From: Danny Milosavljevic <dannym@scratchpost.org>
To: <bug-guix@gnu.org>
Subject: core-updates nss not reproducible
Date: Sun, 29 Mar 2020 13:16:11 +0200
Report forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Mon, 30 Mar 2020 02:36:21 GMT) (full text, mbox, link).
Acknowledgement sent
to Danny Milosavljevic <dannym@scratchpost.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org.
(Mon, 30 Mar 2020 02:36:21 GMT) (full text, mbox, link).
Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi, core-updates' nss is not reproducible (commit aebcbb27bc2f192cc06163251bab66a4ceb7b7d6). diffoscope says: --- /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50 +++ /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50-check ├── lib │ ├── nss │ │ ├── libfreebl3.chk │ │ │┄ xxd not available in path. Falling back to Python hexlify. │ │ │ @@ -11,19 +11,19 @@ │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010029 │ │ │ -713ef8afdc7c8efcff89e8c420bfdd8835e6d08bb934ce160fe927b99ac8f997 │ │ │ -c043c16bfe67abbbd27a97b4aa4df753c33f5a093d9598413edfb4c6a0a68309 │ │ │ -4f3a160aec8a5e8e383c108c802580e5f117f9b2be6d496f6eb6e85937258e53 │ │ │ -f3f55ac49f7ffa955e91e054d1dd6b19f725506e2242fbb2f8acf81c9ff4278c │ │ │ -5c6ad6528d1a8505c6c83fd643660e3a31dddff7eb5f046f0df6d47ea455c82c │ │ │ -78ec32d8a1aaa29c9deed1053feae3029eacce8b9ff88777ff964757aeb1ccce │ │ │ -bd14d326b7fb0822bbc982250e51d4eaa73599ef8e4fd2298f076edf9a9be41e │ │ │ -94da645f57dc12af730b3661973390672cbcf767caf495e1f3656f06f0fae300 │ │ │ -00004030361665e91e760d37d9117256e4f698d2b124115e83aafcc92c2751fa │ │ │ -f2b3384c22c76a207da12a4c4b72662e9ae53f356d6b6d98a066cd240cb06fed │ │ │ -337d6d │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3 │ │ │ +35c76bfe38266728b573ef4fedcb22131ce275a8a484902b3ad994ca3a87a754 │ │ │ +998b5c5807e4fa0e9b83a6677eca9140b8bbeeb4c36897473065b8305c4d1ddd │ │ │ +3f967b7041217df53ae6ec4211b031cc12df895a35efcde570dd2c7a610151c9 │ │ │ +ef0acdf28a646db355ece183e2e71275c51b4331e61ca7948c7aa62d420e8b17 │ │ │ +481f427197c78094832de5e3f21d27bf701e6fc524e5f700567969f91e8864c0 │ │ │ +fae4da549d548ce8b134456e0720d083c8649bdb44ac6383d2e5a41bd2ec3b64 │ │ │ +e9b6d281708447aefdd60be32f7d9093fef2579d6c122b48e449b2266bdc4678 │ │ │ +9639fd997f0d8fe649b51a5f3097603b130bb5e8a811b5f3c121ed6d7bb58300 │ │ │ +00004004c38a443627df69c2bc659e2e810b24b0e4dc042311fb9b2c99d18e7b │ │ │ +242fc7729f9e5facc1dc69ced89ea571bd69f95277894e9954c28c2f8ab77d62 │ │ │ +e96c1d │ │ ├── libfreeblpriv3.chk │ │ │┄ xxd not available in path. Falling back to Python hexlify. │ │ │ @@ -11,19 +11,19 @@ │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3 │ │ │ -298c351142cb4107acceb8e07a997cc63fade4c4dd6cc0d3f5dedad25fca66bc │ │ │ -d58fb35b3a1f8ce3c90c795a8066cb4312b2b11558daf3c388ee3865d1cbc75d │ │ │ -88832d044dd267885c36455be97ee5ff17ee95a9377170441267b604d6bea8d2 │ │ │ -c7fbaebd2c39506220d5d2c4a34e6a848fc139bd38f95c7e48160d847c270a78 │ │ │ -e88519f1a5f2f36c6d6d4c16d621b2e763e48d42818b1a3b76421a52c7c209b9 │ │ │ -a70fe921ad9b80411150a5e4d800bd89fe4486361412b39a9b5c68abec6bb68d │ │ │ -8f7d1b823c9d455d0062d9b819b1d5173a493cdbea00dcfc98a52537bd373acb │ │ │ -cb046c7fe4246590c9875413f19dba8f63a2f05771d161513efeb2e663ebf400 │ │ │ -000040299e7b6851b43d6f40d1704237831bbb5a1fd4e38c041f1b7222480338 │ │ │ -c27b4e655f1846220c4950db84ce7da9b2c1b2c6530304a73c8caff757be8ba4 │ │ │ -51d8ec │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010032 │ │ │ +0bdce77a4aabe0b8a8b97469180a5882104d30c155dfc227f99b7add6aedda98 │ │ │ +b9aee674e8a2f43377eea0e32f4382f8818a9cd39dfe0f2217b989ab695b1317 │ │ │ +971ae000096efde5a3610306a7a60b3075204f77543509fb48d1605d0ae6d7cd │ │ │ +dd5b3576d2d09d9e4d5357ea21e7376e2fa69ba804a19161ab639219592efef5 │ │ │ +ad5b8714ad21118b1fa53453b6e4222e267b0a692704de6bcd10895afeaf5f21 │ │ │ +f721c406a796e092b344bc78abd953205e6d932c87fef89e80715a9eefbd6417 │ │ │ +eef4e8c8630fe92927d81870c50f64aa15f2dbb965d9aa51a450d0c53607d60a │ │ │ +8c4ad1461e32c7dc78bf606eaacf38a88a2c47f496b3ba289e104e8d25a84400 │ │ │ +0000408df400964ed23bd859d524136afbf355cce08ae540f65bbfe055e81950 │ │ │ +6b84f52240c447ad47c53ee31e9fed82d08905f65adfedd54f5b91b6b9d6105b │ │ │ +f2f8f4 │ │ ├── libnssdbm3.chk │ │ │┄ xxd not available in path. Falling back to Python hexlify. │ │ │ @@ -11,19 +11,19 @@ │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001009d │ │ │ -76e916a4dfe80c81097e4cff0f945852d689772f01c87f11c2fab03f99f20417 │ │ │ -d1458884f5255774a9028c848ce879369734f01f1e12ceb9cf63dc9eca1170b8 │ │ │ -23e6678ab9f65f2dbeeae2c96fd90367e720124a2d11551127baf17e2a7b214d │ │ │ -f24bca9fbb5355d2479e7c06ec05fe138ad50c26a1876053143bf0ed18eae349 │ │ │ -42b8b96ab9bdde2e234fbfe354d8b3698cd5ddadfdd1de6ab8d75c558a96bd8a │ │ │ -accb720a1207f4b25c9e1df0e0b60574d8f89d65e6698e1626e1d1a892c3c1d5 │ │ │ -13ee0f6ee4e87e2b54d566283e99aaa6300e3131913c9549d4b1a6ad2869fd4c │ │ │ -d28567c75a32f0d132021b586ab8fb292994d065ec4b3875dabc993cb0e17800 │ │ │ -00004070a60b59d01834af5e27dff70526b0beb20dfabb43a6ab25f766d1ec26 │ │ │ -90ce003539dbf276a167ec78d7a998f69e99bf3c81fc7246572342aec6d214da │ │ │ -abcc97 │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001006b │ │ │ +6170f9835f65f0409f61d947626f5880691b5b1ec5f0d280b82d832d3d5d3957 │ │ │ +1745597c3a2392c1271f8508a1c748bc4be5681bacfd11480a1855af07ae3cd4 │ │ │ +4fbc4165f89174e7cba60ac7f7c0a17116cfa3fd8e0ed6c0c02696352b3f9d53 │ │ │ +7fcbda8cb21b0a95f9e92d38dc8121ea2dac2eabd750ba7770c47d514282f45b │ │ │ +357ef3586d8930a05a6e26c9ea391351d16fa2ab10fb08e42406e7a0365c3258 │ │ │ +00de8afadfb3086ca003e964ed1ab11b3410f4ccfede3e7b987ade295d4a0bc5 │ │ │ +d505170822d4a01535a93de3a507a51c4180989530d22e50d725d775f7455e9a │ │ │ +9d5a851f2f976a6f312e924c27ac72a3599f9cf8878bbe01046a91cd04664c00 │ │ │ +00004002c563080dfd3803f27fa9c896d0dd1b3c985bd53f0622cabea11746fa │ │ │ +ada72d7c05b819eb4dc9cda731e0006b637bd893555506c000dabb5c066d3f7e │ │ │ +3ea9d8 │ │ ├── libsoftokn3.chk │ │ │┄ xxd not available in path. Falling back to Python hexlify. │ │ │ @@ -11,19 +11,19 @@ │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010030 │ │ │ -045311203f4d6c1624ea5336dc9a5470a2baa285ca7294bf2162c479bc0913d4 │ │ │ -f8f326ef62ca8b31781b61e9ad3057d3c4cdd90c882dceb252149d7578cceab4 │ │ │ -4ce0bb338d395901afafbe3c570493a7add01e625de9a0a90c4e85c52ce67630 │ │ │ -3b1cc388c65d76d87c5bd31d2db8fbe17db05186c3a4bc2032614af6d950e8c7 │ │ │ -91da637dc8a7c2897071c92910e47b529566eddafc918e1c05f39aedea9e712f │ │ │ -98be2b6b87685411a5d8be0cd4d0c5e680ade81a3b9ee09d7aa6489775e3465b │ │ │ -0dd470a8bd99a84df719cbf935d46a08f9045c58ccb2861dd35e76d085caed0a │ │ │ -9ecc3cffe9bec61966d09e633bf7ac9870d02e03f8d4a2911da1b6e02cf6ab00 │ │ │ -0000408a5c4418abe2196ccf3ad0ce5d4df8edfa598befb414c4c622e92b2a70 │ │ │ -c94c5646c44609ba518ecdeef2eaa2745144a5048e2c4a92415fee1e3fe2c479 │ │ │ -1fe98a │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010042 │ │ │ +3475f0c8a0fbfcbf67cdac446df60765ccc7b02fb6c5079e14c9d2c1da2d7ae5 │ │ │ +8f274ecfcf9d135c05a7405008e8f8c7f5ac86c274aabe5fdc33e014b622a5f4 │ │ │ +0c8525071b0d5ee7614464deffee9320a965701df92070ff15fe786c1e8c41b3 │ │ │ +b4298574d9c0b9d8e1fe896a12973e579372d75fe8f3262254a80b622e6543bb │ │ │ +16be7160f9a89b934cd7133aa87fa5e03bcf981806cbb0bccf01af77008fd424 │ │ │ +cf6190e09910d4aaa812092fa64766d1bce0a9cf77f3470f5f0aa37715014cc6 │ │ │ +661c5f55253063713dac706cabab09005b9f1e2889f03e5b860f7eacbce21744 │ │ │ +fd33e21a0ca62878a7863e27667f0f7eb440bdfff02b9838d75d3fda4dac2400 │ │ │ +000040180f14354ae8e6d4d243e4fef0819e75346888290dd80849a7494dd220 │ │ │ +db71d615c82b2dbdee722fb914aff6875ffd66be934a102f0f684535169c9940 │ │ │ +c0733d
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Mon, 30 Mar 2020 06:11:02 GMT) (full text, mbox, link).
Message #8 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hello Danny, Danny Milosavljevic <dannym@scratchpost.org> ezt írta (időpont: 2020. márc. 30., H, 4:38): > > Hi, > > core-updates' nss is not reproducible (commit > aebcbb27bc2f192cc06163251bab66a4ceb7b7d6). > > diffoscope says: > > --- /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50 > +++ /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50-check > ├── lib > │ ├── nss > │ │ ├── libfreebl3.chk > │ │ │┄ xxd not available in path. Falling back to Python hexlify. > │ │ │ @@ -11,19 +11,19 @@ > │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 > │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 > │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a > │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 > │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 > │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c > │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 > │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010029 > │ │ │ -713ef8afdc7c8efcff89e8c420bfdd8835e6d08bb934ce160fe927b99ac8f997 > │ │ │ -c043c16bfe67abbbd27a97b4aa4df753c33f5a093d9598413edfb4c6a0a68309 > │ │ │ -4f3a160aec8a5e8e383c108c802580e5f117f9b2be6d496f6eb6e85937258e53 > │ │ │ -f3f55ac49f7ffa955e91e054d1dd6b19f725506e2242fbb2f8acf81c9ff4278c > │ │ │ -5c6ad6528d1a8505c6c83fd643660e3a31dddff7eb5f046f0df6d47ea455c82c > │ │ │ -78ec32d8a1aaa29c9deed1053feae3029eacce8b9ff88777ff964757aeb1ccce > │ │ │ -bd14d326b7fb0822bbc982250e51d4eaa73599ef8e4fd2298f076edf9a9be41e > │ │ │ -94da645f57dc12af730b3661973390672cbcf767caf495e1f3656f06f0fae300 > │ │ │ -00004030361665e91e760d37d9117256e4f698d2b124115e83aafcc92c2751fa > │ │ │ -f2b3384c22c76a207da12a4c4b72662e9ae53f356d6b6d98a066cd240cb06fed > │ │ │ -337d6d > │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3 > │ │ │ +35c76bfe38266728b573ef4fedcb22131ce275a8a484902b3ad994ca3a87a754 > │ │ │ +998b5c5807e4fa0e9b83a6677eca9140b8bbeeb4c36897473065b8305c4d1ddd > │ │ │ +3f967b7041217df53ae6ec4211b031cc12df895a35efcde570dd2c7a610151c9 > │ │ │ +ef0acdf28a646db355ece183e2e71275c51b4331e61ca7948c7aa62d420e8b17 > │ │ │ +481f427197c78094832de5e3f21d27bf701e6fc524e5f700567969f91e8864c0 > │ │ │ +fae4da549d548ce8b134456e0720d083c8649bdb44ac6383d2e5a41bd2ec3b64 > │ │ │ +e9b6d281708447aefdd60be32f7d9093fef2579d6c122b48e449b2266bdc4678 > │ │ │ +9639fd997f0d8fe649b51a5f3097603b130bb5e8a811b5f3c121ed6d7bb58300 > │ │ │ +00004004c38a443627df69c2bc659e2e810b24b0e4dc042311fb9b2c99d18e7b > │ │ │ +242fc7729f9e5facc1dc69ced89ea571bd69f95277894e9954c28c2f8ab77d62 > │ │ │ +e96c1d > │ │ ├── libfreeblpriv3.chk > │ │ │┄ xxd not available in path. Falling back to Python hexlify. > │ │ │ @@ -11,19 +11,19 @@ > │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 > │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 > │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a > │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 > │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 > │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c > │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 > │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3 > │ │ │ -298c351142cb4107acceb8e07a997cc63fade4c4dd6cc0d3f5dedad25fca66bc > │ │ │ -d58fb35b3a1f8ce3c90c795a8066cb4312b2b11558daf3c388ee3865d1cbc75d > │ │ │ -88832d044dd267885c36455be97ee5ff17ee95a9377170441267b604d6bea8d2 > │ │ │ -c7fbaebd2c39506220d5d2c4a34e6a848fc139bd38f95c7e48160d847c270a78 > │ │ │ -e88519f1a5f2f36c6d6d4c16d621b2e763e48d42818b1a3b76421a52c7c209b9 > │ │ │ -a70fe921ad9b80411150a5e4d800bd89fe4486361412b39a9b5c68abec6bb68d > │ │ │ -8f7d1b823c9d455d0062d9b819b1d5173a493cdbea00dcfc98a52537bd373acb > │ │ │ -cb046c7fe4246590c9875413f19dba8f63a2f05771d161513efeb2e663ebf400 > │ │ │ -000040299e7b6851b43d6f40d1704237831bbb5a1fd4e38c041f1b7222480338 > │ │ │ -c27b4e655f1846220c4950db84ce7da9b2c1b2c6530304a73c8caff757be8ba4 > │ │ │ -51d8ec > │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010032 > │ │ │ +0bdce77a4aabe0b8a8b97469180a5882104d30c155dfc227f99b7add6aedda98 > │ │ │ +b9aee674e8a2f43377eea0e32f4382f8818a9cd39dfe0f2217b989ab695b1317 > │ │ │ +971ae000096efde5a3610306a7a60b3075204f77543509fb48d1605d0ae6d7cd > │ │ │ +dd5b3576d2d09d9e4d5357ea21e7376e2fa69ba804a19161ab639219592efef5 > │ │ │ +ad5b8714ad21118b1fa53453b6e4222e267b0a692704de6bcd10895afeaf5f21 > │ │ │ +f721c406a796e092b344bc78abd953205e6d932c87fef89e80715a9eefbd6417 > │ │ │ +eef4e8c8630fe92927d81870c50f64aa15f2dbb965d9aa51a450d0c53607d60a > │ │ │ +8c4ad1461e32c7dc78bf606eaacf38a88a2c47f496b3ba289e104e8d25a84400 > │ │ │ +0000408df400964ed23bd859d524136afbf355cce08ae540f65bbfe055e81950 > │ │ │ +6b84f52240c447ad47c53ee31e9fed82d08905f65adfedd54f5b91b6b9d6105b > │ │ │ +f2f8f4 > │ │ ├── libnssdbm3.chk > │ │ │┄ xxd not available in path. Falling back to Python hexlify. > │ │ │ @@ -11,19 +11,19 @@ > │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 > │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 > │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a > │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 > │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 > │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c > │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 > │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001009d > │ │ │ -76e916a4dfe80c81097e4cff0f945852d689772f01c87f11c2fab03f99f20417 > │ │ │ -d1458884f5255774a9028c848ce879369734f01f1e12ceb9cf63dc9eca1170b8 > │ │ │ -23e6678ab9f65f2dbeeae2c96fd90367e720124a2d11551127baf17e2a7b214d > │ │ │ -f24bca9fbb5355d2479e7c06ec05fe138ad50c26a1876053143bf0ed18eae349 > │ │ │ -42b8b96ab9bdde2e234fbfe354d8b3698cd5ddadfdd1de6ab8d75c558a96bd8a > │ │ │ -accb720a1207f4b25c9e1df0e0b60574d8f89d65e6698e1626e1d1a892c3c1d5 > │ │ │ -13ee0f6ee4e87e2b54d566283e99aaa6300e3131913c9549d4b1a6ad2869fd4c > │ │ │ -d28567c75a32f0d132021b586ab8fb292994d065ec4b3875dabc993cb0e17800 > │ │ │ -00004070a60b59d01834af5e27dff70526b0beb20dfabb43a6ab25f766d1ec26 > │ │ │ -90ce003539dbf276a167ec78d7a998f69e99bf3c81fc7246572342aec6d214da > │ │ │ -abcc97 > │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001006b > │ │ │ +6170f9835f65f0409f61d947626f5880691b5b1ec5f0d280b82d832d3d5d3957 > │ │ │ +1745597c3a2392c1271f8508a1c748bc4be5681bacfd11480a1855af07ae3cd4 > │ │ │ +4fbc4165f89174e7cba60ac7f7c0a17116cfa3fd8e0ed6c0c02696352b3f9d53 > │ │ │ +7fcbda8cb21b0a95f9e92d38dc8121ea2dac2eabd750ba7770c47d514282f45b > │ │ │ +357ef3586d8930a05a6e26c9ea391351d16fa2ab10fb08e42406e7a0365c3258 > │ │ │ +00de8afadfb3086ca003e964ed1ab11b3410f4ccfede3e7b987ade295d4a0bc5 > │ │ │ +d505170822d4a01535a93de3a507a51c4180989530d22e50d725d775f7455e9a > │ │ │ +9d5a851f2f976a6f312e924c27ac72a3599f9cf8878bbe01046a91cd04664c00 > │ │ │ +00004002c563080dfd3803f27fa9c896d0dd1b3c985bd53f0622cabea11746fa > │ │ │ +ada72d7c05b819eb4dc9cda731e0006b637bd893555506c000dabb5c066d3f7e > │ │ │ +3ea9d8 > │ │ ├── libsoftokn3.chk > │ │ │┄ xxd not available in path. Falling back to Python hexlify. > │ │ │ @@ -11,19 +11,19 @@ > │ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933 > │ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85 > │ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a > │ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5 > │ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83 > │ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c > │ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02 > │ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010030 > │ │ │ -045311203f4d6c1624ea5336dc9a5470a2baa285ca7294bf2162c479bc0913d4 > │ │ │ -f8f326ef62ca8b31781b61e9ad3057d3c4cdd90c882dceb252149d7578cceab4 > │ │ │ -4ce0bb338d395901afafbe3c570493a7add01e625de9a0a90c4e85c52ce67630 > │ │ │ -3b1cc388c65d76d87c5bd31d2db8fbe17db05186c3a4bc2032614af6d950e8c7 > │ │ │ -91da637dc8a7c2897071c92910e47b529566eddafc918e1c05f39aedea9e712f > │ │ │ -98be2b6b87685411a5d8be0cd4d0c5e680ade81a3b9ee09d7aa6489775e3465b > │ │ │ -0dd470a8bd99a84df719cbf935d46a08f9045c58ccb2861dd35e76d085caed0a > │ │ │ -9ecc3cffe9bec61966d09e633bf7ac9870d02e03f8d4a2911da1b6e02cf6ab00 > │ │ │ -0000408a5c4418abe2196ccf3ad0ce5d4df8edfa598befb414c4c622e92b2a70 > │ │ │ -c94c5646c44609ba518ecdeef2eaa2745144a5048e2c4a92415fee1e3fe2c479 > │ │ │ -1fe98a > │ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010042 > │ │ │ +3475f0c8a0fbfcbf67cdac446df60765ccc7b02fb6c5079e14c9d2c1da2d7ae5 > │ │ │ +8f274ecfcf9d135c05a7405008e8f8c7f5ac86c274aabe5fdc33e014b622a5f4 > │ │ │ +0c8525071b0d5ee7614464deffee9320a965701df92070ff15fe786c1e8c41b3 > │ │ │ +b4298574d9c0b9d8e1fe896a12973e579372d75fe8f3262254a80b622e6543bb > │ │ │ +16be7160f9a89b934cd7133aa87fa5e03bcf981806cbb0bccf01af77008fd424 > │ │ │ +cf6190e09910d4aaa812092fa64766d1bce0a9cf77f3470f5f0aa37715014cc6 > │ │ │ +661c5f55253063713dac706cabab09005b9f1e2889f03e5b860f7eacbce21744 > │ │ │ +fd33e21a0ca62878a7863e27667f0f7eb440bdfff02b9838d75d3fda4dac2400 > │ │ │ +000040180f14354ae8e6d4d243e4fef0819e75346888290dd80849a7494dd220 > │ │ │ +db71d615c82b2dbdee722fb914aff6875ffd66be934a102f0f684535169c9940 > │ │ │ +c0733d Do you have any idea what these might be? Are these text files, but not recoginzed by diffoscope, or are they really binary? Also, IIRC we had problems earlier with this package, as some keys were generated. Might this be somehow related? Best regards, g_bor -- OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Mon, 30 Mar 2020 11:56:02 GMT) (full text, mbox, link).
Message #11 received at 40316@debbugs.gnu.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Danny Milosavljevic <dannym@scratchpost.org> writes: > Hi, > > core-updates' nss is not reproducible (commit > aebcbb27bc2f192cc06163251bab66a4ceb7b7d6). Is this issue only present on the 'core-updates' branch? There haven't been any changes to NSS on that branch compared to 'master' AFAIK.
[signature.asc (application/pgp-signature, inline)]
Merged 30108 33507 40316.
Request was from Björn Höfling <bjoern.hoefling@bjoernhoefling.de>
to control@debbugs.gnu.org.
(Tue, 31 Mar 2020 09:23:02 GMT) (full text, mbox, link).
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Tue, 31 Mar 2020 09:29:02 GMT) (full text, mbox, link).
Message #16 received at 40316@debbugs.gnu.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 30 Mar 2020 13:55:09 +0200 Marius Bakke <mbakke@fastmail.com> wrote: > Danny Milosavljevic <dannym@scratchpost.org> writes: > > > Hi, > > > > core-updates' nss is not reproducible (commit > > aebcbb27bc2f192cc06163251bab66a4ceb7b7d6). > > Is this issue only present on the 'core-updates' branch? There > haven't been any changes to NSS on that branch compared to 'master' > AFAIK. I haven't tried it on 'master', but I think it is branch-independent, people are only testing it on core-updates. This bug is over 2 years old with different versions of nss affected and the same three files not reproducible. And we had past core-updates mergers. I found and merged these reports: bug#30108: [core-updates] nss 3.34.1 not reproducible bug#33507: nss 3.39 output is not deterministic bug#40316: core-updates nss not reproducible Björn
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Tue, 18 May 2021 04:11:02 GMT) (full text, mbox, link).
Message #19 received at 40316@debbugs.gnu.org (full text, mbox, reply):
I am also getting the same four files that are not reproducible for nss
on the master branch.
As nss is also not reproducible on master maybe the title of this bug
should be changed to "nss not reproducible".
`guix describe` outputs:
```
Generation 24 May 12 2021 18:06:24 (current)
guix d6aeebb
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: d6aeebb23639258311fdfb9dbf5f903079fde51a
```
`guix challenge /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59`
outputs:
```
/gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59 contents differ:
local hash: 0pqq1v88yjj80sll4j4ahfh52zzqhvkjv3vgkhmnnikvl6vd5sck
https://ci.guix.gnu.org/nar/lzip/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59: 1smx41irpiy9kly3zvr0d61x7hwm0haggvyii34byzfypca1xn2f
differing files:
/lib/nss/libfreebl3.chk
/lib/nss/libsoftokn3.chk
/lib/nss/libfreeblpriv3.chk
/lib/nss/libnssdbm3.chk
1 store items were analyzed:
- 0 (0.0%) were identical
- 1 (100.0%) differed
- 0 (0.0%) were inconclusive
```
`guix challenge --diff=diffoscope
/gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59` outputs:
```
/gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59 contents differ:
local hash: 0pqq1v88yjj80sll4j4ahfh52zzqhvkjv3vgkhmnnikvl6vd5sck
https://ci.guix.gnu.org/nar/lzip/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59: 1smx41irpiy9kly3zvr0d61x7hwm0haggvyii34byzfypca1xn2f
--- /tmp/guix-directory.jSGCMh
+++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59
│ --- /tmp/guix-directory.jSGCMh/lib
├── +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib
│ │ --- /tmp/guix-directory.jSGCMh/lib/nss
│ ├── +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss
│ │ │ --- /tmp/guix-directory.jSGCMh/lib/nss/libfreebl3.chk
│ │ ├── +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libfreebl3.chk
│ │ │┄ xxd not available in path. Falling back to Python hexlify.
│ │ │ @@ -11,19 +11,19 @@
│ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
│ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
│ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
│ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
│ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
│ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
│ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
│ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010062
│ │ │ -d97f1f01f03e65f037c7fee3230c59c36d170cc30f23372fbc6eb28d9ec87008
│ │ │ -f07660714bb43d98a06734a1658ce721feab8b0ece03ee54cb45dbaee9cff57f
│ │ │ -9d9c0fac4a2d67f4f314423973a42819a9eceba758344ef4b304f1737ebe23a4
│ │ │ -e13aba8e9f88bec5c067d61a16a3dcb347789575f4cfa8629880f734ec3db9cc
│ │ │ -d963cee322fa2eba5172715eb19686e185ff13dfcf23eb7ed9338230f90b4b57
│ │ │ -8f7f3c3fb8e0e968d4625646f5fb0897c3e2400e5a5596f01f841f7e4946d406
│ │ │ -977e6adbce9113d027a38cd34942cf3158422b590c27b2731fd506c2326a2dbb
│ │ │ -1a363a864475bd8464282544cf46fe60e94d705cda2d34257c9e3cadc378fe00
│ │ │ -00004025839bed8e61fecf86f99135e9912ab62b5497dc33bdf2bbda445cf237
│ │ │ -bfd47c8b826ec02b6cac983765bedd1ae17a57827f6fe0af965a2538a2776388
│ │ │ -c14b6c
│ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010087
│ │ │ +37f4789b39e4bcbe32600d9a952265b9a8623a91658d6c5b5c7e8d42741219f2
│ │ │ +1f4d9e54994ffa87cc533d63273f7b7d24b63cc0415b62cd419656c63f5acf46
│ │ │ +688991664fc00c10740ab0cabbcdb639a9408b76c4cbf27827257fdd3aeaa526
│ │ │ +bb9425a9a8c55bb4d4a54e2d389de9561a61af754170bf640b8e23bc9c4c7945
│ │ │ +8cfdafc309c7737aa53d0fb451cc7476f73b04b4b5c6cfaeabc332d0478c8c5d
│ │ │ +bdde681ef55b30b669a106440c4676f5bf3454617d1707e710c0e426ee823ee1
│ │ │ +f1892576f4f4795e6e4fc040b9aab73d65ef132087fdaaba64fa8795a9eef4b6
│ │ │ +24700af69d0be0c2f86c1fbfc8a90cc0f50c0a90232cd3ce9f5987cf442d4b00
│ │ │ +0000405a720066a9593276d13e8b322c50381a926302d79ae6f571c5fcbbbefa
│ │ │ +71a9d259b7efa16aca52365e60baf1aef8904d28f9332d71b3fb3e8ecb30bcfb
│ │ │ +19053e
│ │ │ --- /tmp/guix-directory.jSGCMh/lib/nss/libfreeblpriv3.chk
│ │ ├── +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libfreeblpriv3.chk
│ │ │┄ xxd not available in path. Falling back to Python hexlify.
│ │ │ @@ -11,19 +11,19 @@
│ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
│ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
│ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
│ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
│ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
│ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
│ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
│ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001009a
│ │ │ -19ffb743e104ab34cda81d282b09c74ca73dab5baf4e5951814556e25fa92f09
│ │ │ -fbb06af5f80893a2c4fb0295ef23c2e8302fc238fda3f3d582c9d3e8c062ae8a
│ │ │ -e18dc7a48a1d9e97fc4d21e11abaeb7c98495f478affc6866742c48090d44b09
│ │ │ -a5832f4648b1d165de42e279df2d1512bfe47dffffb65f0c543a6c92cfe8beed
│ │ │ -3fa84456e6eef833bd675d04846d630eed817bfd153377745d5c6244e2f913ef
│ │ │ -17a2b360bebd6f9a0fcbb24ed86e2d59ae5f28df2632518390d7e2f75a2da2fe
│ │ │ -2bebf06b7d095a60282a93c38da54ae19625630aac1c4755339a047213ed98e9
│ │ │ -91ad52e2723789c34498a0d0eb78055949383ab3a583363c653c5ef89a0c0200
│ │ │ -000040862ab0814d947cfb3bf2cf74720e14c633e910a7d3d4d7a81364505701
│ │ │ -c3c2c785f6f3804f8aa0de63449bc436f1eb9a4ce187392103de463caec69431
│ │ │ -bffb74
│ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010038
│ │ │ +5f7f605095448c566ae24ab5677dd5ff8519a2564d09c3550608f860b12d8e84
│ │ │ +a4e5b87752d9bc32caba6bd53d181776624e22a217d9c7567a4556bcb316a13e
│ │ │ +1ecf3d2aa360477073f1fa1d376704668122ec75d1d6177cd0368610d4c1c098
│ │ │ +1ca41b0fdd1a188bf4940a5b0773e9c7178cd4141032d9f3bca8f77c480884f6
│ │ │ +7a30ba559fcf7547abf80840bb0b42e7c3bb47bf3f064e20c827ce0b0ce48c8f
│ │ │ +f7ecb9f513589edd858a5e5a3441b12e10a8bb61c93c3cf33d04c518804dcc27
│ │ │ +7a9d0df213922ff752f8ea4cba6fb0f5ba8acb57dcf02d3746a7cc588b1362a8
│ │ │ +2f7c7077399e18536ca1540e2a868780605dc4bf518a2c86dd2bc904df989f00
│ │ │ +0000404547c764e3ab6f499e0ea3656a9332f2da71506a1a5178d4828657682a
│ │ │ +c5f3f65eaf7212c1a7e41438bb48524eb5e1eff3d87080f1339c5d3e99369d56
│ │ │ +ebc5fd
│ │ │ --- /tmp/guix-directory.jSGCMh/lib/nss/libnssdbm3.chk
│ │ ├── +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libnssdbm3.chk
│ │ │┄ xxd not available in path. Falling back to Python hexlify.
│ │ │ @@ -11,19 +11,19 @@
│ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
│ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
│ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
│ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
│ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
│ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
│ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
│ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001002e
│ │ │ -21ad266d676e56ae5ccc227879f1c1c6b9b6dd83eb7446a82f5a18bb09a4d252
│ │ │ -4cb3f635179b88fdab69e30efbc1684d7bcd5f24b3c6c70a14b998b19c7af1a0
│ │ │ -d3d79f75d2f3fd00a2fe19bfdcef007b67c2004f0571f670887e1f8ac7d1bf5d
│ │ │ -3dea50a0117efd7ff049d41ee286e642a0fe43256d77146324ab6ce8a83ef8c4
│ │ │ -9807d016f639f5ceb6f427062f5201e51e7776bb6463d89f9afeddbc7a9a28ee
│ │ │ -653be542425efa441a6815238c5898d33d76b9e44ceb7353e98927bb2935e025
│ │ │ -953cd7649241efaf3edbb5eed3abb7826c837dbbf2aaf1e1d9d2ee72dee0b3b5
│ │ │ -0d872cd2eb74969baa23c186b00fa87b4951ae0eb3fa867fb6462fad73154800
│ │ │ -0000403e373b8324248b0d53ba133dda29283d13350324847164c5ab29024678
│ │ │ -03611368137b58211456ce78c50968bd1233758422d591805c87d25b64a5abda
│ │ │ -09dda9
│ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001005b
│ │ │ +7a928e5d253ed22eb50a37023609db35ebab0672812f924d3ea7b74be43f26d5
│ │ │ +bc93ef30cd96d39daad0ab6eb98efab9047dcc73fa7b7dae259dc6a3f43255be
│ │ │ +e519afbb0a727b75247fc078fa22c0f1c716655c99e30b24867974959b52179d
│ │ │ +92d2b9bee276208c7ae5707975c55eea7125d83929709f5e63b6172e389a4858
│ │ │ +6d10c85f501882a285a476692f97247993f4aef2243b803b36528fc26d384503
│ │ │ +4437d3107e853f1d05a02f411e7e609ef720ff7bc299575d8840faaa40d33ddd
│ │ │ +b58f03a0669be967bc8021dfea2bbce37ae23b3c929ff98396d12a84e0634834
│ │ │ +1b80442fbbd9f7dcdda35dea83d1092c5ccc1ac2980bd0f3233bc82cbf165300
│ │ │ +00004030d6ccc46ba7ac1abdce687718962041cf98cb55787191130175f9e0d1
│ │ │ +ab8b2c610437f4e7a11d220d5989c3868d6db6257ab841d80ffcbff56d3b268c
│ │ │ +5abbee
│ │ │ --- /tmp/guix-directory.jSGCMh/lib/nss/libsoftokn3.chk
│ │ ├── +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libsoftokn3.chk
│ │ │┄ xxd not available in path. Falling back to Python hexlify.
│ │ │ @@ -11,19 +11,19 @@
│ │ │ 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
│ │ │ 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
│ │ │ 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
│ │ │ a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
│ │ │ 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
│ │ │ d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
│ │ │ 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
│ │ │ -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001001e
│ │ │ -24d85331677aae2d94bd05a1efc093d260c20de07d57ee8c503956067275acf3
│ │ │ -0059cbab61581aa1c386dba534f268f96c5b9f802ef57311f7fa53915e8018b6
│ │ │ -d31abcd81c84f23d134ebe15127011e75cbbcaa809f6ca2d47f6ff67c3d02e8f
│ │ │ -5984d85463d458e3b35b9c35a1355fe4fae0709dd303eb4481809e10d8ce7ac0
│ │ │ -83ac85be99af4ce33520874f101665e0e77e7436ee6423cf82d4a8924aa53e51
│ │ │ -d21d7766aa5665041c4d4ef75fddce637a754ca42941cf986e1bbce60012bc1a
│ │ │ -5666674075c199c128048bcaee9dd35cb7e7248f553047c90e8e98511aeda17f
│ │ │ -2c75e8280037910e500c7e03c7bc935a7ad8d719484ff45bba3393e672c92500
│ │ │ -0000400605c2755588373f9f857d000b231c6d59cc6d0b1b08eb3f07a2b09cf7
│ │ │ -9a980124839b4bf70a8f3759f4e72fabc28550469f353451c570eb7b4efeebb2
│ │ │ -a15a6a
│ │ │ +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010011
│ │ │ +b0342b5cad4140db9fa893b68d1c5f3834c1cee9f95edc9b57a7968ec0c4ec2d
│ │ │ +18ccded167b847137ec4b8361aa1e782ccd0797b4401382f5d120848b67930be
│ │ │ +07389e0f52dda5f812d7462197594b4e86df50adedafbc57dc4e3160e09b8437
│ │ │ +4570899257469c8e97d46d40fe0801d906dfe8bdc611a953b2d0690a0e1d6dc8
│ │ │ +5c7699f30dee70856a6627847e08a710db7432e29b33474358005a53dfa5fa95
│ │ │ +f23817dda29c64694119e48e7a9b2a428d5afc42c43dafe78994cde0f065b7b9
│ │ │ +eca4ee565767ac13fe183cbac6c85002210e67ad8c5635c5bfde812c702b234a
│ │ │ +1dc530f5ff737c7ca25224e7375e35077874a999921570273afab1eb91f96200
│ │ │ +00004053356da884e81a92cd25fdea9dbd9137990a4e354d1421d50100bb7e56
│ │ │ +934dc868d7b5b00f1a9b470ca3c27379af91e9695c8fdab671a160b6272f9276
│ │ │ +d1fe04
1 store items were analyzed:
- 0 (0.0%) were identical
- 1 (100.0%) differed
- 0 (0.0%) were inconclusive
```
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 07 Mar 2024 22:18:01 GMT) (full text, mbox, link).
Message #22 received at 40316@debbugs.gnu.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
retitle 40316 nss not reproducible
thanks
Still an issue on master as of d29e5a83e887cd2f4f459a12cbbfc40c77e55ce2:
guix challenge --verbose --diff=simple nss
guix challenge: warning: could not determine current substitute URLs; using defaults
/gnu/store/mc9gdsm0cqpyd2522f5xghdl59p1l35r-nss-3.88.1 contents differ:
no local build for '/gnu/store/mc9gdsm0cqpyd2522f5xghdl59p1l35r-nss-3.88.1'
https://ci.guix.gnu.org/nar/lzip/mc9gdsm0cqpyd2522f5xghdl59p1l35r-nss-3.88.1: 18xvq9cb7y2hajixnkk24bh969px0h5289hgby484iyg3x73sagp
https://bordeaux.guix.gnu.org/nar/lzip/mc9gdsm0cqpyd2522f5xghdl59p1l35r-nss-3.88.1: 0pnmzsy7m34v51qxpi4lrj2a9m7l19prldabwad8gx24gih4irah
differing files:
/lib/nss/libfreebl3.chk
/lib/nss/libfreeblpriv3.chk
/lib/nss/libnssdbm3.chk
/lib/nss/libsoftokn3.chk
1 store items were analyzed:
- 0 (0.0%) were identical
- 1 (100.0%) differed
- 0 (0.0%) were inconclusive
According to the notes in Debian, this is due to cryptographic
signatures performed at build time:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/nss.html
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Changed bug title to 'nss not reproducible' from 'core-updates nss not reproducible'
Request was from Vagrant Cascadian <vagrant@reproducible-builds.org>
to control@debbugs.gnu.org.
(Thu, 07 Mar 2024 22:18:02 GMT) (full text, mbox, link).
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Tue, 23 Apr 2024 12:44:02 GMT) (full text, mbox, link).
Message #27 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi, Confirmed nss doesn't build reproducibly on current core-updates branch. Also looks like it needs an update to 3.99 Steve / Futurile
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 25 Apr 2024 14:08:05 GMT) (full text, mbox, link).
Message #30 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi Steve,
> It would be good to confirm this one:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
Still fails to reproduce with those changes applied.
The culprit is in nss/cmd/shlibsign/shlibsign.c:
shlibSignHMAC generates a new key-pair each time it's run:
/* Generate a DSA key pair */
logIt("Generate an HMAC key ... \n");
crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
hmacKeyTemplate,
PR_ARRAY_SIZE(hmacKeyTemplate),
&hHMACKey);
Three options:
1. Disable library signing entirely.
2. Seed the generation to be deterministic.
3. Drop in a HMAC key-pair and patch the code to use that instead of
generating.
2 and 3 defeat the point of the cryptographically secure supply chain as
the private key can be obtained deterministically, so my vote would be
simply to not sign the libraries (1), which would be easier to
maintain. We're not the primary distributor and users can verify our
distribution of nss by running `guix challenge` anyway.
> It looks like Zhen Junjie applied two patches to fix NSS cross-compilation on Master [0]
Building everything cross-compiled to ARM now.
Kind regards,
Christina
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 25 Apr 2024 17:03:10 GMT) (full text, mbox, link).
Message #33 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi,
I believe I have a fix for this, I'm just waiting on my machine to hurry
up and confirm it, might end up running over night, then I'll send my
patch up.
I'm doing two native builds and two cross-builds.
I've also updated to 3.99.
Kind regards,
Christina
On 25/04/2024 15:06, Christina O'Donnell wrote:
> Hi Steve,
>
>> It would be good to confirm this one:
>>
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
>
> Still fails to reproduce with those changes applied.
>
> The culprit is in nss/cmd/shlibsign/shlibsign.c:
>
> shlibSignHMAC generates a new key-pair each time it's run:
>
> /* Generate a DSA key pair */
> logIt("Generate an HMAC key ... \n");
> crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
> hmacKeyTemplate,
> PR_ARRAY_SIZE(hmacKeyTemplate),
> &hHMACKey);
>
> Three options:
> 1. Disable library signing entirely.
> 2. Seed the generation to be deterministic.
> 3. Drop in a HMAC key-pair and patch the code to use that instead of
> generating.
>
> 2 and 3 defeat the point of the cryptographically secure supply chain
> as the private key can be obtained deterministically, so my vote would
> be simply to not sign the libraries (1), which would be easier to
> maintain. We're not the primary distributor and users can verify our
> distribution of nss by running `guix challenge` anyway.
>
>> It looks like Zhen Junjie applied two patches to fix NSS
>> cross-compilation on Master [0]
>
> Building everything cross-compiled to ARM now.
>
> Kind regards,
>
> Christina
>
>
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 21:35:06 GMT) (full text, mbox, link).
Message #36 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi,
I've got as far as making nss 3.98 reproducible, however updating it to 3.99
results in 51 test failures. These are regressions, and worked correctly for
3.98. I'm not entirely sure what the issue is, but I've run out of time to
debug it this week, so I'm sending this patch up as is.
Up to patch 3 build correctly. Patch 4 is the first one that fails.
The issue specifically seems to all be related to FIPS:
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has
occurred with the token or slot.
If someone could take a look at this and see if there's anything I've missded
then I'd appreciate that. Otherwise I'm free to pick it back up again on
Tuesday.
Let me know if you have any questions.
Kind regards,
Christina
Christina O'Donnell (4):
gnu: nss: Make reproducible.
gnu: nss: Update to 3.99.
gnu: nss-certs: Update to 3.99.
WIP: nss: Attempting to resolve FIPS regression.
Zheng Junjie (2):
gnu: nss: Fix cross-compilation.
gnu: nspr: Fix cross-compilation.
gnu/packages/certs.scm | 24 +++++--
gnu/packages/nss.scm | 30 +++++++--
.../patches/nss-Disable-library-signing.patch | 67 +++++++++++++++++++
3 files changed, 111 insertions(+), 10 deletions(-)
create mode 100644 gnu/packages/patches/nss-Disable-library-signing.patch
base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 21:35:10 GMT) (full text, mbox, link).
Message #39 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/patches/nss-Disable-library-signing.patch: Disable library
signing to make the build reproducible.
gnu/packages/nss.scm (nss): Apply this new patch.
Change-Id: I7860bae219ecc4a79423a590c27a1097ae2e7874
---
gnu/packages/nss.scm | 3 +-
.../patches/nss-Disable-library-signing.patch | 67 +++++++++++++++++++
2 files changed, 69 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-Disable-library-signing.patch
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f373..b608a995577 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,8 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch
new file mode 100644
index 00000000000..b488d29dcad
--- /dev/null
+++ b/gnu/packages/patches/nss-Disable-library-signing.patch
@@ -0,0 +1,67 @@
+From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001
+Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Thu, 25 Apr 2024 16:35:50 +0100
+Subject: [PATCH] nss: Disable library signing.
+
+---
+ nss/cmd/shlibsign/Makefile | 32 +-------------------------------
+ 1 file changed, 1 insertion(+), 31 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/Makefile b/nss/cmd/shlibsign/Makefile
+index a119205..7a85c1d 100644
+--- a/nss/cmd/shlibsign/Makefile
++++ b/nss/cmd/shlibsign/Makefile
+@@ -43,22 +43,9 @@ EXTRA_SHARED_LIBS += \
+
+ endif
+
+-
+-# sign any and all shared libraries that contain the word freebl
+-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++# Disable library signing as it's non-deterministic
+ CHECKLIBS =
+ CHECKLOC =
+-else
+-CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
+-CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
+-ifndef NSS_DISABLE_DBM
+-CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
+-endif
+-CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
+-
+-MD_LIB_RELEASE_FILES = $(CHECKLOC)
+-ALL_TRASH += $(CHECKLOC)
+-endif
+
+ #######################################################################
+ # (5) Execute "global" rules. (OPTIONAL) #
+@@ -78,23 +65,6 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+
+ include ../platrules.mk
+
+-SRCDIR = $(call core_abspath,.)
+-
+-%.chk: %.$(DLL_SUFFIX)
+-ifeq ($(OS_TARGET), OS2)
+- cd $(OBJDIR) ; cmd.exe /c $(SRCDIR)/sign.cmd $(DIST) \
+- $(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
+- $(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+-else
+- ifeq ($(CROSS_COMPILE),1)
+- # do nothing
+- else
+- cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \
+- $(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
+- $(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+- endif
+-endif
+-
+ libs: install
+ ifdef CHECKLOC
+ $(MAKE) $(CHECKLOC)
+
+base-commit: 2951778f8e8855bed24754a57ecc43f02a2843dd
+--
+2.41.0
+
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 21:35:14 GMT) (full text, mbox, link).
Message #42 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.
Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead8..459e53bc1cf 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 21:35:19 GMT) (full text, mbox, link).
Message #45 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.
Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1cf..0baafe2f373 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 21:35:24 GMT) (full text, mbox, link).
Message #48 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/nss.scm (nss): Update to 3.99.
Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index b608a995577..80667d8affe 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 21:35:27 GMT) (full text, mbox, link).
Message #51 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.
Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d11..7aa96493fbe 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 21:35:29 GMT) (full text, mbox, link).
Message #54 received at 40316@debbugs.gnu.org (full text, mbox, reply):
There are 51 new test failures which all appear to be related to FIPS.
For example:
modutil -dbdir /tmp/guix-build-nss-3.99.drv-0/nss-3.99/tests_results/security/localhost.1/fips -fips true
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
ERROR: Unable to switch FIPS modes.
cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (11) - FAILED
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate failed 11
Change-Id: If0d57bb9e129eb862fae1a28d9779c6100e0a23d
---
gnu/packages/nss.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 80667d8affe..a8fb6965c2c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -134,6 +134,10 @@ (define-public nss
(delete-file-recursively "nss/lib/sqlite")))))
(build-system gnu-build-system)
(outputs '("out" "bin"))
+ ;; (search-paths
+ ;; (list (search-path-specification
+ ;; (variable "LD_LIBRARY_PATH")
+ ;; (files '("lib")))))
(arguments
(list
#:make-flags
@@ -161,12 +165,15 @@ (define-public nss
#$@(if (%current-target-system)
#~("CROSS_COMPILE=1")
#~())
+ (string-append "NSS_FORCE_FIPS=1")
+ (string-append "NSPR_LIB_DIR="
+ (string-append #$nspr "/lib"))
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
;; Add $out/lib/nss to RPATH.
(string-append "RPATH=" rpath)
- (string-append "LDFLAGS=" rpath)))
+ (string-append "LDFLAGS=" rpath " -L" #$nspr "/lib")))
#:modules '((guix build gnu-build-system)
(guix build utils)
(ice-9 ftw)
@@ -203,6 +210,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+ ;; (setenv "LD_LIBRARY_PATH"
+ ;; (string-append (getenv "LD_LIBRARY_PATH")))
;; The "PayPalEE.cert" certificate expires every six months,
;; leading to test failures:
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Fri, 26 Apr 2024 23:00:11 GMT) (full text, mbox, link).
Message #57 received at 40316@debbugs.gnu.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 2024-04-26, Christina O'Donnell wrote: > gnu/packages/patches/nss-Disable-library-signing.patch: Disable library > signing to make the build reproducible. > gnu/packages/nss.scm (nss): Apply this new patch. Nice! > diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch > new file mode 100644 > index 00000000000..b488d29dcad > --- /dev/null > +++ b/gnu/packages/patches/nss-Disable-library-signing.patch > @@ -0,0 +1,67 @@ > +From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001 > +Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org> > +From: Christina O'Donnell <cdo@mutix.org> > +Date: Thu, 25 Apr 2024 16:35:50 +0100 > +Subject: [PATCH] nss: Disable library signing. > + > +--- > + nss/cmd/shlibsign/Makefile | 32 +------------------------------- > + 1 file changed, 1 insertion(+), 31 deletions(-) I think it would be good to explain why this patch is included, not just in the git commit message, but in the patch comments itself. I realize the patch actually includes a comment about non-determinism, but it is a bit lost in the diff. Also, might be worth briefly explaining why disabling this feature is unlikely to break anything, etc. Curious if there might be some way to leave most of the code in place, disable it... otherwise on version updates it is more likely to result in conflicts with even minor changes... live well, vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 08:17:02 GMT) (full text, mbox, link).
Message #60 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi Christina, Nice work! Christina O'Donnell <cdo@mutix.org> skribis: > I've got as far as making nss 3.98 reproducible, however updating it to 3.99 > results in 51 test failures. These are regressions, and worked correctly for > 3.98. I'm not entirely sure what the issue is, but I've run out of time to > debug it this week, so I'm sending this patch up as is. Not sure if this is related, but we’re seeing test failures due to timing issues right now with 3.98: https://issues.guix.gnu.org/70693 Thank you! Ludo’.
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 11:02:01 GMT) (full text, mbox, link).
Message #63 received at 40316@debbugs.gnu.org (full text, mbox, reply):
This patch series is an incomplete attempt to make nss reproducible. Currently this fails 4 tests due to NSS_FIPS_DISABLED not being respected. Christina O'Donnell (4): gnu: nss: Update to 3.99. gnu: nss-certs: Update to 3.99. gnu: nss: Attempt to disable FIPS. gnu: nss: Disable FIPS in lowhashtest. Zheng Junjie (2): gnu: nss: Fix cross-compilation. gnu: nspr: Fix cross-compilation. gnu/packages/certs.scm | 24 +++++++++++--- gnu/packages/nss.scm | 27 ++++++++++++--- .../nss-disable-fips-in-lowhashtest.patch | 28 ++++++++++++++++ .../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++ 4 files changed, 102 insertions(+), 10 deletions(-) create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8 -- 2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 11:02:02 GMT) (full text, mbox, link).
Message #66 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.
Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 11:02:02 GMT) (full text, mbox, link).
Message #69 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/nss.scm (nss): Update to 3.99.
Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+ (invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 11:02:02 GMT) (full text, mbox, link).
Message #72 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.
Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 11:02:03 GMT) (full text, mbox, link).
Message #75 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.
Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 11:02:03 GMT) (full text, mbox, link).
Message #78 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is inherently
non-determinstic.
This patch is an incomplete attempt to get the tests to succeed by disabling
inapplicable tests, i.e. tests that depend on FIPS.
I have passed NSS_FIPS_DISABLED=1 to the Makefile however it seems to be
ignoring it for no logical reason.
Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
---
gnu/packages/nss.scm | 8 ++++-
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
2 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..08e4cb06ee 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,8 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-disable-shlibsign.patch"))
(modules '((guix build utils)))
(snippet
'(begin
@@ -141,6 +142,9 @@ (define-public nss
(string-append "PREFIX=" #$output)
"NSDISTMODE=copy"
"NSS_USE_SYSTEM_SQLITE=1"
+ ;; No FIPS because it adds non-determinism.
+ "NSS_FIPS_DISABLED=1"
+ "NSS_NO_INIT_SUPPORT=1"
;; The gtests fail to compile on riscv64.
;; Skipping them doesn't affect the test suite.
#$@(if (target-riscv64?)
@@ -202,6 +206,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+ (setenv "NSS_CYCLES" "standard")
+ (setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy")
;; The "PayPalEE.cert" certificate expires every six months,
;; leading to test failures:
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 0000000000..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
++++ b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+- echo "${2}"/shlibsign -v -i "${5}"
+- "${2}"/shlibsign -v -i "${5}"
++ # Disable lib signing as it generates its keys through a non-deterministic
++ # process.
++ # echo "${2}"/shlibsign -v -i "${5}"
++ # "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+--
+2.41.0
+
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 11:02:04 GMT) (full text, mbox, link).
Message #81 received at 40316@debbugs.gnu.org (full text, mbox, reply):
* gnu/packages/nss.scm (nss): Disable FIPS in lowhashtests.
This is required as FIPS is inherently non-deterministic, making the build no
longer reproducible.
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
---
gnu/packages/nss.scm | 3 +-
.../nss-disable-fips-in-lowhashtest.patch | 28 +++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 08e4cb06ee..02081c32e1 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -125,7 +125,8 @@ (define-public nss
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
"nss-increase-test-timeout.patch"
- "nss-disable-shlibsign.patch"))
+ "nss-disable-shlibsign.patch"
+ "nss-disable-fips-in-lowhashtest.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch b/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
new file mode 100644
index 0000000000..c8fc1e7e7a
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
@@ -0,0 +1,28 @@
+From f32bd353c5b741d6da5811fd40681dda80799bfb Mon Sep 17 00:00:00 2001
+Message-ID: <f32bd353c5b741d6da5811fd40681dda80799bfb.1714591857.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 20:30:15 +0100
+Subject: [PATCH] nss: Disable FIPS in lowhashtest.
+
+---
+ nss/tests/lowhash/lowhash.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/tests/lowhash/lowhash.sh b/nss/tests/lowhash/lowhash.sh
+index 2984b9b..9dcc89b 100755
+--- a/nss/tests/lowhash/lowhash.sh
++++ b/nss/tests/lowhash/lowhash.sh
+@@ -63,7 +63,7 @@ lowhash_test()
+ else
+ TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
+ OLD_MODE=`echo ${NSS_FIPS}`
+- for fips_mode in 0 1; do
++ for fips_mode in 0; do
+ echo "lowhashtest with fips mode=${fips_mode}"
+ export NSS_FIPS=${fips_mode}
+ for TEST in ${TESTS}
+
+base-commit: 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0
+--
+2.41.0
+
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 12:35:01 GMT) (full text, mbox, link).
Message #84 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is inherently
non-determinstic. This removes all non-determinism from this package.
Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1
---
gnu/packages/nss.scm | 6 +++-
.../nss-define-NSS_FIPS_DISABLED.patch | 29 ++++++++++++++++
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
3 files changed, 67 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..404baaf550 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,9 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-disable-shlibsign.patch"
+ "nss-define-NSS_FIPS_DISABLED.patch"))
(modules '((guix build utils)))
(snippet
'(begin
@@ -202,6 +204,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+ (setenv "NSS_CYCLES" "standard")
+ (setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy")
;; The "PayPalEE.cert" certificate expires every six months,
;; leading to test failures:
diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
new file mode 100644
index 0000000000..40ac66e365
--- /dev/null
+++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
@@ -0,0 +1,29 @@
+From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001
+Message-ID: <e89a33daac982107421117ad95ae8443ef316079.1714649801.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Thu, 2 May 2024 12:34:40 +0100
+Subject: [PATCH] Define NSS_FIPS_DISABLED.
+
+Disable FIPS as it depends on shlibsign which is non-deterministic.
+---
+ nss/coreconf/config.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 741bbee..e02e5d2 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -215,7 +215,7 @@ endif
+ # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+-DEFINES += -DNSS_NO_INIT_SUPPORT
++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+
+base-commit: 490a62da7d23b579fab71a84e2107f414187738d
+--
+2.41.0
+
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 0000000000..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
++++ b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+- echo "${2}"/shlibsign -v -i "${5}"
+- "${2}"/shlibsign -v -i "${5}"
++ # Disable lib signing as it generates its keys through a non-deterministic
++ # process.
++ # echo "${2}"/shlibsign -v -i "${5}"
++ # "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+--
+2.41.0
+
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 12:35:02 GMT) (full text, mbox, link).
Message #87 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/nss.scm (nss): Update to 3.99.
Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+ (invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 12:35:02 GMT) (full text, mbox, link).
Message #90 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.
Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 12:35:03 GMT) (full text, mbox, link).
Message #93 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.
Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 12:35:03 GMT) (full text, mbox, link).
Message #96 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.
Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 12:44:02 GMT) (full text, mbox, link).
Message #99 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi, Please disregard my v2 patch. I now see where I went wrong and it's now working as expected on my machine. I've sent an updated (v3) patch which builds successfully on x86_64, though I haven't yet tried cross-compiling or confirmed that it's still building reproducibly. Sorry for the noise. Christina On 02/05/2024 12:00, Christina O'Donnell wrote: > This patch series is an incomplete attempt to make nss reproducible. Currently > this fails 4 tests due to NSS_FIPS_DISABLED not being respected. > > Christina O'Donnell (4): > gnu: nss: Update to 3.99. > gnu: nss-certs: Update to 3.99. > gnu: nss: Attempt to disable FIPS. > gnu: nss: Disable FIPS in lowhashtest. > > Zheng Junjie (2): > gnu: nss: Fix cross-compilation. > gnu: nspr: Fix cross-compilation. > > gnu/packages/certs.scm | 24 +++++++++++--- > gnu/packages/nss.scm | 27 ++++++++++++--- > .../nss-disable-fips-in-lowhashtest.patch | 28 ++++++++++++++++ > .../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++ > 4 files changed, 102 insertions(+), 10 deletions(-) > create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch > create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch > > > base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 12:53:02 GMT) (full text, mbox, link).
Message #102 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi Vagrant, On 26/04/2024 23:58, Vagrant Cascadian wrote: > On 2024-04-26, Christina O'Donnell wrote: >> gnu/packages/patches/nss-Disable-library-signing.patch: Disable library >> signing to make the build reproducible. >> gnu/packages/nss.scm (nss): Apply this new patch. > Nice! I have reordered my commits to first update to 3.99, before making nss reproducible. The more This is similar to the approach that Nix takes, though Nix adds a parameter that enables FIPS and shlibsign again. Is it worth adding a parameter to re-enable FIPS? >> diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch >> new file mode 100644 >> index 00000000000..b488d29dcad >> --- /dev/null >> +++ b/gnu/packages/patches/nss-Disable-library-signing.patch >> @@ -0,0 +1,67 @@ >> +From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001 >> +Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org> >> +From: Christina O'Donnell <cdo@mutix.org> >> +Date: Thu, 25 Apr 2024 16:35:50 +0100 >> +Subject: [PATCH] nss: Disable library signing. >> + >> +--- >> + nss/cmd/shlibsign/Makefile | 32 +------------------------------- >> + 1 file changed, 1 insertion(+), 31 deletions(-) > I think it would be good to explain why this patch is included, not just > in the git commit message, but in the patch comments itself. I realize > the patch actually includes a comment about non-determinism, but it is a > bit lost in the diff. Okay I've added a description to the v3 patch. > Also, might be worth briefly explaining why disabling this feature is > unlikely to break anything, etc. I was actually wrong wrong about this on my v1 patch, that did break the FIPS tests. However disabling FIPS is what Nix does by default and all other tests pass without it. I have noticed that Nix parameterizes on whether FIPS is enabled so users can re-enable FIPS if they need it for their use-cases. Is it worth doing something similar here, or would that add too much complexity? > Curious if there might be some way to leave most of the code in place, > disable it... otherwise on version updates it is more likely to result > in conflicts with even minor changes... I've shrunk the patches to be a few lines each. Kind regards, Christina > live well, > vagrant
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 15:17:01 GMT) (full text, mbox, link).
Message #105 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.
Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 15:18:02 GMT) (full text, mbox, link).
Message #108 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/nss.scm (nss): Update to 3.99.
Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+ (invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 15:18:02 GMT) (full text, mbox, link).
Message #111 received at 40316@debbugs.gnu.org (full text, mbox, reply):
This patch-set is a slight modification of the previous one with a single change: In the last commit, I have removed the specification of test parameters that previously reduced the number of tests. This wasn't justified in the commit message and turned out to be unnecessary anyway. Christina O'Donnell (3): gnu: nss: Update to 3.99. gnu: nss-certs: Update to 3.99. gnu: nss: Make reproducible. Zheng Junjie (2): gnu: nss: Fix cross-compilation. gnu: nspr: Fix cross-compilation. gnu/packages/certs.scm | 24 +++++++++++--- gnu/packages/nss.scm | 22 ++++++++++--- .../nss-define-NSS_FIPS_DISABLED.patch | 29 ++++++++++++++++ .../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++ 4 files changed, 98 insertions(+), 10 deletions(-) create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8 -- 2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 15:18:03 GMT) (full text, mbox, link).
Message #114 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is inherently
non-determinstic. This removes all non-determinism from this package.
Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1
---
gnu/packages/nss.scm | 4 ++-
.../nss-define-NSS_FIPS_DISABLED.patch | 29 ++++++++++++++++
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
3 files changed, 65 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..ecc1c5156b 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,9 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-disable-shlibsign.patch"
+ "nss-define-NSS_FIPS_DISABLED.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
new file mode 100644
index 0000000000..40ac66e365
--- /dev/null
+++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
@@ -0,0 +1,29 @@
+From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001
+Message-ID: <e89a33daac982107421117ad95ae8443ef316079.1714649801.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Thu, 2 May 2024 12:34:40 +0100
+Subject: [PATCH] Define NSS_FIPS_DISABLED.
+
+Disable FIPS as it depends on shlibsign which is non-deterministic.
+---
+ nss/coreconf/config.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 741bbee..e02e5d2 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -215,7 +215,7 @@ endif
+ # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+-DEFINES += -DNSS_NO_INIT_SUPPORT
++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+
+base-commit: 490a62da7d23b579fab71a84e2107f414187738d
+--
+2.41.0
+
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 0000000000..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
++++ b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+- echo "${2}"/shlibsign -v -i "${5}"
+- "${2}"/shlibsign -v -i "${5}"
++ # Disable lib signing as it generates its keys through a non-deterministic
++ # process.
++ # echo "${2}"/shlibsign -v -i "${5}"
++ # "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+--
+2.41.0
+
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 15:18:03 GMT) (full text, mbox, link).
Message #117 received at 40316@debbugs.gnu.org (full text, mbox, reply):
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.
Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 15:18:04 GMT) (full text, mbox, link).
Message #120 received at 40316@debbugs.gnu.org (full text, mbox, reply):
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.
Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Thu, 02 May 2024 15:22:02 GMT) (full text, mbox, link).
Message #123 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi Ludo', This doesn't look directly related. I haven't seen anything like this occur when I build it. Tangentially, given how long nss takes to build, do you think that it'd be worth shaving it down to a single test pass? Currently it runs each test up to 3 times, which takes ~1h on my machine with no other build running. Running only the standard pass takes 2.5-3x less time, which is a huge quality of life improvement. Kind regards, Christina On 02/05/2024 09:15, Ludovic Courtès wrote: > Hi Christina, > > Nice work! > > Christina O'Donnell <cdo@mutix.org> skribis: > >> I've got as far as making nss 3.98 reproducible, however updating it to 3.99 >> results in 51 test failures. These are regressions, and worked correctly for >> 3.98. I'm not entirely sure what the issue is, but I've run out of time to >> debug it this week, so I'm sending this patch up as is. > Not sure if this is related, but we’re seeing test failures due to > timing issues right now with 3.98: > > https://issues.guix.gnu.org/70693 > > Thank you! > > Ludo’.
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Sun, 05 May 2024 09:05:02 GMT) (full text, mbox, link).
Message #126 received at submit@debbugs.gnu.org (full text, mbox, reply):
Building nss on my Talos II takes a long time, I did not test weather it is reproducible. It seems that there are no binaries from the build farm. Alex
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Mon, 06 May 2024 10:13:01 GMT) (full text, mbox, link).
Message #129 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi, Christina O'Donnell <cdo@mutix.org> skribis: > Tangentially, given how long nss takes to build, do you think that > it'd be worth shaving it down to a single test pass? Currently it runs > each test up to 3 times, which takes ~1h on my machine with no other > build running. Running only the standard pass takes 2.5-3x less time, > which is a huge quality of life improvement. Currently we run ./nss/tests/all.sh, which I suppose is what upstream recommends to run tests. For sure I’d be happy if the test suite could run faster, but does upstream offer such an option? When you say “a single pass”, is that something upstream supports? Thanks, Ludo’.
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Mon, 06 May 2024 11:39:01 GMT) (full text, mbox, link).
Message #132 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi, On 06/05/2024 11:12, Ludovic Courtès wrote: > Hi, > > Christina O'Donnell <cdo@mutix.org> skribis: > >> Tangentially, given how long nss takes to build, do you think that >> it'd be worth shaving it down to a single test pass? Currently it runs >> each test up to 3 times, which takes ~1h on my machine with no other >> build running. Running only the standard pass takes 2.5-3x less time, >> which is a huge quality of life improvement. > Currently we run ./nss/tests/all.sh, which I suppose is what upstream > recommends to run tests. > > For sure I’d be happy if the test suite could run faster, but does > upstream offer such an option? When you say “a single pass”, is that > something upstream supports? Yes, you can control the tests by setting environment variables NSS_TESTS to a list of tests and NSS_CYCLES to a list of 'cycles' (what I previously called passes). The default is: "standard pkix threadunsafe" * 'standard' runs all of the below tests with default settings: "cipher lowhash cert dbtests tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy" * 'pkix' runs the tests "lowhash libpkix cert tools ssl ocsp pkits ec gtests ssl_gtests policy" with PKIX enabled. * 'thread_unsafe' runs "ssl ssl_gtests" with "THREAD_UNSAFE" enabled. My thinking would be to run the thread_unsafe cycle normally, but to reduce the test overlap between standard and pkix however, I can't say that I'm knowledgeable enough of NSS to claim that that wouldn't leave gaps that might bite us some point down the line. So it might be best to leave it as is unless someone familiar with NSS can confirm that it'd be safe to disable some tests/cycles. Kind regards, Christina
Information forwarded
to bug-guix@gnu.org:
bug#40316; Package guix.
(Tue, 14 May 2024 09:17:02 GMT) (full text, mbox, link).
Message #135 received at 40316@debbugs.gnu.org (full text, mbox, reply):
Hi, Christina O'Donnell <cdo@mutix.org> skribis: > On 06/05/2024 11:12, Ludovic Courtès wrote: [...] >> For sure I’d be happy if the test suite could run faster, but does >> upstream offer such an option? When you say “a single pass”, is that >> something upstream supports? > Yes, you can control the tests by setting environment variables > NSS_TESTS to a list of tests and NSS_CYCLES to a list of 'cycles' > (what I previously called passes). The default is: > > "standard pkix threadunsafe" > > * 'standard' runs all of the below tests with default settings: > "cipher lowhash cert dbtests tools sdr crmf smime ssl ocsp merge > pkits ec gtests ssl_gtests policy" > > * 'pkix' runs the tests "lowhash libpkix cert tools ssl ocsp pkits ec > gtests ssl_gtests policy" with PKIX enabled. > > * 'thread_unsafe' runs "ssl ssl_gtests" with "THREAD_UNSAFE" enabled. Interesting. > My thinking would be to run the thread_unsafe cycle normally, but to > reduce the test overlap between standard and pkix however, I can't say > that I'm knowledgeable enough of NSS to claim that that wouldn't leave > gaps that might bite us some point down the line. So it might be best > to leave it as is unless someone familiar with NSS can confirm that > it'd be safe to disable some tests/cycles. Right, there doesn’t seem to be an obvious way to disable those without also weakening test coverage. I wonder what Debian and others are doing. Thanks for explaining! Ludo’.
Send a report that this bug log contains spam.
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.