bug#46829: Fresh install of 1.2.0 can't guix pull

[Ludovic Courtès]

Leo Famulari  skribis:

> On Tue, Apr 13, 2021 at 10:12:13AM +0200, Ludovic Courtès wrote:
>> Could you type ‘bt’ (backtrace) at the GDB prompt?
>
> It goes like this:
>
> --
> Using host libthread_db library 
> "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
> Core was generated by 
> `/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile 
> ./build-aux/updat'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x in ?? ()
> [Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
> (gdb) bt
> #0  0x in ?? ()
> #1  0x7eff61d9d4c4 in git_buf_try_grow () from 
> /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #2  0x7eff61d9d7a5 in git_buf_set () from 
> /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #3  0x7eff61deffe7 in git_path_prettify () from 
> /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #4  0x7eff61e043ad in find_repo () from 
> /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #5  0x7eff61e0528b in git_repository_discover () from 
> /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #6  0x7eff7de6166d in ffi_call_unix64 () from 
> /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
> #7  0x7eff7de5fac0 in ffi_call_int () from 
> /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
> #8  0x7eff7df4efbe in scm_i_foreign_call () from 
> /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1

BTW, this must be fixed by 5b35c9adc899749a0bd96a0e6d2c3bbf88e38963.

Ludo'.

bug#46829: Fresh install of 1.2.0 can't guix pull

[François]

Hello,

On Tue, Apr 13, 2021 at 09:08:20PM -0400, Leo Famulari wrote:
> There's nothing we can do for the 1.2.0 release artifacts at this point.

Is there any place were we could document the problem and the suggested
workaround by Ludo (--url=http://)? Perhaps on the "Installation"
chapter of the manual, near the line documenting "guix pull"?

Cheers,
François

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sun, Feb 28, 2021 at 10:27:02AM +, Christopher Baines wrote:
> root@horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from 
> https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 
> ...
>  le-certs-0  4KiB 
>   
> 1.8MiB/s 00:00 [##] 100.0%
> 
> Updating channel 'guix' from Git repository at 
> 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

This should be fixed with commit
a758a8a3c20052c5f1228e1ec80068652bbc3849, which updates the Guix package
to include commit 15de49e60b255b98a53c6de4780e1ae95a8beada.

There's nothing we can do for the 1.2.0 release artifacts at this point.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Tue, Apr 13, 2021 at 10:12:13AM +0200, Ludovic Courtès wrote:
> Could you type ‘bt’ (backtrace) at the GDB prompt?

It goes like this:

--
Using host libthread_db library 
"/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
Core was generated by 
`/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile 
./build-aux/updat'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x in ?? ()
[Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
(gdb) bt
#0  0x in ?? ()
#1  0x7eff61d9d4c4 in git_buf_try_grow () from 
/gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#2  0x7eff61d9d7a5 in git_buf_set () from 
/gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#3  0x7eff61deffe7 in git_path_prettify () from 
/gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#4  0x7eff61e043ad in find_repo () from 
/gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#5  0x7eff61e0528b in git_repository_discover () from 
/gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#6  0x7eff7de6166d in ffi_call_unix64 () from 
/gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
#7  0x7eff7de5fac0 in ffi_call_int () from 
/gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
#8  0x7eff7df4efbe in scm_i_foreign_call () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#9  0x7eff7dfbd904 in foreign_call () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#10 0x7eff7dfc4118 in vm_regular_engine () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#11 0x7eff7dfc55b5 in scm_call_n () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#12 0x7eff7df42d27 in scm_primitive_eval () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#13 0x7eff7df42d83 in scm_eval () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#14 0x7eff7df9b830 in scm_shell () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#15 0x7eff7df5a73d in invoke_main_func () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#16 0x7eff7df3cb0a in c_body () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#17 0x7eff7dfc4149 in vm_regular_engine () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#18 0x7eff7dfc55b5 in scm_call_n () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#19 0x7eff7df41bba in scm_call_2 () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#20 0x7eff7df433ba in scm_c_with_exception_handler () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#21 0x7eff7dfbac3d in scm_c_catch () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#22 0x7eff7df3d0b3 in scm_i_with_continuation_barrier () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#23 0x7eff7df3d145 in scm_c_with_continuation_barrier () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#24 0x7eff7dfb96df in with_guile () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#25 0x7eff7de97c78 in GC_call_with_stack_base () from 
/gnu/store/zg126cjicrpm2p6zc08ra5vh4ddag7ww-libgc-8.0.4/lib/libgc.so.1
#26 0x7eff7dfb99f8 in scm_with_guile () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#27 0x7eff7df5a8b2 in scm_boot_guile () from 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#28 0x00401100 in main ()
--

By the way, I can no longer reproduce the crash, now that I am using
`make update-guix-package` with a commit that has been pushed to
Savannah.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Mon, Apr 12, 2021 at 02:26:47PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 01:02:09PM -0400, Leo Famulari wrote:
> > On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> > > In the meantime, you could also update the ‘guix’ package by hand for
> > > testing purposes.
> > 
> > I tried this, but I can't figure out how to actually build the updated
> > Guix package, since the source code isn't added to the store.
> 
> Alright, I pushed a branch 'wip-update-le-certs' to Savannah and built
> the Guix package, and then a VM image sans nss-certs.

I've pushed the update patch as
15de49e60b255b98a53c6de4780e1ae95a8beada.

Now, we just need to update Guix package for it to take effect for
users, IIUC.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Ludovic Courtès]

Hi,

Leo Famulari  skribis:

> I ran your command, and this is the output:

Could you type ‘bt’ (backtrace) at the GDB prompt?

Ludo’.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Mon, Apr 12, 2021 at 01:02:09PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> > In the meantime, you could also update the ‘guix’ package by hand for
> > testing purposes.
> 
> I tried this, but I can't figure out how to actually build the updated
> Guix package, since the source code isn't added to the store.

Alright, I pushed a branch 'wip-update-le-certs' to Savannah and built
the Guix package, and then a VM image sans nss-certs.

I confirm that updating the le-certs package fixes this bug.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Mon, Apr 12, 2021 at 01:15:11PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 02:25:11PM +0200, Ludovic Courtès wrote:
> > Could you grab a backtrace, with:
> > 
> >   gdb $(which guile) core
> 
> I don't know where to find this 'core' file. I'm on Guix System (the
> Berlin server).

I did `ulimit -c unlimited`, and then the core file was created at
/tmp/core.

I ran your command, and this is the output:

--
gdb $(which guile) /tmp/core

  
GNU gdb (GDB) 10.1  


Copyright (C) 2020 Free Software Foundation, Inc.   


License GPLv3+: GNU GPL version 3 or later    


This is free software: you are free to change and redistribute it.  


There is NO WARRANTY, to the extent permitted by law.   


Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from 
/gnu/store/ildwvd8sl92znmwpxlnp7pbjkfwccih4-profile/bin/guile...
(No debugging symbols found in 
/gnu/store/ildwvd8sl92znmwpxlnp7pbjkfwccih4-profile/bin/guile)

warning: Can't open file 
/home/lfam/.cache/guile/ccache/3.0-LE-8-4.4/home/lfam/guix/gnu/packages/package-management.scm.go
 (deleted) during file-backed mapping note processing
[New LWP 70404]
[New LWP 70409]
[New LWP 70408]
[New LWP 70412]
[New LWP 70411]
[New LWP 70413]
[New LWP 70410]
[New LWP 70417]
[New LWP 70414]
[New LWP 70416]
[New LWP 70415]
[New LWP 70418]
[New LWP 70419]
[New LWP 70421]
[New LWP 70422]
[New LWP 70420]
[New LWP 70423]
[New LWP 70424]
[Thread debugging using libthread_db enabled]
Using host libthread_db library 
"/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
Core was generated by 
`/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile 
./build-aux/updat'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x in ?? ()
[Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
;;;   or pass the --no-auto-compile argument to disable.
;;; compiling 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm
;;; 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:293:20:
 warning: possibly unbound variable `program-debug-info-name'
;;; 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:326:9:
 warning: possibly unbound variable `find-source-for-addr'
;;; 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:326:31:
 warning: possibly unbound variable `program-debug-info-addr'
;;; 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:327:31:
 warning: possibly unbound variable `program-debug-info-context'
;;; compiled 
/home/lfam/.cache/guile/ccache/3.0-LE-8-4.2/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm.go
;;; compiling 
/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/share/guile/3.0/system/base/types.scm
;;; compiled 
/home/lfam/.cache/guile/ccache/3.0-LE-8-4.2/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/share/guile/3.0/system/base/types.scm.go
--


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Mon, Apr 12, 2021 at 02:25:11PM +0200, Ludovic Courtès wrote:
> Could you grab a backtrace, with:
> 
>   gdb $(which guile) core

I don't know where to find this 'core' file. I'm on Guix System (the
Berlin server).

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> In the meantime, you could also update the ‘guix’ package by hand for
> testing purposes.

I tried this, but I can't figure out how to actually build the updated
Guix package, since the source code isn't added to the store.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Ludovic Courtès]

Hi Leo,

Leo Famulari  skribis:

> I couldn't figure out how to test an update of the Guix package, but
> here is my patch updating le-certs.

Cool!

> `make update-guix-package` segfaults for me, sometime after it updates
> the source tree but before adding the source checkout to the store.

Could you grab a backtrace, with:

  gdb $(which guile) core

where ‘core’ is the core file (it might live elsewhere on a foreign
distro).  It could be that the foreign distro packages being used are
buggy, or that a mixture of Guix- and distro-provided libraries are
being loaded.

In the meantime, you could also update the ‘guix’ package by hand for
testing purposes.

> From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
> From: Leo Famulari 
> Date: Mon, 12 Apr 2021 02:19:33 -0400
> Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.
>
> * gnu/packages/certs.scm (le-certs): Update the certificate store.
> [inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
> letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
> letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
> letsencryptauthorityx4.pem.
> [arguments]: Adjust the builder accordingly.

Nice!  So how do we know if/when this has to be updated?  Maybe we can
add a ‘release-monitoring-url’ property?

I just checked that the files currently in use were still there, and
they are, but they’re outdated.

Thanks!

Ludo’.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Ludovic Courtès]

Hi Leo,

Leo Famulari  skribis:

> I couldn't figure out how to test an update of the Guix package, but
> here is my patch updating le-certs.

Cool!

> `make update-guix-package` segfaults for me, sometime after it updates
> the source tree but before adding the source checkout to the store.

Could you grab a backtrace, with:

  gdb $(which guile) core

where ‘core’ is the core file (it might live elsewhere on a foreign
distro).  It could be that the foreign distro packages being used are
buggy, or that a mixture of Guix- and distro-provided libraries are
being loaded.

In the meantime, you could also update the ‘guix’ package by hand for
testing purposes.

> From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
> From: Leo Famulari 
> Date: Mon, 12 Apr 2021 02:19:33 -0400
> Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.
>
> * gnu/packages/certs.scm (le-certs): Update the certificate store.
> [inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
> letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
> letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
> letsencryptauthorityx4.pem.
> [arguments]: Adjust the builder accordingly.

Nice!  So how do we know if/when this has to be updated?  Maybe we can
add a ‘release-monitoring-url’ property?

I just checked that the files currently in use were still there, and
they are, but they’re outdated.

Thanks!

Ludo’.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Mon, Apr 12, 2021 at 02:42:07AM -0400, Leo Famulari wrote:
> I checked wrong; le-certs needs to be updated. I'm testing the update
> now...

I couldn't figure out how to test an update of the Guix package, but
here is my patch updating le-certs.

`make update-guix-package` segfaults for me, sometime after it updates
the source tree but before adding the source checkout to the store.

I did `guix build guix --with-git-url=guix=$PWD`, which succeeded, but
using --with-git-url changes the derivation, so I couldn't test this in
a VM sans nss-certs.
From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
From: Leo Famulari 
Date: Mon, 12 Apr 2021 02:19:33 -0400
Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.

* gnu/packages/certs.scm (le-certs): Update the certificate store.
[inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
letsencryptauthorityx4.pem.
[arguments]: Adjust the builder accordingly.
---
 gnu/packages/certs.scm | 76 ++
 1 file changed, 55 insertions(+), 21 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index b72d927c0d..9dcd733ffe 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -147,7 +147,7 @@ taken from the NSS package and thus ultimately from the 
Mozilla project.")
 (define-public le-certs
   (package
 (name "le-certs")
-(version "0")
+(version "1")
 (source #f)
 (build-system trivial-build-system)
 (arguments
@@ -155,9 +155,12 @@ taken from the NSS package and thus ultimately from the 
Mozilla project.")
#:builder
(begin
  (use-modules (guix build utils))
- (let ((root (assoc-ref %build-inputs "isrgrootx1.pem"))
-   (intermediate (assoc-ref %build-inputs 
"letsencryptauthorityx3.pem"))
-   (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pem"))
+ (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
+   (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
+   (intermediate-rsa (assoc-ref %build-inputs 
"letsencryptauthorityr3.pem"))
+   (intermediate-ecdsa (assoc-ref %build-inputs 
"letsencryptauthoritye1.pem"))
+   (backup-rsa (assoc-ref %build-inputs 
"letsencryptauthorityr4.pem"))
+   (backup-ecdsa (assoc-ref %build-inputs 
"letsencryptauthoritye2.pem"))
(out (string-append (assoc-ref %outputs "out") 
"/etc/ssl/certs"))
(openssl (assoc-ref %build-inputs "openssl"))
(perl (assoc-ref %build-inputs "perl")))
@@ -166,7 +169,9 @@ taken from the NSS package and thus ultimately from the 
Mozilla project.")
  (lambda (cert)
(copy-file cert (string-append out "/"
   (strip-store-file-name cert
- (list root intermediate backup))
+ (list root-rsa root-ecdsa
+   intermediate-rsa intermediate-ecdsa
+   backup-rsa backup-ecdsa))
 
;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
;; similar.)
@@ -186,26 +191,55 @@ taken from the NSS package and thus ultimately from the 
Mozilla project.")
(sha256
 (base32
  "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"
-   ;; "Let’s Encrypt Authority X3", the active Let's Encrypt intermediate
-   ;; certificate.
-   ("letsencryptauthorityx3.pem"
+  ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2"
+  ; Let's Encrypt describes it as "Active, limited availability"
+  ("isrgrootx2.pem"
 ,(origin
(method url-fetch)
-   (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem;)
+   (uri "https://letsencrypt.org/certs/isrg-root-x2.pem;)
(sha256
 (base32
- "100lxxvqv4fj563bm03zzk5r36hq5jx9nnrajzs38g825c5k0cg2"
-   ;; "Let’s Encrypt Authority X4", the backup Let's Encrypt intermediate
-   ;; certificate.  This will be used for disaster recovery and will only 
be
-   ;; used should Let's Encrypt lose the ability to issue with "Let’s
-   ;; Encrypt Authority X3".
-   ("letsencryptauthorityx4.pem"
-,(origin
-   (method url-fetch)
-   (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem;)
-   (sha256
-(base32
- "0d5256gwf73drq6q6jala28rfzhrgbk5pjfq27vc40ly91pdyh8m"))
+ "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"
+  ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
+  ;; RSA certificate.
+  ("letsencryptauthorityr3.pem"
+   ,(origin
+  (method url-fetch)
+  (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem;)

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sun, Apr 11, 2021 at 09:29:00PM -0400, Leo Famulari wrote:
> I checked and, although there have been some changes upstream at Let's
> Encrypt [0], our le-certs still works for contacting Savannah with TLS.

I checked wrong; le-certs needs to be updated. I'm testing the update
now...

> [0] Some new root and intermediate certificates:
> 
> https://letsencrypt.org/certificates/

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sun, Apr 11, 2021 at 04:41:11PM -0400, Leo Famulari wrote:
> On Wed, Mar 17, 2021 at 03:36:44PM +0100, Ludovic Courtès wrote:
> >   (define (honor-x509-certificates store)
> > "Use the right X.509 certificates for Git checkouts over HTTPS."
> > (unless (honor-system-x509-certificates!)
> >   (honor-lets-encrypt-certificates! store)))
> > 
> > By default, 1.2.0 installs ‘nss-certs’, so I would assume such
> > installations are unaffected, right?
> 
> So, the bug here is that `guix pull` is using the wrong certificate
> store. It should use le-certs, but is instead ignoring le-certs, and
> looking for a system-wide store that doesn't exist.
> 
> I tested with an installer image from current master, and the bug still
> exists.

I checked and, although there have been some changes upstream at Let's
Encrypt [0], our le-certs still works for contacting Savannah with TLS.

[0] Some new root and intermediate certificates:

https://letsencrypt.org/certificates/

Once we fix this bug, we should look into updating the le-certs package.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Wed, Mar 17, 2021 at 03:36:44PM +0100, Ludovic Courtès wrote:
>   (define (honor-x509-certificates store)
> "Use the right X.509 certificates for Git checkouts over HTTPS."
> (unless (honor-system-x509-certificates!)
>   (honor-lets-encrypt-certificates! store)))
> 
> By default, 1.2.0 installs ‘nss-certs’, so I would assume such
> installations are unaffected, right?

So, the bug here is that `guix pull` is using the wrong certificate
store. It should use le-certs, but is instead ignoring le-certs, and
looking for a system-wide store that doesn't exist.

I tested with an installer image from current master, and the bug still
exists.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sun, Feb 28, 2021 at 10:27:02AM +, Christopher Baines wrote:
> root@horna ~# wget https://git.savannah.gnu.org/git/guix.git
> --2021-02-28 11:22:49--  https://git.savannah.gnu.org/git/guix.git
> Resolving git.savannah.gnu.org (git.savannah.gnu.org)... 209.51.188.201, 
> 2001:470:142:5::201
> Connecting to git.savannah.gnu.org 
> (git.savannah.gnu.org)|209.51.188.201|:443... connected.
> ERROR: The certificate of ‘git.savannah.gnu.org’ is not trusted.
> ERROR: The certificate of ‘git.savannah.gnu.org’ doesn't have a known issuer.

By the way, it's expected that wget would fail here, if you had not
installed and configured nss-certs as directed in the manual.

`guix pull` uses its own certificate store (le-certs), and it's
suppposed to happen automatically.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sun, Feb 28, 2021 at 10:27:02AM +, Christopher Baines wrote:
> downloading from 
> https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 
> ...

I downloaded this file, un-lzipped it, and extracted the nar. The
results are bit-identical to the le-certs from ci.guix.gnu.org.

Maybe there was a momentary misconfiguration on Savannah? Or something
like that?


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sat, Apr 10, 2021 at 10:21:35PM +0100, Christopher Baines wrote:
> Maybe it just doesn't work for the root user... I encountered this when
> running guix pull as the root user on a headless machine.

I logged in as root from the console, and `guix pull` worked there too.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Christopher Baines]

Leo Famulari  writes:

> On Sat, Apr 10, 2021 at 04:30:42PM -0400, Leo Famulari wrote:
>> Okay, I'm testing this now, in a VM.
>> 
>> I wonder if it's the same thing as
>> ?
>
> I followed the instructions in the manual section Installing Guix in a
> VM.
>
> Then, I booted the new system, opened a terminal emulator in the XFCE
> desktop environment, and ran `guix pull`. It succeeded.

Maybe it just doesn't work for the root user... I encountered this when
running guix pull as the root user on a headless machine.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sat, Apr 10, 2021 at 04:30:42PM -0400, Leo Famulari wrote:
> Okay, I'm testing this now, in a VM.
> 
> I wonder if it's the same thing as
> ?

I followed the instructions in the manual section Installing Guix in a
VM.

Then, I booted the new system, opened a terminal emulator in the XFCE
desktop environment, and ran `guix pull`. It succeeded.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sat, Apr 10, 2021 at 08:45:22PM +0100, Christopher Baines wrote:
> 
> Leo Famulari  writes:
> 
> > On Sun, Feb 28, 2021 at 10:27:02AM +, Christopher Baines wrote:
> >> I believe there's TLS issues with pulling for the current 1.2.0 release.
> >
> > On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
> > instructions in the manual section Binary Installation.
> >
> > Then, `guix pull` succeeded for me, no problem.
> >
> > Can anyone reproduce still reproduce this bug?
> 
> I'm pretty sure I experienced this with a fresh install of Guix System,
> I should have given more information in the initial report.

Okay, I'm testing this now, in a VM.

I wonder if it's the same thing as
?

bug#46829: Fresh install of 1.2.0 can't guix pull

[Christopher Baines]

Leo Famulari  writes:

> On Sun, Feb 28, 2021 at 10:27:02AM +, Christopher Baines wrote:
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>
> On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
> instructions in the manual section Binary Installation.
>
> Then, `guix pull` succeeded for me, no problem.
>
> Can anyone reproduce still reproduce this bug?

I'm pretty sure I experienced this with a fresh install of Guix System,
I should have given more information in the initial report.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Leo Famulari]

On Sun, Feb 28, 2021 at 10:27:02AM +, Christopher Baines wrote:
> I believe there's TLS issues with pulling for the current 1.2.0 release.

On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
instructions in the manual section Binary Installation.

Then, `guix pull` succeeded for me, no problem.

Can anyone reproduce still reproduce this bug?

> root@horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from 
> https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 
> ...
>  le-certs-0  4KiB 
>   
> 1.8MiB/s 00:00 [##] 100.0%

If it's still around, maybe you can share this store item? I wonder if
it got corrupted.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Ludovic Courtès]

Hi,

Ludovic Courtès  skribis:

> Christopher Baines  skribis:
>
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>>
>> root@horna ~# guix pull
>> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
>> 0.0 MB will be downloaded
>> downloading from 
>> https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0
>>  ...
>>  le-certs-0  4KiB
>>  
>>   1.8MiB/s 00:00 [##] 100.0%
>>
>> Updating channel 'guix' from Git repository at 
>> 'https://git.savannah.gnu.org/git/guix.git'...
>> guix pull: error: Git error: the SSL certificate is invalid
>
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Looking at (guix scripts pull), I think that is the case:

  (define (honor-x509-certificates store)
"Use the right X.509 certificates for Git checkouts over HTTPS."
(unless (honor-system-x509-certificates!)
  (honor-lets-encrypt-certificates! store)))

By default, 1.2.0 installs ‘nss-certs’, so I would assume such
installations are unaffected, right?

> I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
> certification verification altogether for the ‘guix’ channel?

In hindsight, it seems preferable to keep X.509 authentication for now,
because there are still unauthenticated channels out there and because
it’s a bit tedious to work around it in (guix channels) and (guix git).

I checked the ‘le-certs’ package like so:

--8<---cut here---start->8---
$ guix gc --references $(guix build -d le-certs) |grep pem
/gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv
/gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
/gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
$ guix build --check -v1 $(guix gc --references $(guix build -d le-certs) |grep 
pem)
La jenaj derivoj estos konstruataj:
   /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
   /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
   /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv

building /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem ...
|warning: rewriting hashes in 
`/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem'; cross fingers
building 
/gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem ...
\warning: rewriting hashes in 
`/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem'; cross 
fingers
building 
/gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx4.pem ...
|warning: rewriting hashes in 
`/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem'; cross 
fingers
/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem
/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem
/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem
--8<---cut here---end--->8---

AFAICS, everything is up-to-date here.  So I don’t get where the ‘guix
pull’ error above comes from.

Ideas?

Ludo’.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Christopher Baines]

zimoun  writes:

> Hi Chris,
>
> On Sun, 28 Feb 2021 at 10:27, Christopher Baines  wrote:
>> I believe there's TLS issues with pulling for the current 1.2.0
>> release.
>
> Is this bug different from ?
>
> And fixes are also discussed here:
> .

Yes, this bug is about a problem with guix pull, whereas #44559 relates
to a specific issue building the gnutls package.


signature.asc
Description: PGP signature

bug#46829: Fresh install of 1.2.0 can't guix pull

[Andreas Enge]

Am Mon, Mar 01, 2021 at 11:19:08AM +0100 schrieb Ludovic Courtès:
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Yes, I installed nss-certs into the profiles from which I wanted to do
the "guix pull".

Andreas

bug#46829: Fresh install of 1.2.0 can't guix pull

[Ludovic Courtès]

Hi,

Christopher Baines  skribis:

> I believe there's TLS issues with pulling for the current 1.2.0 release.
>
> root@horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from 
> https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 
> ...
>  le-certs-0  4KiB 
>   
> 1.8MiB/s 00:00 [##] 100.0%
>
> Updating channel 'guix' from Git repository at 
> 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

That’s on an installation without ‘nss-certs’ in the system profile,
right?

I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
certification verification altogether for the ‘guix’ channel?

Thanks,
Ludo’.

bug#46829: Fresh install of 1.2.0 can't guix pull

[Ludovic Courtès]

Hi,

Andreas Enge  skribis:

> This works, thanks for sharing! But it prints a nonsensical warning message:
> Updating channel 'guix' from Git repository at 
> 'http://git.savannah.gnu.org/git/guix.git'...
> Authenticating channel 'guix', commits 9edb3f6 to bebfe06 (7,806 new 
> commits)...
> guix pull: warning: pulled channel 'guix' from a mirror of 
> https://git.savannah.gnu.org/git/guix.git, which might be stale
> Building from this channel:
>   guix  http://git.savannah.gnu.org/git/guix.git  bebfe06
>
> It is weird to call the https location a potentially stale mirror of the
> http location.

There’s no way to know that the two URLs point to the same thing, hence
the message.

Thanks,
Ludo’.

bug#46829: Fresh install of 1.2.0 can't guix pull

[zimoun]

Hi Chris,

On Sun, 28 Feb 2021 at 10:27, Christopher Baines  wrote:
> I believe there's TLS issues with pulling for the current 1.2.0
> release.

Is this bug different from ?

And fixes are also discussed here:
.


Cheers,
simon

bug#46829: Fresh install of 1.2.0 can't guix pull

[Andreas Enge]

Am Sun, Feb 28, 2021 at 10:27:02AM + schrieb Christopher Baines:
> This is probably possible to work around by doing:
>   guix pull --url=http://git.savannah.gnu.org/git/guix.git

This works, thanks for sharing! But it prints a nonsensical warning message:
Updating channel 'guix' from Git repository at 
'http://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to bebfe06 (7,806 new commits)...
guix pull: warning: pulled channel 'guix' from a mirror of 
https://git.savannah.gnu.org/git/guix.git, which might be stale
Building from this channel:
  guix  http://git.savannah.gnu.org/git/guix.gitbebfe06

It is weird to call the https location a potentially stale mirror of the
http location.

Andreas

bug#46829: Fresh install of 1.2.0 can't guix pull

[Andreas Enge]

Am Sun, Feb 28, 2021 at 10:27:02AM + schrieb Christopher Baines:
> I believe there's TLS issues with pulling for the current 1.2.0 release.
> Updating channel 'guix' from Git repository at 
> 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

I noticed the same for the following, slightly older version:
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 0939462e3f81bc98b38bdb7610e6a80ca1cbaa1b

And it also occurs with the current master checkout using
   ./pre-inst-env guix pull

I tried again after updating my nss-certs package, but it did not make
any difference.

This is on dover, an aarch64 machine. I successfully did "guix pull"
on other machines, however.

Andreas

bug#46829: Fresh install of 1.2.0 can't guix pull

[Christopher Baines]

I believe there's TLS issues with pulling for the current 1.2.0 release.

root@horna ~# guix pull
substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
0.0 MB will be downloaded
downloading from 
https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 
...
 le-certs-0  4KiB   

1.8MiB/s 00:00 [##] 100.0%

Updating channel 'guix' from Git repository at 
'https://git.savannah.gnu.org/git/guix.git'...
guix pull: error: Git error: the SSL certificate is invalid

root@horna ~# wget https://git.savannah.gnu.org/git/guix.git
--2021-02-28 11:22:49--  https://git.savannah.gnu.org/git/guix.git
Resolving git.savannah.gnu.org (git.savannah.gnu.org)... 209.51.188.201, 
2001:470:142:5::201
Connecting to git.savannah.gnu.org 
(git.savannah.gnu.org)|209.51.188.201|:443... connected.
ERROR: The certificate of ‘git.savannah.gnu.org’ is not trusted.
ERROR: The certificate of ‘git.savannah.gnu.org’ doesn't have a known issuer.


This is probably possible to work around by doing:

  guix pull --url=http://git.savannah.gnu.org/git/guix.git

As the commit signatures are checked, the risk of not using HTTPS should
be reduced.


signature.asc
Description: PGP signature