curl-ca-certs (#121)

2024-11-10 02:25:18 +03:00 · 2022-09-06 20:33:51 -04:00 · 2022-09-06 20:33:51 -04:00 · 5a3069888c
parent f92b037388
commit 5a3069888c
5 changed files with 86 additions and 8 deletions
--- a/projects/curl.se/package.yml
+++ b/projects/curl.se/package.yml
@ -14,8 +14,13 @@ build:
    tea.xyz/gx/cc: c99
    tea.xyz/gx/make: '*'
  script: |
-    ./configure --prefix={{prefix}} --with-openssl
+    ./configure $ARGS
    make --jobs {{ hw.concurrency }} install
+  env:
+    ARGS:
+    - --prefix={{prefix}}
+    - --with-openssl
+    - --with-ca-fallback  # uses openssl’s certs (which we control)
  test:
    make test

--- a/projects/openssl.org/package.yml
+++ b/projects/openssl.org/package.yml
@ -17,15 +17,21 @@ build:
    tea.xyz/gx/cc: c99
    tea.xyz/gx/make: '*'
    perl.org: 5
-    curl.se: '*'
+    curl.se: '*'  # to download ca-certs on linux
  script: |
    ./Configure --prefix={{ prefix }} $ARCH no-tests
    make --jobs {{ hw.concurrency }}
    make install_sw  # `_sw` avoids installing docs

-    #TODO needs to be a curl.se/pkg that gets updates
-    mkdir -p "$CERTDIR"
-    curl https://curl.se/ca/cacert-2022-07-19.pem -o "$CERTDIR"/cert.pem
+    if test {{hw.platform}} = darwin; then
+      # use Apple’s certs ∵ they are very incentivized to get this right
+      rm -f "$CERTDIR"  # for building over the top FIXME DESTDIR for all
+      ln -sf /etc/ssl "$CERTDIR"
+    else
+      #FIXME needs to be a curl.se/ca-certs that gets updates
+      mkdir -p "$CERTDIR"
+      curl https://curl.se/ca/cacert-2022-07-19.pem -o "$CERTDIR"/cert.pem
+    fi
  env:
    CERTDIR: ${{prefix}}/ssl
    darwin/aarch64: {ARCH: 'darwin64-arm64-cc'}
--- a/scripts/deps.ts
+++ b/scripts/deps.ts
@ -0,0 +1,47 @@
+#!/usr/bin/env -S tea -E
+
+/*---
+args:
+  - deno
+  - run
+  - --allow-read
+  - --allow-env
+  - --import-map={{ srcroot }}/import-map.json
+---*/
+
+import { PackageRequirement, parsePackageRequirement } from "types"
+import usePantry from "hooks/usePantry.ts"
+import useFlags from "hooks/useFlags.ts"
+import hydrate from "prefab/hydrate.ts"
+
+const pantry = usePantry()
+
+useFlags()
+
+const mode: 'build' | 'install' = Deno.args.includes("-b") ? 'build' : 'install'
+const get_deps = async (pkg: PackageRequirement) => {
+  const deps = await pantry.getDeps(pkg)
+  switch (mode) {
+  case 'build':
+    return [...deps.build, ...deps.runtime]
+  case 'install':
+    return deps.runtime
+  }
+}
+
+const dry = Deno.args.compactMap(arg => !arg.startsWith('-') && parsePackageRequirement(arg))
+const explicit = new Set(dry.map(x=>x.project))
+const wet = await hydrate(dry, get_deps)
+const gas = wet.pkgs.compactMap(({project}) => {
+  if (Deno.args.includes('-i')) {
+    return project
+  } else {
+    return explicit.has(project) || project
+  }
+})
+
+if (Deno.env.get("GITHUB_ACTIONS")) {
+  console.log(`::set-output name=pkgs::${gas.join(" ")}\n`)
+} else {
+  console.log(gas.join("\n"))
+}
--- a/scripts/filter.ts
+++ b/scripts/filter.ts
@ -4,10 +4,7 @@
 args:
  - deno
  - run
-  - --allow-net
-  - --allow-run
  - --allow-read
-  - --allow-write
  - --allow-env
  - --import-map={{ srcroot }}/import-map.json
 ---*/
--- a/scripts/repair.ts
+++ b/scripts/repair.ts
@ -0,0 +1,23 @@
+#!/usr/bin/env -S tea -E
+
+/*
+---
+args:
+  - deno
+  - run
+  - --allow-net
+  - --allow-read=/opt
+  - --allow-write=/opt
+  - --allow-run  # uses `/bin/ln`
+  - --import-map={{ srcroot }}/import-map.json
+---
+*/
+
+import repairLinks from "prefab/repair-links.ts"
+import { print } from "utils"
+
+print("this because otherwise console.verbose is not defined lol")
+
+for (const project of Deno.args) {
+  await repairLinks(project)
+}