download: Load X.509 certificates only once.

Previously we'd load /etc/ssl/certs/*.pem (or similar) every time 'http-fetch' is called. * guix/build/download.scm (make-credendials-with-ca-trust-files): Wrap in 'mlambda'.
2022-03-03 22:42:31 +01:00 · 2022-03-03 22:42:31 +01:00 · c1a871a166
commit c1a871a166
parent b4acb39b6b
1 changed files with 23 additions and 19 deletions
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@ -28,6 +28,7 @@
  #:use-module (guix ftp-client)
  #:use-module (guix build utils)
  #:use-module (guix progress)
  #:use-module (guix memoization)
  #:use-module (rnrs io ports)
  #:use-module (rnrs bytevectors)
  #:use-module (srfi srfi-1)
@ -177,10 +178,13 @@ name decoding bug described at
  (let ((data (call-with-input-file file get-bytevector-all)))
    (set-certificate-credentials-x509-trust-data! cred data format)))
-(define (make-credendials-with-ca-trust-files directory)
+(define make-credendials-with-ca-trust-files
  (mlambda (directory)
    "Return certificate credentials with X.509 authority certificates read from
 DIRECTORY.  Those authority certificates are checked when
 'peer-certificate-status' is later called."
    ;; Memoize the result to avoid scanning all the certificates every time a
    ;; connection is made.
    (let ((cred  (make-certificate-credentials))
          (files (match (scandir directory (cut string-suffix? ".pem" <>))
                   ((or #f ())
@ -197,7 +201,7 @@ DIRECTORY.  Those authority certificates are checked when
                       cred file
                       x509-certificate-format/pem))))
                files)
-    cred))
+      cred)))
 (define (peer-certificate session)
  "Return the certificate of the remote peer in SESSION."