 'install > (lambda* (#:key outputs #:allow-other-keys) > (let ((doc (string-append (assoc-ref outputs "doc") I tried this patch and it works fine. I think we should add ourselves to the copyright notice. Other than that, I think this patch is good to be pushed. Kind regards, Roel Janssen
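
Review bot: in the first hunk (@@ -706,7 +706,7 @@), replacing `(error "failed to import" cert)` with `(format #t "failed to import ~a\n" cert)` makes every non-zero exit status from the import pipe non-fatal, not only the unsupported certificate types named in the commit message. A keystore that is missing CA certificates would then pass the build with nothing but a line in the log. Consider counting the failed imports and printing a summary at the end of the phase, or keeping `error` for the case where no certificate was imported at all. As a style point, `(when (not ...))` can be written as `unless`.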
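
Review bot: in the second hunk (@@ -719,6 +719,15 @@), both `chmod` calls run unconditionally, although the comment says the read-only cacerts files come from icedtea-8. The `mkdir-p` calls just above suggest the security directories may not exist yet, and in that case there is no file at the target path and `chmod` raises an error. Guarding each call with `file-exists?` on the same path would keep the phase safe when no keystore is already installed. Binding the two target paths once in a `let` would also avoid repeating the `string-append` expressions for `chmod` and `install-file`.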