houge@Gentoo-Musl ~ $ doas cat /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/temp/build.log
doas (houge@Gentoo-Musl) password:
 * Package: app-misc/ca-certificates-20211016.3.72
 * Repository: gentoo
 * Maintainer: base-system@gentoo.org
 * USE: abi_x86_64 amd64 elibc_musl kernel_linux userland_GNU
 * FEATURES: network-sandbox preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking ca-certificates_20211016.tar.xz to /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work
>>> Unpacking nss-3.72.tar.gz to /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work
>>> Source unpacked in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work
>>> Preparing source in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work ...
 * Applying ca-certificates-20150426-root.patch ... [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work ...
 * Using python3.10 to build
make -j40 -C /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla
make: Entering directory '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla'
python3 certdata2pem.py
Traceback (most recent call last):
  File "/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla/certdata2pem.py", line 31, in <module>
    from cryptography import x509
ModuleNotFoundError: No module named 'cryptography'
make: *** [Makefile:6: all] Error 1
make: Leaving directory '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla'
 * ERROR: app-misc/ca-certificates-20211016.3.72::gentoo failed (compile phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=app-misc/ca-certificates-20211016.3.72::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=app-misc/ca-certificates-20211016.3.72::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/temp/environment'.
 * Working directory: '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/image'
 * S: '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work'

Reproducible: Always
Created attachment 748653 [details] emerge --info
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7c9880325c44bde2b3ffbc54f5e5c865a526709

commit f7c9880325c44bde2b3ffbc54f5e5c865a526709
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-11-04 19:07:38 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-11-04 19:07:38 +0000

    app-misc/ca-certificates: fix Python dependencies

    Closes: https://bugs.gentoo.org/821706
    Signed-off-by: Sam James <sam@gentoo.org>

 .../ca-certificates/ca-certificates-20211016.3.72.ebuild | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
So, the dependency is fixed, but dev-python/cryptography will soon (not yet) need Rust (bug 769482). What do we do then? Always ship precompiled ca-certs?
imo just patch it out. the only practical effect is adding three lines about expired dst root which only affects openssl 1.0.2 in a log which basically no gentoo users will read. --- a/mozilla/certdata2pem.py +++ b/mozilla/certdata2pem.py @@ -28,8 +28,6 @@ import textwrap import io -from cryptography import x509 - objects = [] @@ -122,12 +120,6 @@ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: continue - cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) - if cert.not_valid_after < datetime.datetime.now(): - print('!'*74) - print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) - print('!'*74) - bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ .replace(' ', '_')\ .replace('(', '=')\ WFM with this patch.
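Review bot: In the second hunk (@@ -122,12 +120,6 @@), dropping the expiry check outright means the build no longer reports a trusted root whose not_valid_after has passed, even on systems where cryptography is installed. Consider keeping the block and instead guarding the import removed in the first hunk with try/except ImportError, so the check is skipped only when the module is missing. If the block does go, check whether datetime is still used elsewhere in certdata2pem.py, since the removed comparison against datetime.datetime.now() is the only use visible in these hunks.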
You could also catch ImportError and make the code gracefully handle missing cryptography.
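The guarded import suggested in the comment above, as an added example (not code from certdata2pem.py or from anyone in this thread): the expiry check runs when cryptography is importable and is skipped, with a distinct return value, when it is not. The function names load_x509, expired_labels and report are hypothetical; obj['CKA_LABEL'] and obj['CKA_VALUE'] follow the patch quoted earlier in the thread.

```python
import datetime

UTC = datetime.timezone.utc


def load_x509():
    """Return cryptography's x509 module, or None when it is not installed."""
    try:
        from cryptography import x509
    except ImportError:  # also covers ModuleNotFoundError
        return None
    return x509


def expired_labels(objects, now=None):
    """Return CKA_LABELs of expired certificates, or None if the check was skipped.

    None (cryptography missing) is kept distinct from [] (checked, none expired).
    `now`, if given, must be a timezone-aware datetime.
    """
    x509 = load_x509()
    if x509 is None:
        return None
    now = now or datetime.datetime.now(UTC)
    expired = []
    for obj in objects:
        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
        # Newer cryptography releases expose an aware not_valid_after_utc;
        # older ones only have not_valid_after, a naive datetime in UTC.
        not_after = getattr(cert, 'not_valid_after_utc', None)
        if not_after is None:
            not_after = cert.not_valid_after.replace(tzinfo=UTC)
        if not_after < now:
            expired.append(obj['CKA_LABEL'])
    return expired


def report(objects):
    """Print the same banner as the original check, or a one-line skip notice."""
    labels = expired_labels(objects)
    if labels is None:
        print('cryptography not available; skipping certificate expiry check')
        return
    for label in labels:
        print('!' * 74)
        print('Trusted but expired certificate found: %s' % label)
        print('!' * 74)
```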
(In reply to Michał Górny from comment #5)
> You could also catch ImportError and make the code gracefully handle missing
> cryptography.

ok either way with me. i leave it up to base-system@.
The original issue is fixed, so let's use the other bug: bug 827354.