#general
- a
ancient-stone-50795
07/22/2015, 7:02 PM@mammoth-autumn-2551: A ssl certificate issue is one we’ve been dealing with for a while. What platform are you on? - a
ancient-stone-50795
07/22/2015, 7:02 PMCopy code#!/bin/bash # # Echos the name of a pem file of CA certs. Creates the # file if needed. # # Linux: There's already a file in /etc # Mac: Extract the SSL CA certificates from the keychain set -e PANTS_BOOTSTRAPDIR=~/.cache/pants UNAME_S=$(uname -s) case ${UNAME_S} in Darwin) mkdir -p ${PANTS_BOOTSTRAPDIR} CACERTS_PEM=${PANTS_BOOTSTRAPDIR}/cacerts.pem security find-certificate -a -p /Library/Keychains/System.keychain > ${CACERTS_PEM} security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> ${CACERTS_PEM} ;; Linux) CACERTS_PEM="/etc/pki/tls/certs/ca-bundle.crt" ;; *) echo "*** ${UNAME_S} not supported by this script!" 1>&2 exit 1 esac echo ${CACERTS_PEM} - a
ancient-stone-50795
07/22/2015, 7:02 PMThat file in /etc/ on Linux may have been something created by our team at Square. - a
ancient-stone-50795
07/22/2015, 7:03 PMThen, what we do is set the environment variable
from the output of that script:REQUESTS_CA_BUNDLECopy codeexport REQUESTS_CA_BUNDLE=$(squarepants/bin/pants_cacerts_bootstrap.sh) - j
jolly-chef-92794
07/22/2015, 7:04 PMSo, I'm noticing that jmake doesn't seem to recompile .java sources that haven't changed, even when using different arguments like
and-C-source
that really should trigger a recompile.-C-target - j
jolly-chef-92794
07/22/2015, 7:05 PM(I know jmake is actually running from the debug output, so it's not just a pants fingerprinting/caching problem) - e
enough-analyst-54434
07/22/2015, 7:09 PMThis doesn't sound particularly surprising. If you need a fix on the jmake side in the interim until you flip over to zinc, we maintain/release/use this fork: https://github.com/pantsbuild/jmake - m
mammoth-autumn-2551
07/22/2015, 7:10 PM@ancient-stone-50795: we’re seeing it on Ubuntu 12.04 (fairly vanilla with security updates) and osx - a
ancient-stone-50795
07/22/2015, 7:11 PM@jolly-chef-92794: we should be able to flip back over to zinc for java soon - You can enable it and see if we have the same problem with zinc. - m
mammoth-autumn-2551
07/22/2015, 7:11 PMFrom what I understand, requests supports bundling updated roots certificates via the project
, so that my solve the issue, but doesn’t explain why it showed up in this pants upgradecertifi - a
ancient-stone-50795
07/22/2015, 7:12 PM@jolly-chef-92794: The only problem we are having with zinc at the moment is error output is garbled. - a
ancient-stone-50795
07/22/2015, 7:12 PM@mammoth-autumn-2551: What URL are you trying to hit that is giving you the error. Is it a self-signed certificate from some internal server (that was what we ran into) - m
mammoth-autumn-2551
07/22/2015, 7:13 PMactually, no its the mailgun validate apihttps://documentation.mailgun.com/api-email-validation.html - a
ancient-stone-50795
07/22/2015, 7:14 PM@mammoth-autumn-2551: you probably just updated to a more recent version of the requests library. I did bump the version some time ago... - a
ancient-stone-50795
07/22/2015, 7:14 PMCopy codecommit d8a8c311085bcc987d3be0b34f5bd73c2e5b2a41 Author: Eric Ayers <zundel@squareup.com> Date: Sun Mar 8 08:58:11 2015 -0400 Update our requests library to something more recent I noticed that this library is way behind the current release which is 2.5.3. See <http://docs.python-requests.org/en/latest/community/updates/> - m
mammoth-autumn-2551
07/22/2015, 7:45 PMSo mystery solved @ancient-stone-50795 and @enough-analyst-54434 : These issues were only happening for us during a high-level release script, which is invoked via
. One of the first things that script does is clean up pants state, which I think blows away the now cached chroot. So downstream code that would load resources would fail (in the case of requests, it would be loading a bundled copy of the root certificate)pants run - e
enough-analyst-54434
07/22/2015, 7:47 PMso .
-> python code that knows about $CWD/.pants.d and kills it in the middle of pants run?/pants run ... - e
enough-analyst-54434
07/22/2015, 7:49 PMIf so that sounds like the winner for sure - e
enough-analyst-54434
07/22/2015, 7:51 PMI guess the proof of that would be to s/run/binary/ and run the pex plopped in dist instead of
- that should still work./pants run - w
witty-crayon-22786
07/22/2015, 8:29 PM@ancient-stone-50795, @bored-art-40741 : do you guys use the mid-graph form of ivy excludes? - w
witty-crayon-22786
07/22/2015, 8:29 PMie - b
bored-art-40741
07/22/2015, 8:29 PMWe do not use ivy excludes at all. We only use ivy for tool resolution - w
witty-crayon-22786
07/22/2015, 8:30 PMCopy codejava_library(name='blah', dependencies=[..], excludes=[exclude(x, y)]) - b
bored-art-40741
07/22/2015, 8:30 PMWe definitely do not do that - w
witty-crayon-22786
07/22/2015, 8:30 PMkk. @ancient-stone-50795 ? - a
ancient-stone-50795
07/22/2015, 8:57 PM@witty-crayon-22786: we don’t use that. We use deploy_excludes on
targets though:jvm_binaryCopy codejvm_binary(name='server', main = 'com.squareup.gns.server.GnsServerApp', basename= 'gns-server', dependencies = [ ':lib', ':server-signed-jars' ], manifest_entries = square_manifest({ 'Class-Path': 'gns-server-signed-jars/bcprov-jdk15on.jar gns-server-signed-jars/ncipherkm.jar', }), deploy_excludes = [ exclude(org='com.squareup.nonmaven', name='ncipherkm'), exclude(org='org.bouncycastle', name='bcprov-jdk15on') ], ) - w
witty-crayon-22786
07/22/2015, 8:57 PMyea, that's the way to go. - w
witty-crayon-22786
07/22/2015, 8:58 PMok. based on your responses, i'm going to assume that we have some freedom to change the default behaviour of those mid-graph excludes - a
ancient-stone-50795
07/22/2015, 8:58 PMSGTM - e
enough-analyst-54434
07/22/2015, 8:59 PMOr kill them? They are an ivy - only feature - does not exist for mvn.