From c53e71a29fcd66ad7956060088230173b7dfba17 Mon Sep 17 00:00:00 2001
From: Mohammad Akhlaghi <mohammad@akhlaghi.org>
Date: Mon, 3 Dec 2018 16:12:09 +0000
Subject: Trusted CA certificates also downloaded for Wget usage

To enable easy downloading of HTTPS links with Wget (this pipeline's defaut
downloader), we need a set of trusted CA certificates. Until the time that
we can generate one ourselves, one generic set of trusted CA certificates
is now downloaded like a tarball and placed in the OpenSSL configuration
directory.

With these CA certificates, within the pipeline we can now safely use the
pipeline's own installed Wget.
---
 reproduce/src/make/dependencies-basic.mk       | 26 ++++++++++++++++++--------
 reproduce/src/make/dependencies-build-rules.mk |  1 +
 reproduce/src/make/download.mk                 |  2 +-
 3 files changed, 20 insertions(+), 9 deletions(-)

(limited to 'reproduce')

diff --git a/reproduce/src/make/dependencies-basic.mk b/reproduce/src/make/dependencies-basic.mk
index 0f66b06..c8babe1 100644
--- a/reproduce/src/make/dependencies-basic.mk
+++ b/reproduce/src/make/dependencies-basic.mk
@@ -95,6 +95,7 @@ all: $(foreach p, $(top-level-programs), $(ibdir)/$(p))
 tarballs = $(foreach t, bash-$(bash-version).tar.gz                         \
                         binutils-$(binutils-version).tar.lz                 \
                         bzip2-$(bzip2-version).tar.gz                       \
+                        cert.pem                                            \
                         coreutils-$(coreutils-version).tar.xz               \
                         diffutils-$(diffutils-version).tar.xz               \
                         findutils-$(findutils-version).tar.lz               \
@@ -129,6 +130,7 @@ $(tarballs): $(tdir)/%:
           if   [ $$n = bash      ]; then w=http://ftpmirror.gnu.org/gnu/bash; \
           elif [ $$n = binutils  ]; then w=http://ftpmirror.gnu.org/gnu/binutils; \
           elif [ $$n = bzip      ]; then w=http://akhlaghi.org/src;         \
+          elif [ $$n = cert      ]; then w=http://akhlaghi.org/src;         \
           elif [ $$n = coreutils ]; then w=http://ftpmirror.gnu.org/gnu/coreutils;\
           elif [ $$n = diffutils ]; then w=http://ftpmirror.gnu.org/gnu/diffutils;\
           elif [ $$n = findutils ]; then w=http://akhlaghi.org/src;         \
@@ -318,19 +320,25 @@ $(ilidir)/zlib: $(tdir)/zlib-$(zlib-version).tar.gz \
 # OpenSSL: Some programs/libraries later need dynamic linking. So we'll
 # build libssl (and libcrypto) dynamically also.
 #
+# Until we find a nice and generic way to create an updated CA file in the
+# pipeline, the certificates will be available in a file for this pipeline
+# along with the other tarballs.
+#
 # In case you do want a static OpenSSL and libcrypto, then uncomment the
 # following conditional and put $(openssl-static) in the configure options.
 #
 #ifeq ($(static_build),yes)
 #openssl-static = no-dso no-dynamic-engine no-shared
 #endif
-$(ilidir)/openssl: $(tdir)/openssl-$(openssl-version).tar.gz             \
+$(ilidir)/openssl: $(tdir)/openssl-$(openssl-version).tar.gz         \
+                   $(tdir)/cert.pem                                  \
                    $(ilidir)/zlib | $(idir)/etc
-	$(call gbuild, $<, openssl-$(openssl-version), ,                 \
-                       --openssldir=$(idir)/etc/ssl                      \
-	               --with-zlib-lib=$(ildir)                          \
-                       --with-zlib-include=$(idir)/include zlib  )       \
-	&& echo "OpenSSL is built" > $@
+	$(call gbuild, $<, openssl-$(openssl-version), ,             \
+                       --openssldir=$(idir)/etc/ssl                  \
+	               --with-zlib-lib=$(ildir)                      \
+                       --with-zlib-include=$(idir)/include zlib ) && \
+	cp $(tdir)/cert.pem $(idir)/etc/ssl/cert.pem &&              \
+	echo "OpenSSL is built and ready" > $@
 
 # GNU Wget
 #
@@ -373,8 +381,10 @@ $(ibdir)/grep: $(tdir)/grep-$(grep-version).tar.xz \
 	$(call gbuild, $<, grep-$(grep-version), static)
 
 $(ibdir)/ls: $(tdir)/coreutils-$(coreutils-version).tar.xz \
-             $(ibdir)/make
-	$(call gbuild, $<, coreutils-$(coreutils-version), static)
+             $(ilidir)/openssl
+        # Coreutils will use the hashing features of OpenSSL's `libcrypto'.
+	$(call gbuild, $<, coreutils-$(coreutils-version), static,
+	               --with-openssl)
 
 $(ibdir)/pkg-config: $(tdir)/pkg-config-$(pkgconfig-version).tar.gz \
                      $(ibdir)/make
diff --git a/reproduce/src/make/dependencies-build-rules.mk b/reproduce/src/make/dependencies-build-rules.mk
index 457d5fe..af2be95 100644
--- a/reproduce/src/make/dependencies-build-rules.mk
+++ b/reproduce/src/make/dependencies-build-rules.mk
@@ -81,6 +81,7 @@ gbuild = if [ x$(static_build) = xyes ] && [ $(3)x = staticx ]; then          \
 	 else configop="$$shellop --prefix=$(idir)";                          \
 	 fi;                                                                  \
                                                                               \
+	 echo; echo "Using '$$confscript' to configure..."; echo;             \
 	 ./$$confscript $(4) $$configop  &&                                   \
 	 make "$$shellop" $(5) &&                                             \
 	 $$check &&                                                           \
diff --git a/reproduce/src/make/download.mk b/reproduce/src/make/download.mk
index 37789e2..260fd0c 100644
--- a/reproduce/src/make/download.mk
+++ b/reproduce/src/make/download.mk
@@ -68,7 +68,7 @@ $(inputdatasets): $(indir)/%.fits: | $(indir) $(lockdir)
 	  ln -s $(INDIR)/$$origname $@
 	else
 	  touch $(lockdir)/download
-	  flock $(lockdir)/download $(DOWNLOADER) $@ $$url/$$origname
+	  flock $(lockdir)/download wget -O$@ $$url/$$origname
 	fi
 
         # Check the md5 sum to see if this is the proper dataset.
-- 
cgit v1.2.1