Report forwarded
to bug-guix@gnu.org: bug#58650; Package guix.
(Thu, 20 Oct 2022 02:41:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Sjors Provoost <sjors@sprovoost.nl>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org.
(Thu, 20 Oct 2022 02:41:02 GMT) (full text, mbox, link).
On 03-11-2022 11:03, zimoun wrote:
> Hi,
>
> Thanks for the report.
>
> On Wed, 19 Oct 2022 at 21:46, Sjors Provoost <sjors@sprovoost.nl> wrote:
>> Sorry if this is a duplicate or has already been fixed in a more recent commit.
>>
>> /builder for `/gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv' failed with exit code 1
>> build of /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed
>> View build log at '/var/log/guix/drvs/mw/6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv.gz'.
>> [...]
>>
>> ./guix/store.scm:1421:15: In procedure loop: [...]1).
>
> It seems an error with the store. Do you use the offload mechanism?
> And have you allowed the substitutes?
Looking at the attached build log, it is a build failure, not some store
error:
Test Summary Report
-------------------
../test/recipes/80-test_ssl_new.t (Wstat: 256 Tests: 29
Failed: 1)
Failed test: 12
Non-zero exit status: 1
Files=158, Tests=2640, 66 wallclock secs ( 0.87 usr 0.07 sys + 56.47
cusr 7.90 csys = 65.31 CPU)
Result: FAIL
make[1]: *** [Makefile:208: _tests] Error 1
make[1]: Leaving directory
'/tmp/guix-build-openssl-1.1.1n.drv-0/openssl-1.1.1n'
make: *** [Makefile:205: tests] Error 2
Except for the different version number IIRC, I've noticed that one
before (on core-updates). That was without offloading and with
substitutes, though the substitute servers didn't have a substitute
available.
As the backtrace is a distraction, I propose merging something like
<https://issues.guix.gnu.org/50238>.
Greetings,
Maxime
To: Maxime Devos <maximedevos@telenet.be>, Sjors Provoost <sjors@sprovoost.nl>
Cc: 58650@debbugs.gnu.org
Subject: Re: bug#58650: build of
/gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed
Date: Thu, 03 Nov 2022 12:03:44 +0100
Hi,
On Thu, 03 Nov 2022 at 11:32, Maxime Devos <maximedevos@telenet.be> wrote:
> Looking at the attached build log, it is a build failure, not some store
> error:
>
> Test Summary Report
> -------------------
> ../test/recipes/80-test_ssl_new.t (Wstat: 256 Tests: 29
> Failed: 1)
> Failed test: 12
> Non-zero exit status: 1
> Files=158, Tests=2640, 66 wallclock secs ( 0.87 usr 0.07 sys + 56.47
> cusr 7.90 csys = 65.31 CPU)
> Result: FAIL
> make[1]: *** [Makefile:208: _tests] Error 1
> make[1]: Leaving directory
> '/tmp/guix-build-openssl-1.1.1n.drv-0/openssl-1.1.1n'
> make: *** [Makefile:205: tests] Error 2
Indeed. My bad, I have missed the attachment.
Well, looking closer, I am confused by:
--8<---------------cut here---------------start------------->8---
failed to compute the derivation for Guix (version: "998eda3067c7d21e0d9bb3310d2f5a14b8f1c681"; system:
"x86_64-linux"; host version: "1.3.0.18313-998eda"; pull-version: 1).
--8<---------------cut here---------------end--------------->8---
What is this host version?
> As the backtrace is a distraction, I propose merging something like
> <https://issues.guix.gnu.org/50238>.
Well, I do not know if it is related, although patch#50238 would help
for sure.
Cheers,
simon
Information forwarded
to bug-guix@gnu.org: bug#58650; Package guix.
(Thu, 03 Nov 2022 11:26:02 GMT) (full text, mbox, link).
Subject: Re: bug#58650: build of
/gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed
Date: Thu, 3 Nov 2022 12:25:31 +0100
I tried building again using:
guix build --cores=1 /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv
This made it more clear that the error was an expired certificate:
../test/recipes/80-test_ssl_new.t ..................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/29 subtests
I was able to work around that by adjusting the machine time:
sudo timedatectl set-ntp no
sudo date --set "28 may 2022 15:00:00"
guix build ....
sudo timedatectl set-ntp yes
Information forwarded
to bug-guix@gnu.org: bug#58650; Package guix.
(Thu, 03 Nov 2022 11:33:01 GMT) (full text, mbox, link).
reopen 56137
merge 56137 58650
thanks
On 03-11-2022 12:25, Sjors Provoost wrote:
> I tried building again using:
> guix build --cores=1 /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv
>
> This made it more clear that the error was an expired certificate:
>
> ../test/recipes/80-test_ssl_new.t ..................
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/29 subtests
>
> I was able to work around that by adjusting the machine time:
>
> sudo timedatectl set-ntp no
> sudo date --set "28 may 2022 15:00:00"
> guix build ....
> sudo timedatectl set-ntp yes
In that case, this appears to be an instance
<https://issues.guix.gnu.org/56137> (‘OpenSSL 3.0.3/1.1.1n includes a
time-dependent test’), this time for different test case.
I propose to implement <https://issues.guix.gnu.org/56137#3> to solve
this more permanently.
Greetings,
Maxime.
Severity set to 'important' from 'normal'
Request was from Maxime Devos <maximedevos@telenet.be>
to control@debbugs.gnu.org.
(Tue, 08 Nov 2022 02:00:02 GMT) (full text, mbox, link).
Merged 5613758650.
Request was from Maxime Devos <maximedevos@telenet.be>
to control@debbugs.gnu.org.
(Tue, 08 Nov 2022 02:00:02 GMT) (full text, mbox, link).
Changed bug title to 'OpenSSL 1.1.1n test failures due to expired certificates (time bomb)' from 'build of /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed'
Request was from Ludovic Courtès <ludo@gnu.org>
to control@debbugs.gnu.org.
(Tue, 15 Nov 2022 16:16:01 GMT) (full text, mbox, link).
Information forwarded
to bug-guix@gnu.org: bug#58650; Package guix.
(Mon, 27 Feb 2023 04:05:02 GMT) (full text, mbox, link).
Subject: Re: bug#58650: OpenSSL 1.1.1n test failures due to expired
certificates (time bomb)
Date: Sun, 26 Feb 2023 23:03:53 -0500
Hi,
I also tried with libfaketime, which seemed more complete and easy to
setup globally via environment variables:
--8<---------------cut here---------------start------------->8---
modified gnu/packages/tls.scm
@@ -491,11 +491,47 @@ (define (target->openssl-target target)
(error "unsupported openssl target architecture")))))
(string-append kernel "-" arch))))
+;;; A minimal version of libfaketime that should remain private. Its only
+;;; purpose is to avoid introducing a cycle with openssl due to libfaketime's
+;;; git-fetch origin, which pulls git (which requires openssl).
+(define libfaketime-minimal
+ (package
+ (name "libfaketime")
+ (version "0.9.10")
+ (home-page "https://github.com/wolfcw/libfaketime")
+ (source (origin
+ (method url-fetch)
+ ;; XXX: We cheat and use a dynamically generated archive GitHub
+ ;; link here, since we can't fetch from git.
+ (uri (string-append "https://github.com/wolfcw/" name
+ "/archive/refs/tags/v" version ".tar.gz"))
+ (sha256
+ (base32
+ "0zwlwxpya3scayf8b3ans6pp82k8k42bk5wfqvcm02kmkhxx76kj"))))
+ (build-system gnu-build-system)
+ (arguments
+ (list
+ #:make-flags #~(list "all")
+ #:tests? #f
+ #:phases
+ #~(modify-phases %standard-phases
+ (replace 'configure
+ (lambda* (#:key outputs #:allow-other-keys)
+ (setenv "CC" #$(cc-for-target))
+ (setenv "PREFIX" #$output))))))
+ (synopsis "Fake the system time for single applications")
+ (description
+ "The libfaketime library allows users to modify the system time that an
+application \"sees\". It is meant to be loaded using the dynamic linker's
+@code{LD_PRELOAD} environment variable. The @command{faketime} command
+provides a simple way to achieve this.")
+ (license license:gpl2)))
+
(define-public openssl-1.1
;; Note to maintainers: when updating this package, make sure to update the
;; RELEASE-DATE variable below. It is used by datefudge to avoid time bombs
;; in the test suite.
- (let ((release-date "2021-08-24 00:00"))
+ (let ((release-date "@2021-08-24 00:00:00"))
(package
(name "openssl")
(version "1.1.1l")
@@ -517,7 +553,7 @@ (define-public openssl-1.1
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
"static")) ;6.4 MiB of .a files
- (native-inputs (list datefudge perl))
+ (native-inputs (list libfaketime-minimal perl))
(arguments
(list
#:modules '((guix build gnu-build-system)
@@ -537,6 +573,15 @@ (define-public openssl-1.1
#:disallowed-references (list (canonical-package perl))
#:phases
#~(modify-phases %standard-phases
+ (add-before 'unpack 'setup-libfaketime
+ (lambda* (#:key native-inputs inputs #:allow-other-keys)
+ (let ((libfaketime.so.1 (search-input-file
+ (or native-inputs inputs)
+ "lib/faketime/libfaketime.so.1")))
+ (setenv "LD_PRELOAD" libfaketime.so.1)
+ (setenv "NO_FAKE_STAT" "1")
+ (setenv "FAKETIME_DONT_RESET" "1")
+ (setenv "FAKETIME" #$release-date))))
#$@(if (%current-target-system)
#~((add-before 'configure 'set-cross-compile
--8<---------------cut here---------------end--------------->8---
But I still get the same error:
--8<---------------cut here---------------start------------->8---
../../util/shlib_wrap.sh /gnu/store/hy6abswwv4d89zp464fw52z65fkzr7h5-perl-5.34.0/bin/perl -I ../../util/perl ../generate_ssl_tests.pl ../ssl-tests/12-ct.conf.in > 12-ct.conf.30543.tmp => 0
ok 1 - Getting output from generate_ssl_tests.pl.
ok 2 - Comparing generated sources.
# Subtest: ../ssl_test
1..1
# Subtest: test_handshake
1..6
ok 1 - iteration 1
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 2 - iteration 2
ok 3 - iteration 3
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 4 - iteration 4
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 5 - iteration 5
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 6 - iteration 6
not ok 1 - test_handshake
../../util/shlib_wrap.sh ../ssl_test 12-ct.conf.30543.tmp => 1
not ok 3 - running ssl_test 12-ct.conf
# Failed test 'running ssl_test 12-ct.conf'
# at ../test/recipes/80-test_ssl_new.t line 148.
# Looks like you failed 1 test of 3.
not ok 12 - Test configuration 12-ct.conf
# Failed test 'Test configuration 12-ct.conf'
# at
# /tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l/test/../util/perl/OpenSSL/Test.pm
# line 1212.
--8<---------------cut here---------------end--------------->8---
When attempting to build with
--8<---------------cut here---------------start------------->8---
./pre-inst-env guix build --no-grafts -e '(@@ (gnu packages tls) openssl-1.1)'
--8<---------------cut here---------------end--------------->8---
Upstream seems to have moved to give very large expiry dates on their
test certs (100 years), so perhaps we can simply remove this test and
hope the problem doesn't come back to haunt us...
--
Thanks,
Maxim
Merged 561375865060821.
Request was from Ludovic Courtès <ludo@gnu.org>
to control@debbugs.gnu.org.
(Mon, 17 Apr 2023 13:24:02 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the
GNU Public License version 2. The current version can be
obtained from https://bugs.debian.org/debbugs-source/.