GNU bug report logs

#40316 nss not reproducible


Message #102 received at 40316@debbugs.gnu.org (full text, mbox, reply):

Message-ID: <f019a921-88aa-b25a-f12a-6fd608c7cdc4@mutix.org>
Date: Thu, 2 May 2024 13:51:34 +0100
Subject: Re: [PATCH 3/6] gnu: nss: Make reproducible.
To: Vagrant Cascadian <vagrant@reproducible-builds.org>, 40316@debbugs.gnu.org
References: <cover.1714166213.git.cdo@mutix.org>
 <ba7d0083ae84b8ff3bd5e01a633cbe32226f8651.1714166213.git.cdo@mutix.org>
 <87o79vybmn.fsf@wireframe>
From: Christina O'Donnell <cdo@mutix.org>
In-Reply-To: <87o79vybmn.fsf@wireframe>
Cc: zhengjunjie@iscas.ac.cn, steve@futurile.net
Hi Vagrant,

On 26/04/2024 23:58, Vagrant Cascadian wrote:
> On 2024-04-26, Christina O'Donnell wrote:
>> gnu/packages/patches/nss-Disable-library-signing.patch: Disable library
>> signing to make the build reproducible.
>> gnu/packages/nss.scm (nss): Apply this new patch.
> Nice!

I have reordered my commits to first update to 3.99, before making nss 
reproducible. The more

This is similar to the approach that Nix takes, though Nix adds a 
parameter that enables FIPS and shlibsign again. Is it worth adding a 
parameter to re-enable FIPS?

>> diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch
>> new file mode 100644
>> index 00000000000..b488d29dcad
>> --- /dev/null
>> +++ b/gnu/packages/patches/nss-Disable-library-signing.patch
>> @@ -0,0 +1,67 @@
>> +From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001
>> +Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org>
>> +From: Christina O'Donnell <cdo@mutix.org>
>> +Date: Thu, 25 Apr 2024 16:35:50 +0100
>> +Subject: [PATCH] nss: Disable library signing.
>> +
>> +---
>> + nss/cmd/shlibsign/Makefile | 32 +-------------------------------
>> + 1 file changed, 1 insertion(+), 31 deletions(-)
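
Review bot: the embedded patch header goes straight from the Subject line to the `---` separator, so the patch file itself records neither why library signing is disabled nor what stops working without it. Add a short description between Subject and `---` stating the non-determinism being removed and the feature that is lost. The diffstat also shows 31 deletions against 1 insertion in nss/cmd/shlibsign/Makefile; leaving the existing rules in place and switching them off with a small conditional would keep the change to a few lines and make it less likely to conflict on the next version update.
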
> I think it would be good to explain why this patch is included, not just
> in the git commit message, but in the patch comments itself. I realize
> the patch actually includes a comment about non-determinism, but it is a
> bit lost in the diff.
Okay I've added a description to the v3 patch.
> Also, might be worth briefly explaining why disabling this feature is
> unlikely to break anything, etc.

I was actually wrong about this on my v1 patch, that did break the 
FIPS tests. However disabling FIPS is what Nix does by default and all 
other tests pass without it.

I have noticed that Nix parameterizes on whether FIPS is enabled so 
users can re-enable FIPS if they need it for their use-cases. Is it 
worth doing something similar here, or would that add too much complexity?

> Curious if there might be some way to leave most of the code in place,
> disable it... otherwise on version updates it is more likely to result
> in conflicts with even minor changes...

I've shrunk the patches to be a few lines each.

Kind regards,

Christina


> live well,
>    vagrant



