nss not reproducible

  • Open
  • quality assurance status badge
Details
10 participants
  • Björn Höfling
  • Bone Baboon
  • Gábor Boskovits
  • Christina O'Donnell
  • Danny Milosavljevic
  • Tobias Alexandra Platen
  • Ludovic Courtès
  • Marius Bakke
  • Steve George
  • Vagrant Cascadian
Owner
unassigned
Submitted by
Danny Milosavljevic
Severity
normal
Merged with
D
D
Danny Milosavljevic wrote on 29 Mar 2020 13:16
(address . bug-guix@gnu.org)
20200329131611.38448a58@scratchpost.org
Hi,

core-updates' nss is not reproducible (commit
aebcbb27bc2f192cc06163251bab66a4ceb7b7d6).

diffoscope says:

--- /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
+++ /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50-check
??? lib
? ??? nss
? ? ??? libfreebl3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010029
? ? ? -713ef8afdc7c8efcff89e8c420bfdd8835e6d08bb934ce160fe927b99ac8f997
? ? ? -c043c16bfe67abbbd27a97b4aa4df753c33f5a093d9598413edfb4c6a0a68309
? ? ? -4f3a160aec8a5e8e383c108c802580e5f117f9b2be6d496f6eb6e85937258e53
? ? ? -f3f55ac49f7ffa955e91e054d1dd6b19f725506e2242fbb2f8acf81c9ff4278c
? ? ? -5c6ad6528d1a8505c6c83fd643660e3a31dddff7eb5f046f0df6d47ea455c82c
? ? ? -78ec32d8a1aaa29c9deed1053feae3029eacce8b9ff88777ff964757aeb1ccce
? ? ? -bd14d326b7fb0822bbc982250e51d4eaa73599ef8e4fd2298f076edf9a9be41e
? ? ? -94da645f57dc12af730b3661973390672cbcf767caf495e1f3656f06f0fae300
? ? ? -00004030361665e91e760d37d9117256e4f698d2b124115e83aafcc92c2751fa
? ? ? -f2b3384c22c76a207da12a4c4b72662e9ae53f356d6b6d98a066cd240cb06fed
? ? ? -337d6d
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3
? ? ? +35c76bfe38266728b573ef4fedcb22131ce275a8a484902b3ad994ca3a87a754
? ? ? +998b5c5807e4fa0e9b83a6677eca9140b8bbeeb4c36897473065b8305c4d1ddd
? ? ? +3f967b7041217df53ae6ec4211b031cc12df895a35efcde570dd2c7a610151c9
? ? ? +ef0acdf28a646db355ece183e2e71275c51b4331e61ca7948c7aa62d420e8b17
? ? ? +481f427197c78094832de5e3f21d27bf701e6fc524e5f700567969f91e8864c0
? ? ? +fae4da549d548ce8b134456e0720d083c8649bdb44ac6383d2e5a41bd2ec3b64
? ? ? +e9b6d281708447aefdd60be32f7d9093fef2579d6c122b48e449b2266bdc4678
? ? ? +9639fd997f0d8fe649b51a5f3097603b130bb5e8a811b5f3c121ed6d7bb58300
? ? ? +00004004c38a443627df69c2bc659e2e810b24b0e4dc042311fb9b2c99d18e7b
? ? ? +242fc7729f9e5facc1dc69ced89ea571bd69f95277894e9954c28c2f8ab77d62
? ? ? +e96c1d
? ? ??? libfreeblpriv3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3
? ? ? -298c351142cb4107acceb8e07a997cc63fade4c4dd6cc0d3f5dedad25fca66bc
? ? ? -d58fb35b3a1f8ce3c90c795a8066cb4312b2b11558daf3c388ee3865d1cbc75d
? ? ? -88832d044dd267885c36455be97ee5ff17ee95a9377170441267b604d6bea8d2
? ? ? -c7fbaebd2c39506220d5d2c4a34e6a848fc139bd38f95c7e48160d847c270a78
? ? ? -e88519f1a5f2f36c6d6d4c16d621b2e763e48d42818b1a3b76421a52c7c209b9
? ? ? -a70fe921ad9b80411150a5e4d800bd89fe4486361412b39a9b5c68abec6bb68d
? ? ? -8f7d1b823c9d455d0062d9b819b1d5173a493cdbea00dcfc98a52537bd373acb
? ? ? -cb046c7fe4246590c9875413f19dba8f63a2f05771d161513efeb2e663ebf400
? ? ? -000040299e7b6851b43d6f40d1704237831bbb5a1fd4e38c041f1b7222480338
? ? ? -c27b4e655f1846220c4950db84ce7da9b2c1b2c6530304a73c8caff757be8ba4
? ? ? -51d8ec
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010032
? ? ? +0bdce77a4aabe0b8a8b97469180a5882104d30c155dfc227f99b7add6aedda98
? ? ? +b9aee674e8a2f43377eea0e32f4382f8818a9cd39dfe0f2217b989ab695b1317
? ? ? +971ae000096efde5a3610306a7a60b3075204f77543509fb48d1605d0ae6d7cd
? ? ? +dd5b3576d2d09d9e4d5357ea21e7376e2fa69ba804a19161ab639219592efef5
? ? ? +ad5b8714ad21118b1fa53453b6e4222e267b0a692704de6bcd10895afeaf5f21
? ? ? +f721c406a796e092b344bc78abd953205e6d932c87fef89e80715a9eefbd6417
? ? ? +eef4e8c8630fe92927d81870c50f64aa15f2dbb965d9aa51a450d0c53607d60a
? ? ? +8c4ad1461e32c7dc78bf606eaacf38a88a2c47f496b3ba289e104e8d25a84400
? ? ? +0000408df400964ed23bd859d524136afbf355cce08ae540f65bbfe055e81950
? ? ? +6b84f52240c447ad47c53ee31e9fed82d08905f65adfedd54f5b91b6b9d6105b
? ? ? +f2f8f4
? ? ??? libnssdbm3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001009d
? ? ? -76e916a4dfe80c81097e4cff0f945852d689772f01c87f11c2fab03f99f20417
? ? ? -d1458884f5255774a9028c848ce879369734f01f1e12ceb9cf63dc9eca1170b8
? ? ? -23e6678ab9f65f2dbeeae2c96fd90367e720124a2d11551127baf17e2a7b214d
? ? ? -f24bca9fbb5355d2479e7c06ec05fe138ad50c26a1876053143bf0ed18eae349
? ? ? -42b8b96ab9bdde2e234fbfe354d8b3698cd5ddadfdd1de6ab8d75c558a96bd8a
? ? ? -accb720a1207f4b25c9e1df0e0b60574d8f89d65e6698e1626e1d1a892c3c1d5
? ? ? -13ee0f6ee4e87e2b54d566283e99aaa6300e3131913c9549d4b1a6ad2869fd4c
? ? ? -d28567c75a32f0d132021b586ab8fb292994d065ec4b3875dabc993cb0e17800
? ? ? -00004070a60b59d01834af5e27dff70526b0beb20dfabb43a6ab25f766d1ec26
? ? ? -90ce003539dbf276a167ec78d7a998f69e99bf3c81fc7246572342aec6d214da
? ? ? -abcc97
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001006b
? ? ? +6170f9835f65f0409f61d947626f5880691b5b1ec5f0d280b82d832d3d5d3957
? ? ? +1745597c3a2392c1271f8508a1c748bc4be5681bacfd11480a1855af07ae3cd4
? ? ? +4fbc4165f89174e7cba60ac7f7c0a17116cfa3fd8e0ed6c0c02696352b3f9d53
? ? ? +7fcbda8cb21b0a95f9e92d38dc8121ea2dac2eabd750ba7770c47d514282f45b
? ? ? +357ef3586d8930a05a6e26c9ea391351d16fa2ab10fb08e42406e7a0365c3258
? ? ? +00de8afadfb3086ca003e964ed1ab11b3410f4ccfede3e7b987ade295d4a0bc5
? ? ? +d505170822d4a01535a93de3a507a51c4180989530d22e50d725d775f7455e9a
? ? ? +9d5a851f2f976a6f312e924c27ac72a3599f9cf8878bbe01046a91cd04664c00
? ? ? +00004002c563080dfd3803f27fa9c896d0dd1b3c985bd53f0622cabea11746fa
? ? ? +ada72d7c05b819eb4dc9cda731e0006b637bd893555506c000dabb5c066d3f7e
? ? ? +3ea9d8
? ? ??? libsoftokn3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010030
? ? ? -045311203f4d6c1624ea5336dc9a5470a2baa285ca7294bf2162c479bc0913d4
? ? ? -f8f326ef62ca8b31781b61e9ad3057d3c4cdd90c882dceb252149d7578cceab4
? ? ? -4ce0bb338d395901afafbe3c570493a7add01e625de9a0a90c4e85c52ce67630
? ? ? -3b1cc388c65d76d87c5bd31d2db8fbe17db05186c3a4bc2032614af6d950e8c7
? ? ? -91da637dc8a7c2897071c92910e47b529566eddafc918e1c05f39aedea9e712f
? ? ? -98be2b6b87685411a5d8be0cd4d0c5e680ade81a3b9ee09d7aa6489775e3465b
? ? ? -0dd470a8bd99a84df719cbf935d46a08f9045c58ccb2861dd35e76d085caed0a
? ? ? -9ecc3cffe9bec61966d09e633bf7ac9870d02e03f8d4a2911da1b6e02cf6ab00
? ? ? -0000408a5c4418abe2196ccf3ad0ce5d4df8edfa598befb414c4c622e92b2a70
? ? ? -c94c5646c44609ba518ecdeef2eaa2745144a5048e2c4a92415fee1e3fe2c479
? ? ? -1fe98a
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010042
? ? ? +3475f0c8a0fbfcbf67cdac446df60765ccc7b02fb6c5079e14c9d2c1da2d7ae5
? ? ? +8f274ecfcf9d135c05a7405008e8f8c7f5ac86c274aabe5fdc33e014b622a5f4
? ? ? +0c8525071b0d5ee7614464deffee9320a965701df92070ff15fe786c1e8c41b3
? ? ? +b4298574d9c0b9d8e1fe896a12973e579372d75fe8f3262254a80b622e6543bb
? ? ? +16be7160f9a89b934cd7133aa87fa5e03bcf981806cbb0bccf01af77008fd424
? ? ? +cf6190e09910d4aaa812092fa64766d1bce0a9cf77f3470f5f0aa37715014cc6
? ? ? +661c5f55253063713dac706cabab09005b9f1e2889f03e5b860f7eacbce21744
? ? ? +fd33e21a0ca62878a7863e27667f0f7eb440bdfff02b9838d75d3fda4dac2400
? ? ? +000040180f14354ae8e6d4d243e4fef0819e75346888290dd80849a7494dd220
? ? ? +db71d615c82b2dbdee722fb914aff6875ffd66be934a102f0f684535169c9940
? ? ? +c0733d
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEds7GsXJ0tGXALbPZ5xo1VCwwuqUFAl6Ag3sACgkQ5xo1VCww
uqUcOQf9FRk0qJnm4CkVu0X3dfZk+MXcqa3Cki13j3PjZ3feJpJT5ypO1EB5V15H
CbSQMLRNn3XJoR/O+cmWor1fyUvwEn9FmwNVQymMEATkKoxGz4VoOREOHeu7XTf8
IkjnSrJW03pmNoMkoFv5awv8CTQ/f7VvWVBunI+scruI0AG9OzAVd3jiYsjuLfeH
a7DcBHS0eCqgrFRkAaYxXjKOVmbFhIFOQv1vreAcHupH7N1G2nVWiPkH/WJjUAnh
Jzl+0C8z+uS/GmdkkZ08wj/U8SR8l+0ME1hushNtF8B2xTnc+5z01UlfxXkf8Mzg
XTC3lG9ByG0vFMB0pyld9Gbv3s9kCA==
=WADR
-----END PGP SIGNATURE-----


G
G
Gábor Boskovits wrote on 30 Mar 2020 08:09
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 40316@debbugs.gnu.org)
CAE4v=pj6kWsqUkQRJzf8wFdFpiTCnGZySgqE3RyQk0pp-PbcUA@mail.gmail.com
Hello Danny,

Danny Milosavljevic <dannym@scratchpost.org> ezt írta (id?pont: 2020.
márc. 30., H, 4:38):
Toggle quote (149 lines)
>
> Hi,
>
> core-updates' nss is not reproducible (commit
> aebcbb27bc2f192cc06163251bab66a4ceb7b7d6).
>
> diffoscope says:
>
> --- /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50
> +++ /gnu/store/gfpgqvwrixhf3sf1bnzsfxzvld0nd8b7-nss-3.50-check
> ??? lib
> ? ??? nss
> ? ? ??? libfreebl3.chk
> ? ? ?? xxd not available in path. Falling back to Python hexlify.
> ? ? ? @@ -11,19 +11,19 @@
> ? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
> ? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
> ? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
> ? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
> ? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
> ? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
> ? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
> ? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010029
> ? ? ? -713ef8afdc7c8efcff89e8c420bfdd8835e6d08bb934ce160fe927b99ac8f997
> ? ? ? -c043c16bfe67abbbd27a97b4aa4df753c33f5a093d9598413edfb4c6a0a68309
> ? ? ? -4f3a160aec8a5e8e383c108c802580e5f117f9b2be6d496f6eb6e85937258e53
> ? ? ? -f3f55ac49f7ffa955e91e054d1dd6b19f725506e2242fbb2f8acf81c9ff4278c
> ? ? ? -5c6ad6528d1a8505c6c83fd643660e3a31dddff7eb5f046f0df6d47ea455c82c
> ? ? ? -78ec32d8a1aaa29c9deed1053feae3029eacce8b9ff88777ff964757aeb1ccce
> ? ? ? -bd14d326b7fb0822bbc982250e51d4eaa73599ef8e4fd2298f076edf9a9be41e
> ? ? ? -94da645f57dc12af730b3661973390672cbcf767caf495e1f3656f06f0fae300
> ? ? ? -00004030361665e91e760d37d9117256e4f698d2b124115e83aafcc92c2751fa
> ? ? ? -f2b3384c22c76a207da12a4c4b72662e9ae53f356d6b6d98a066cd240cb06fed
> ? ? ? -337d6d
> ? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3
> ? ? ? +35c76bfe38266728b573ef4fedcb22131ce275a8a484902b3ad994ca3a87a754
> ? ? ? +998b5c5807e4fa0e9b83a6677eca9140b8bbeeb4c36897473065b8305c4d1ddd
> ? ? ? +3f967b7041217df53ae6ec4211b031cc12df895a35efcde570dd2c7a610151c9
> ? ? ? +ef0acdf28a646db355ece183e2e71275c51b4331e61ca7948c7aa62d420e8b17
> ? ? ? +481f427197c78094832de5e3f21d27bf701e6fc524e5f700567969f91e8864c0
> ? ? ? +fae4da549d548ce8b134456e0720d083c8649bdb44ac6383d2e5a41bd2ec3b64
> ? ? ? +e9b6d281708447aefdd60be32f7d9093fef2579d6c122b48e449b2266bdc4678
> ? ? ? +9639fd997f0d8fe649b51a5f3097603b130bb5e8a811b5f3c121ed6d7bb58300
> ? ? ? +00004004c38a443627df69c2bc659e2e810b24b0e4dc042311fb9b2c99d18e7b
> ? ? ? +242fc7729f9e5facc1dc69ced89ea571bd69f95277894e9954c28c2f8ab77d62
> ? ? ? +e96c1d
> ? ? ??? libfreeblpriv3.chk
> ? ? ?? xxd not available in path. Falling back to Python hexlify.
> ? ? ? @@ -11,19 +11,19 @@
> ? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
> ? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
> ? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
> ? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
> ? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
> ? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
> ? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
> ? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f00000100a3
> ? ? ? -298c351142cb4107acceb8e07a997cc63fade4c4dd6cc0d3f5dedad25fca66bc
> ? ? ? -d58fb35b3a1f8ce3c90c795a8066cb4312b2b11558daf3c388ee3865d1cbc75d
> ? ? ? -88832d044dd267885c36455be97ee5ff17ee95a9377170441267b604d6bea8d2
> ? ? ? -c7fbaebd2c39506220d5d2c4a34e6a848fc139bd38f95c7e48160d847c270a78
> ? ? ? -e88519f1a5f2f36c6d6d4c16d621b2e763e48d42818b1a3b76421a52c7c209b9
> ? ? ? -a70fe921ad9b80411150a5e4d800bd89fe4486361412b39a9b5c68abec6bb68d
> ? ? ? -8f7d1b823c9d455d0062d9b819b1d5173a493cdbea00dcfc98a52537bd373acb
> ? ? ? -cb046c7fe4246590c9875413f19dba8f63a2f05771d161513efeb2e663ebf400
> ? ? ? -000040299e7b6851b43d6f40d1704237831bbb5a1fd4e38c041f1b7222480338
> ? ? ? -c27b4e655f1846220c4950db84ce7da9b2c1b2c6530304a73c8caff757be8ba4
> ? ? ? -51d8ec
> ? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010032
> ? ? ? +0bdce77a4aabe0b8a8b97469180a5882104d30c155dfc227f99b7add6aedda98
> ? ? ? +b9aee674e8a2f43377eea0e32f4382f8818a9cd39dfe0f2217b989ab695b1317
> ? ? ? +971ae000096efde5a3610306a7a60b3075204f77543509fb48d1605d0ae6d7cd
> ? ? ? +dd5b3576d2d09d9e4d5357ea21e7376e2fa69ba804a19161ab639219592efef5
> ? ? ? +ad5b8714ad21118b1fa53453b6e4222e267b0a692704de6bcd10895afeaf5f21
> ? ? ? +f721c406a796e092b344bc78abd953205e6d932c87fef89e80715a9eefbd6417
> ? ? ? +eef4e8c8630fe92927d81870c50f64aa15f2dbb965d9aa51a450d0c53607d60a
> ? ? ? +8c4ad1461e32c7dc78bf606eaacf38a88a2c47f496b3ba289e104e8d25a84400
> ? ? ? +0000408df400964ed23bd859d524136afbf355cce08ae540f65bbfe055e81950
> ? ? ? +6b84f52240c447ad47c53ee31e9fed82d08905f65adfedd54f5b91b6b9d6105b
> ? ? ? +f2f8f4
> ? ? ??? libnssdbm3.chk
> ? ? ?? xxd not available in path. Falling back to Python hexlify.
> ? ? ? @@ -11,19 +11,19 @@
> ? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
> ? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
> ? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
> ? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
> ? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
> ? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
> ? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
> ? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001009d
> ? ? ? -76e916a4dfe80c81097e4cff0f945852d689772f01c87f11c2fab03f99f20417
> ? ? ? -d1458884f5255774a9028c848ce879369734f01f1e12ceb9cf63dc9eca1170b8
> ? ? ? -23e6678ab9f65f2dbeeae2c96fd90367e720124a2d11551127baf17e2a7b214d
> ? ? ? -f24bca9fbb5355d2479e7c06ec05fe138ad50c26a1876053143bf0ed18eae349
> ? ? ? -42b8b96ab9bdde2e234fbfe354d8b3698cd5ddadfdd1de6ab8d75c558a96bd8a
> ? ? ? -accb720a1207f4b25c9e1df0e0b60574d8f89d65e6698e1626e1d1a892c3c1d5
> ? ? ? -13ee0f6ee4e87e2b54d566283e99aaa6300e3131913c9549d4b1a6ad2869fd4c
> ? ? ? -d28567c75a32f0d132021b586ab8fb292994d065ec4b3875dabc993cb0e17800
> ? ? ? -00004070a60b59d01834af5e27dff70526b0beb20dfabb43a6ab25f766d1ec26
> ? ? ? -90ce003539dbf276a167ec78d7a998f69e99bf3c81fc7246572342aec6d214da
> ? ? ? -abcc97
> ? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001006b
> ? ? ? +6170f9835f65f0409f61d947626f5880691b5b1ec5f0d280b82d832d3d5d3957
> ? ? ? +1745597c3a2392c1271f8508a1c748bc4be5681bacfd11480a1855af07ae3cd4
> ? ? ? +4fbc4165f89174e7cba60ac7f7c0a17116cfa3fd8e0ed6c0c02696352b3f9d53
> ? ? ? +7fcbda8cb21b0a95f9e92d38dc8121ea2dac2eabd750ba7770c47d514282f45b
> ? ? ? +357ef3586d8930a05a6e26c9ea391351d16fa2ab10fb08e42406e7a0365c3258
> ? ? ? +00de8afadfb3086ca003e964ed1ab11b3410f4ccfede3e7b987ade295d4a0bc5
> ? ? ? +d505170822d4a01535a93de3a507a51c4180989530d22e50d725d775f7455e9a
> ? ? ? +9d5a851f2f976a6f312e924c27ac72a3599f9cf8878bbe01046a91cd04664c00
> ? ? ? +00004002c563080dfd3803f27fa9c896d0dd1b3c985bd53f0622cabea11746fa
> ? ? ? +ada72d7c05b819eb4dc9cda731e0006b637bd893555506c000dabb5c066d3f7e
> ? ? ? +3ea9d8
> ? ? ??? libsoftokn3.chk
> ? ? ?? xxd not available in path. Falling back to Python hexlify.
> ? ? ? @@ -11,19 +11,19 @@
> ? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
> ? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
> ? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
> ? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
> ? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
> ? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
> ? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
> ? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010030
> ? ? ? -045311203f4d6c1624ea5336dc9a5470a2baa285ca7294bf2162c479bc0913d4
> ? ? ? -f8f326ef62ca8b31781b61e9ad3057d3c4cdd90c882dceb252149d7578cceab4
> ? ? ? -4ce0bb338d395901afafbe3c570493a7add01e625de9a0a90c4e85c52ce67630
> ? ? ? -3b1cc388c65d76d87c5bd31d2db8fbe17db05186c3a4bc2032614af6d950e8c7
> ? ? ? -91da637dc8a7c2897071c92910e47b529566eddafc918e1c05f39aedea9e712f
> ? ? ? -98be2b6b87685411a5d8be0cd4d0c5e680ade81a3b9ee09d7aa6489775e3465b
> ? ? ? -0dd470a8bd99a84df719cbf935d46a08f9045c58ccb2861dd35e76d085caed0a
> ? ? ? -9ecc3cffe9bec61966d09e633bf7ac9870d02e03f8d4a2911da1b6e02cf6ab00
> ? ? ? -0000408a5c4418abe2196ccf3ad0ce5d4df8edfa598befb414c4c622e92b2a70
> ? ? ? -c94c5646c44609ba518ecdeef2eaa2745144a5048e2c4a92415fee1e3fe2c479
> ? ? ? -1fe98a
> ? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010042
> ? ? ? +3475f0c8a0fbfcbf67cdac446df60765ccc7b02fb6c5079e14c9d2c1da2d7ae5
> ? ? ? +8f274ecfcf9d135c05a7405008e8f8c7f5ac86c274aabe5fdc33e014b622a5f4
> ? ? ? +0c8525071b0d5ee7614464deffee9320a965701df92070ff15fe786c1e8c41b3
> ? ? ? +b4298574d9c0b9d8e1fe896a12973e579372d75fe8f3262254a80b622e6543bb
> ? ? ? +16be7160f9a89b934cd7133aa87fa5e03bcf981806cbb0bccf01af77008fd424
> ? ? ? +cf6190e09910d4aaa812092fa64766d1bce0a9cf77f3470f5f0aa37715014cc6
> ? ? ? +661c5f55253063713dac706cabab09005b9f1e2889f03e5b860f7eacbce21744
> ? ? ? +fd33e21a0ca62878a7863e27667f0f7eb440bdfff02b9838d75d3fda4dac2400
> ? ? ? +000040180f14354ae8e6d4d243e4fef0819e75346888290dd80849a7494dd220
> ? ? ? +db71d615c82b2dbdee722fb914aff6875ffd66be934a102f0f684535169c9940
> ? ? ? +c0733d

Do you have any idea what these might be?
Are these text files, but not recoginzed by diffoscope, or are they
really binary?
Also, IIRC we had problems earlier with this package, as some keys
were generated.
Might this be somehow related?

Best regards,
g_bor
--
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
M
M
Marius Bakke wrote on 30 Mar 2020 13:55
87pncuukf6.fsf@devup.no
Danny Milosavljevic <dannym@scratchpost.org> writes:

Toggle quote (5 lines)
> Hi,
>
> core-updates' nss is not reproducible (commit
> aebcbb27bc2f192cc06163251bab66a4ceb7b7d6).

Is this issue only present on the 'core-updates' branch? There haven't
been any changes to NSS on that branch compared to 'master' AFAIK.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl6B3h0ACgkQoqBt8qM6
VPo8Bwf+M6nzNw0dug8dMEb5YzlB3/AdPpztjt76g1RUUFyyw0lxMeqkSuWXqXlg
3wq43RZWUKGtHbHSlD1wL7rvdR8aSiLbHjMJ0l+/Xt1j31izFuhrphJmaOWsfS90
ta1nfgJkLFbll6X/63NFmOC/HEsoW6ofx/V5gOb+FcvQAgajlkH1p4FaaC4Uq3YJ
xUTKwMt+/4/KTInOBOaGJ1/UEL6aknMfRL8Lqbrv2QMrN9XZ2Kmo/goqKLcz8HR4
6qpRaslY2vmguLFfgTWagHreOQ4Tf++2ZUsszVnvotuKQ8Tz1qYbX1uTNogZ9TVt
xUzAnBdgBAbxH81faOr56RM8R6nVsw==
=VX/z
-----END PGP SIGNATURE-----

B
B
Björn Höfling wrote on 31 Mar 2020 11:21
merge nss bugs
(address . request@debbugs.gnu.org)
20200331112158.663ecc89@alma-ubu
merge 40316 33507 30108
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQQiGUP0np8nb5SZM4K/KGy2WT5f/QUCXoMLtgAKCRC/KGy2WT5f
/eHuAJ9Ee/3Cy/8A+tNax7JvGuFmMS+XCQCePXVaJktqzKzbL1JO+o95PPoSKso=
=EwHg
-----END PGP SIGNATURE-----


B
B
Björn Höfling wrote on 31 Mar 2020 11:28
Re: bug#40316: core-updates nss not reproducible
(name . Marius Bakke)(address . mbakke@fastmail.com)
20200331112841.37c909bf@alma-ubu
On Mon, 30 Mar 2020 13:55:09 +0200
Marius Bakke <mbakke@fastmail.com> wrote:

Toggle quote (11 lines)
> Danny Milosavljevic <dannym@scratchpost.org> writes:
>
> > Hi,
> >
> > core-updates' nss is not reproducible (commit
> > aebcbb27bc2f192cc06163251bab66a4ceb7b7d6).
>
> Is this issue only present on the 'core-updates' branch? There
> haven't been any changes to NSS on that branch compared to 'master'
> AFAIK.

I haven't tried it on 'master', but I think it is branch-independent,
people are only testing it on core-updates. This bug is over 2 years
old with different versions of nss affected and the same three files
not reproducible. And we had past core-updates mergers.

I found and merged these reports:
bug#30108: [core-updates] nss 3.34.1 not reproducible
bug#33507: nss 3.39 output is not deterministic
bug#40316: core-updates nss not reproducible

Björn
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQQiGUP0np8nb5SZM4K/KGy2WT5f/QUCXoMNSQAKCRC/KGy2WT5f
/fpZAJ9iM9L7JtHZ/L+eixYEH8O9QLtOOQCgjqbh1dWZTZ35WpCkysuGaVT98c4=
=/7tG
-----END PGP SIGNATURE-----


B
B
Bone Baboon wrote on 18 May 2021 03:04
Re: core-updates nss not reproducible
(address . 40316@debbugs.gnu.org)
87a6osdf97.fsf@disroot.org
I am also getting the same four files that are not reproducible for nss
on the master branch.

As nss is also not reproducible on master maybe the title of this bug
should be changed to "nss not reproducible".

`guix describe` outputs:

```
Generation 24 May 12 2021 18:06:24 (current)
guix d6aeebb
branch: master
commit: d6aeebb23639258311fdfb9dbf5f903079fde51a
```

`guix challenge /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59`
outputs:

```
/gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59 contents differ:
local hash: 0pqq1v88yjj80sll4j4ahfh52zzqhvkjv3vgkhmnnikvl6vd5sck
https://ci.guix.gnu.org/nar/lzip/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59:1smx41irpiy9kly3zvr0d61x7hwm0haggvyii34byzfypca1xn2f
differing files:
/lib/nss/libfreebl3.chk
/lib/nss/libsoftokn3.chk
/lib/nss/libfreeblpriv3.chk
/lib/nss/libnssdbm3.chk

1 store items were analyzed:
- 0 (0.0%) were identical
- 1 (100.0%) differed
- 0 (0.0%) were inconclusive
```

`guix challenge --diff=diffoscope
/gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59` outputs:

```
/gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59 contents differ:
local hash: 0pqq1v88yjj80sll4j4ahfh52zzqhvkjv3vgkhmnnikvl6vd5sck
https://ci.guix.gnu.org/nar/lzip/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59:1smx41irpiy9kly3zvr0d61x7hwm0haggvyii34byzfypca1xn2f
--- /tmp/guix-directory.jSGCMh
+++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59
? --- /tmp/guix-directory.jSGCMh/lib
??? +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib
? ? --- /tmp/guix-directory.jSGCMh/lib/nss
? ??? +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss
? ? ? --- /tmp/guix-directory.jSGCMh/lib/nss/libfreebl3.chk
? ? ??? +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libfreebl3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010062
? ? ? -d97f1f01f03e65f037c7fee3230c59c36d170cc30f23372fbc6eb28d9ec87008
? ? ? -f07660714bb43d98a06734a1658ce721feab8b0ece03ee54cb45dbaee9cff57f
? ? ? -9d9c0fac4a2d67f4f314423973a42819a9eceba758344ef4b304f1737ebe23a4
? ? ? -e13aba8e9f88bec5c067d61a16a3dcb347789575f4cfa8629880f734ec3db9cc
? ? ? -d963cee322fa2eba5172715eb19686e185ff13dfcf23eb7ed9338230f90b4b57
? ? ? -8f7f3c3fb8e0e968d4625646f5fb0897c3e2400e5a5596f01f841f7e4946d406
? ? ? -977e6adbce9113d027a38cd34942cf3158422b590c27b2731fd506c2326a2dbb
? ? ? -1a363a864475bd8464282544cf46fe60e94d705cda2d34257c9e3cadc378fe00
? ? ? -00004025839bed8e61fecf86f99135e9912ab62b5497dc33bdf2bbda445cf237
? ? ? -bfd47c8b826ec02b6cac983765bedd1ae17a57827f6fe0af965a2538a2776388
? ? ? -c14b6c
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010087
? ? ? +37f4789b39e4bcbe32600d9a952265b9a8623a91658d6c5b5c7e8d42741219f2
? ? ? +1f4d9e54994ffa87cc533d63273f7b7d24b63cc0415b62cd419656c63f5acf46
? ? ? +688991664fc00c10740ab0cabbcdb639a9408b76c4cbf27827257fdd3aeaa526
? ? ? +bb9425a9a8c55bb4d4a54e2d389de9561a61af754170bf640b8e23bc9c4c7945
? ? ? +8cfdafc309c7737aa53d0fb451cc7476f73b04b4b5c6cfaeabc332d0478c8c5d
? ? ? +bdde681ef55b30b669a106440c4676f5bf3454617d1707e710c0e426ee823ee1
? ? ? +f1892576f4f4795e6e4fc040b9aab73d65ef132087fdaaba64fa8795a9eef4b6
? ? ? +24700af69d0be0c2f86c1fbfc8a90cc0f50c0a90232cd3ce9f5987cf442d4b00
? ? ? +0000405a720066a9593276d13e8b322c50381a926302d79ae6f571c5fcbbbefa
? ? ? +71a9d259b7efa16aca52365e60baf1aef8904d28f9332d71b3fb3e8ecb30bcfb
? ? ? +19053e
? ? ? --- /tmp/guix-directory.jSGCMh/lib/nss/libfreeblpriv3.chk
? ? ??? +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libfreeblpriv3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001009a
? ? ? -19ffb743e104ab34cda81d282b09c74ca73dab5baf4e5951814556e25fa92f09
? ? ? -fbb06af5f80893a2c4fb0295ef23c2e8302fc238fda3f3d582c9d3e8c062ae8a
? ? ? -e18dc7a48a1d9e97fc4d21e11abaeb7c98495f478affc6866742c48090d44b09
? ? ? -a5832f4648b1d165de42e279df2d1512bfe47dffffb65f0c543a6c92cfe8beed
? ? ? -3fa84456e6eef833bd675d04846d630eed817bfd153377745d5c6244e2f913ef
? ? ? -17a2b360bebd6f9a0fcbb24ed86e2d59ae5f28df2632518390d7e2f75a2da2fe
? ? ? -2bebf06b7d095a60282a93c38da54ae19625630aac1c4755339a047213ed98e9
? ? ? -91ad52e2723789c34498a0d0eb78055949383ab3a583363c653c5ef89a0c0200
? ? ? -000040862ab0814d947cfb3bf2cf74720e14c633e910a7d3d4d7a81364505701
? ? ? -c3c2c785f6f3804f8aa0de63449bc436f1eb9a4ce187392103de463caec69431
? ? ? -bffb74
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010038
? ? ? +5f7f605095448c566ae24ab5677dd5ff8519a2564d09c3550608f860b12d8e84
? ? ? +a4e5b87752d9bc32caba6bd53d181776624e22a217d9c7567a4556bcb316a13e
? ? ? +1ecf3d2aa360477073f1fa1d376704668122ec75d1d6177cd0368610d4c1c098
? ? ? +1ca41b0fdd1a188bf4940a5b0773e9c7178cd4141032d9f3bca8f77c480884f6
? ? ? +7a30ba559fcf7547abf80840bb0b42e7c3bb47bf3f064e20c827ce0b0ce48c8f
? ? ? +f7ecb9f513589edd858a5e5a3441b12e10a8bb61c93c3cf33d04c518804dcc27
? ? ? +7a9d0df213922ff752f8ea4cba6fb0f5ba8acb57dcf02d3746a7cc588b1362a8
? ? ? +2f7c7077399e18536ca1540e2a868780605dc4bf518a2c86dd2bc904df989f00
? ? ? +0000404547c764e3ab6f499e0ea3656a9332f2da71506a1a5178d4828657682a
? ? ? +c5f3f65eaf7212c1a7e41438bb48524eb5e1eff3d87080f1339c5d3e99369d56
? ? ? +ebc5fd
? ? ? --- /tmp/guix-directory.jSGCMh/lib/nss/libnssdbm3.chk
? ? ??? +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libnssdbm3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001002e
? ? ? -21ad266d676e56ae5ccc227879f1c1c6b9b6dd83eb7446a82f5a18bb09a4d252
? ? ? -4cb3f635179b88fdab69e30efbc1684d7bcd5f24b3c6c70a14b998b19c7af1a0
? ? ? -d3d79f75d2f3fd00a2fe19bfdcef007b67c2004f0571f670887e1f8ac7d1bf5d
? ? ? -3dea50a0117efd7ff049d41ee286e642a0fe43256d77146324ab6ce8a83ef8c4
? ? ? -9807d016f639f5ceb6f427062f5201e51e7776bb6463d89f9afeddbc7a9a28ee
? ? ? -653be542425efa441a6815238c5898d33d76b9e44ceb7353e98927bb2935e025
? ? ? -953cd7649241efaf3edbb5eed3abb7826c837dbbf2aaf1e1d9d2ee72dee0b3b5
? ? ? -0d872cd2eb74969baa23c186b00fa87b4951ae0eb3fa867fb6462fad73154800
? ? ? -0000403e373b8324248b0d53ba133dda29283d13350324847164c5ab29024678
? ? ? -03611368137b58211456ce78c50968bd1233758422d591805c87d25b64a5abda
? ? ? -09dda9
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001005b
? ? ? +7a928e5d253ed22eb50a37023609db35ebab0672812f924d3ea7b74be43f26d5
? ? ? +bc93ef30cd96d39daad0ab6eb98efab9047dcc73fa7b7dae259dc6a3f43255be
? ? ? +e519afbb0a727b75247fc078fa22c0f1c716655c99e30b24867974959b52179d
? ? ? +92d2b9bee276208c7ae5707975c55eea7125d83929709f5e63b6172e389a4858
? ? ? +6d10c85f501882a285a476692f97247993f4aef2243b803b36528fc26d384503
? ? ? +4437d3107e853f1d05a02f411e7e609ef720ff7bc299575d8840faaa40d33ddd
? ? ? +b58f03a0669be967bc8021dfea2bbce37ae23b3c929ff98396d12a84e0634834
? ? ? +1b80442fbbd9f7dcdda35dea83d1092c5ccc1ac2980bd0f3233bc82cbf165300
? ? ? +00004030d6ccc46ba7ac1abdce687718962041cf98cb55787191130175f9e0d1
? ? ? +ab8b2c610437f4e7a11d220d5989c3868d6db6257ab841d80ffcbff56d3b268c
? ? ? +5abbee
? ? ? --- /tmp/guix-directory.jSGCMh/lib/nss/libsoftokn3.chk
? ? ??? +++ /gnu/store/vs3dxnrkbf58s85p49phxp5xambafp2m-nss-3.59/lib/nss/libsoftokn3.chk
? ? ?? xxd not available in path. Falling back to Python hexlify.
? ? ? @@ -11,19 +11,19 @@
? ? ? 5c80e3430a9e943586d458a1ca22b973460bfb3e33f1d5d3b426bf50d7f20933
? ? ? 6ec0311b6d077086ca57f70b4a63f06fc88aed5060f311c744f3ce4e50422d85
? ? ? 335457038ddc664d6183171c7b0d65bc8f2c1986fce29f5d67fcd4a5f823a11a
? ? ? a2e11115843201ee88f15530e9743c1a2b54452e39b977e132af2d97e021ecf5
? ? ? 58e1c72ee0713d29a4d6e25f859c0504464189033cfab2cffad567ccec68fc83
? ? ? d91f2e4e9a5e77a1ffe66f048bf96b47c649d2886e29a31baee04f728a28940c
? ? ? 1d8c99a26ff8ba9990c7e5b13c1034866a6a1f396358e15e9795454038456f02
? ? ? -b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f000001001e
? ? ? -24d85331677aae2d94bd05a1efc093d260c20de07d57ee8c503956067275acf3
? ? ? -0059cbab61581aa1c386dba534f268f96c5b9f802ef57311f7fa53915e8018b6
? ? ? -d31abcd81c84f23d134ebe15127011e75cbbcaa809f6ca2d47f6ff67c3d02e8f
? ? ? -5984d85463d458e3b35b9c35a1355fe4fae0709dd303eb4481809e10d8ce7ac0
? ? ? -83ac85be99af4ce33520874f101665e0e77e7436ee6423cf82d4a8924aa53e51
? ? ? -d21d7766aa5665041c4d4ef75fddce637a754ca42941cf986e1bbce60012bc1a
? ? ? -5666674075c199c128048bcaee9dd35cb7e7248f553047c90e8e98511aeda17f
? ? ? -2c75e8280037910e500c7e03c7bc935a7ad8d719484ff45bba3393e672c92500
? ? ? -0000400605c2755588373f9f857d000b231c6d59cc6d0b1b08eb3f07a2b09cf7
? ? ? -9a980124839b4bf70a8f3759f4e72fabc28550469f353451c570eb7b4efeebb2
? ? ? -a15a6a
? ? ? +b5866eae2f327ea13a342c1cd3ff4e2c381caa2e66be323e3c065f0000010011
? ? ? +b0342b5cad4140db9fa893b68d1c5f3834c1cee9f95edc9b57a7968ec0c4ec2d
? ? ? +18ccded167b847137ec4b8361aa1e782ccd0797b4401382f5d120848b67930be
? ? ? +07389e0f52dda5f812d7462197594b4e86df50adedafbc57dc4e3160e09b8437
? ? ? +4570899257469c8e97d46d40fe0801d906dfe8bdc611a953b2d0690a0e1d6dc8
? ? ? +5c7699f30dee70856a6627847e08a710db7432e29b33474358005a53dfa5fa95
? ? ? +f23817dda29c64694119e48e7a9b2a428d5afc42c43dafe78994cde0f065b7b9
? ? ? +eca4ee565767ac13fe183cbac6c85002210e67ad8c5635c5bfde812c702b234a
? ? ? +1dc530f5ff737c7ca25224e7375e35077874a999921570273afab1eb91f96200
? ? ? +00004053356da884e81a92cd25fdea9dbd9137990a4e354d1421d50100bb7e56
? ? ? +934dc868d7b5b00f1a9b470ca3c27379af91e9695c8fdab671a160b6272f9276
? ? ? +d1fe04

1 store items were analyzed:
- 0 (0.0%) were identical
- 1 (100.0%) differed
- 0 (0.0%) were inconclusive
```
V
V
Vagrant Cascadian wrote on 7 Mar 23:16 +0100
Re: bug#40316: core-updates nss not reproducible
(address . 40316@debbugs.gnu.org)(address . control@debbugs.gnu.org)
87zfv9n0vy.fsf@wireframe
retitle 40316 nss not reproducible
thanks

Still an issue on master as of d29e5a83e887cd2f4f459a12cbbfc40c77e55ce2:

guix challenge --verbose --diff=simple nss
guix challenge: warning: could not determine current substitute URLs; using defaults
/gnu/store/mc9gdsm0cqpyd2522f5xghdl59p1l35r-nss-3.88.1 contents differ:
no local build for '/gnu/store/mc9gdsm0cqpyd2522f5xghdl59p1l35r-nss-3.88.1'
https://ci.guix.gnu.org/nar/lzip/mc9gdsm0cqpyd2522f5xghdl59p1l35r-nss-3.88.1:18xvq9cb7y2hajixnkk24bh969px0h5289hgby484iyg3x73sagp
differing files:
/lib/nss/libfreebl3.chk
/lib/nss/libfreeblpriv3.chk
/lib/nss/libnssdbm3.chk
/lib/nss/libsoftokn3.chk

1 store items were analyzed:
- 0 (0.0%) were identical
- 1 (100.0%) differed
- 0 (0.0%) were inconclusive

According to the notes in Debian, this is due to cryptographic
signatures performed at build time:



live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZeo8wQAKCRDcUY/If5cW
qpPOAQD3X++W8pz9obrPqz7Lu6lBT7irx7v7bPgKZylMqrwddgEAnZVMhE9BN2R5
5la3TTgaeQLzJ3OFykNGfOIeGuAy4QQ=
=H8rd
-----END PGP SIGNATURE-----

S
S
Steve George wrote on 23 Apr 14:42 +0200
Update needed of NSS
(address . 40316@debbugs.gnu.org)
ZiesyKIEQ-izI-3k@dragon2
Hi,

Confirmed nss doesn't build reproducibly on current core-updates branch.

Also looks like it needs an update to 3.99

Steve / Futurile
C
C
Christina O'Donnell wrote on 25 Apr 16:06 +0200
Re: Core updates status
(address . 40316@debbugs.gnu.org)
2dc99b59-cb76-f822-f2ce-027f523bb682@mutix.org
Hi Steve,

Toggle quote (4 lines)
> It would be good to confirm this one:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316

Still fails to reproduce with those changes applied.

The culprit is in nss/cmd/shlibsign/shlibsign.c:

shlibSignHMAC generates a new key-pair each time it's run:

    /* Generate a DSA key pair */
    logIt("Generate an HMAC key ... \n");
    crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
                                       hmacKeyTemplate,
PR_ARRAY_SIZE(hmacKeyTemplate),
                                       &hHMACKey);

Three options:
 1. Disable library signing entirely.
 2. Seed the generation to be deterministic.
 3. Drop in a HMAC key-pair and patch the code to use that instead of
generating.

2 and 3 defeat the point of the cryptographically secure supply chain as
the private key can be obtained deterministically, so my vote would be
simply  to not sign the libraries (1), which would be easier to
maintain. We're not the primary distributor and users can verify our
distribution of nss by running `guix challenge` anyway.

Toggle quote (2 lines)
> It looks like Zhen Junjie applied two patches to fix NSS cross-compilation on Master [0]

Building everything cross-compiled to ARM now.

Kind regards,

Christina
C
C
Christina O'Donnell wrote on 25 Apr 19:01 +0200
Re: nss not reproducible
(address . 40316@debbugs.gnu.org)
714bd3eb-76ed-2159-9761-f8614a1b164a@mutix.org
Hi,

I believe I have a fix for this, I'm just waiting on my machine to hurry
up and confirm it, might end up running over night, then I'll send my
patch up.

I'm doing two native builds and two cross-builds.

I've also updated to 3.99.

Kind regards,

Christina

On 25/04/2024 15:06, Christina O'Donnell wrote:
Toggle quote (41 lines)
> Hi Steve,
>
>> It would be good to confirm this one:
>>
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
>
> Still fails to reproduce with those changes applied.
>
> The culprit is in nss/cmd/shlibsign/shlibsign.c:
>
> shlibSignHMAC generates a new key-pair each time it's run:
>
>     /* Generate a DSA key pair */
>     logIt("Generate an HMAC key ... \n");
>     crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
>                                        hmacKeyTemplate,
> PR_ARRAY_SIZE(hmacKeyTemplate),
>                                        &hHMACKey);
>
> Three options:
>  1. Disable library signing entirely.
>  2. Seed the generation to be deterministic.
>  3. Drop in a HMAC key-pair and patch the code to use that instead of
> generating.
>
> 2 and 3 defeat the point of the cryptographically secure supply chain
> as the private key can be obtained deterministically, so my vote would
> be simply  to not sign the libraries (1), which would be easier to
> maintain. We're not the primary distributor and users can verify our
> distribution of nss by running `guix challenge` anyway.
>
>> It looks like Zhen Junjie applied two patches to fix NSS
>> cross-compilation on Master [0]
>
> Building everything cross-compiled to ARM now.
>
> Kind regards,
>
> Christina
>
>
C
C
Christina O'Donnell wrote on 26 Apr 23:33 +0200
[PATCH 0/6] WIP: nss: Update to 3.99
(address . 40316@debbugs.gnu.org)
cover.1714166213.git.cdo@mutix.org
Hi,

I've got as far as making nss 3.98 reproducible, however updating it to 3.99
results in 51 test failures. These are regressions, and worked correctly for
3.98. I'm not entirely sure what the issue is, but I've run out of time to
debug it this week, so I'm sending this patch up as is.

Up to patch 3 build correctly. Patch 4 is the first one that fails.

The issue specifically seems to all be related to FIPS:

A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has
occurred with the token or slot.

If someone could take a look at this and see if there's anything I've missded
then I'd appreciate that. Otherwise I'm free to pick it back up again on
Tuesday.

Let me know if you have any questions.

Kind regards,
Christina

Christina O'Donnell (4):
gnu: nss: Make reproducible.
gnu: nss: Update to 3.99.
gnu: nss-certs: Update to 3.99.
WIP: nss: Attempting to resolve FIPS regression.

Zheng Junjie (2):
gnu: nss: Fix cross-compilation.
gnu: nspr: Fix cross-compilation.

gnu/packages/certs.scm | 24 +++++--
gnu/packages/nss.scm | 30 +++++++--
.../patches/nss-Disable-library-signing.patch | 67 +++++++++++++++++++
3 files changed, 111 insertions(+), 10 deletions(-)
create mode 100644 gnu/packages/patches/nss-Disable-library-signing.patch


base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
--
2.41.0
C
C
Christina O'Donnell wrote on 26 Apr 23:33 +0200
[PATCH 3/6] gnu: nss: Make reproducible.
(address . 40316@debbugs.gnu.org)
ba7d0083ae84b8ff3bd5e01a633cbe32226f8651.1714166213.git.cdo@mutix.org
gnu/packages/patches/nss-Disable-library-signing.patch: Disable library
signing to make the build reproducible.
gnu/packages/nss.scm (nss): Apply this new patch.

Change-Id: I7860bae219ecc4a79423a590c27a1097ae2e7874
---
gnu/packages/nss.scm | 3 +-
.../patches/nss-Disable-library-signing.patch | 67 +++++++++++++++++++
2 files changed, 69 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-Disable-library-signing.patch

Toggle diff (89 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f373..b608a995577 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,8 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch
new file mode 100644
index 00000000000..b488d29dcad
--- /dev/null
+++ b/gnu/packages/patches/nss-Disable-library-signing.patch
@@ -0,0 +1,67 @@
+From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001
+Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Thu, 25 Apr 2024 16:35:50 +0100
+Subject: [PATCH] nss: Disable library signing.
+
+---
+ nss/cmd/shlibsign/Makefile | 32 +-------------------------------
+ 1 file changed, 1 insertion(+), 31 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/Makefile b/nss/cmd/shlibsign/Makefile
+index a119205..7a85c1d 100644
+--- a/nss/cmd/shlibsign/Makefile
++++ b/nss/cmd/shlibsign/Makefile
+@@ -43,22 +43,9 @@ EXTRA_SHARED_LIBS += \
+
+ endif
+
+-
+-# sign any and all shared libraries that contain the word freebl
+-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++# Disable library signing as it's non-deterministic
+ CHECKLIBS =
+ CHECKLOC =
+-else
+-CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
+-CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
+-ifndef NSS_DISABLE_DBM
+-CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
+-endif
+-CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
+-
+-MD_LIB_RELEASE_FILES = $(CHECKLOC)
+-ALL_TRASH += $(CHECKLOC)
+-endif
+
+ #######################################################################
+ # (5) Execute "global" rules. (OPTIONAL) #
+@@ -78,23 +65,6 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+
+ include ../platrules.mk
+
+-SRCDIR = $(call core_abspath,.)
+-
+-%.chk: %.$(DLL_SUFFIX)
+-ifeq ($(OS_TARGET), OS2)
+- cd $(OBJDIR) ; cmd.exe /c $(SRCDIR)/sign.cmd $(DIST) \
+- $(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
+- $(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+-else
+- ifeq ($(CROSS_COMPILE),1)
+- # do nothing
+- else
+- cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \
+- $(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
+- $(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+- endif
+-endif
+-
+ libs: install
+ ifdef CHECKLOC
+ $(MAKE) $(CHECKLOC)
+
+base-commit: 2951778f8e8855bed24754a57ecc43f02a2843dd
+--
+2.41.0
+
--
2.41.0
C
C
Christina O'Donnell wrote on 26 Apr 23:33 +0200
[PATCH 1/6] gnu: nss: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
5ac99f62f8c43d2df3f64cd77ccbe0540dd82269.1714166213.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.

Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)

Toggle diff (27 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead8..459e53bc1cf 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
--
2.41.0
C
C
Christina O'Donnell wrote on 26 Apr 23:33 +0200
[PATCH 2/6] gnu: nspr: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
1ea4518f8c971f69a4731da7559c7ab322ff77ed.1714166213.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.

Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Toggle diff (18 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1cf..0baafe2f373 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
C
C
Christina O'Donnell wrote on 26 Apr 23:34 +0200
[PATCH 4/6] gnu: nss: Update to 3.99.
(address . 40316@debbugs.gnu.org)
e7eea53f912ca11685ddc2519e9090bb52c7ed6b.1714166213.git.cdo@mutix.org
gnu/packages/nss.scm (nss): Update to 3.99.

Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (24 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index b608a995577..80667d8affe 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
--
2.41.0
C
C
Christina O'Donnell wrote on 26 Apr 23:34 +0200
[PATCH 5/6] gnu: nss-certs: Update to 3.99.
(address . 40316@debbugs.gnu.org)
4e8fc191444bf48b1d1b8d21c3f1a723c4f4ad85.1714166213.git.cdo@mutix.org
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.

Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)

Toggle diff (52 lines)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d11..7aa96493fbe 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
C
C
Christina O'Donnell wrote on 26 Apr 23:34 +0200
[PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.
(address . 40316@debbugs.gnu.org)
bfed33ceadbd21b2688266f5e3a2918332c264c9.1714166213.git.cdo@mutix.org
There are 51 new test failures which all appear to be related to FIPS.

For example:

modutil -dbdir /tmp/guix-build-nss-3.99.drv-0/nss-3.99/tests_results/security/localhost.1/fips -fips true

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
ERROR: Unable to switch FIPS modes.
cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (11) - FAILED
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate failed 11

Change-Id: If0d57bb9e129eb862fae1a28d9779c6100e0a23d
---
gnu/packages/nss.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

Toggle diff (43 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 80667d8affe..a8fb6965c2c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -134,6 +134,10 @@ (define-public nss
(delete-file-recursively "nss/lib/sqlite")))))
(build-system gnu-build-system)
(outputs '("out" "bin"))
+ ;; (search-paths
+ ;; (list (search-path-specification
+ ;; (variable "LD_LIBRARY_PATH")
+ ;; (files '("lib")))))
(arguments
(list
#:make-flags
@@ -161,12 +165,15 @@ (define-public nss
#$@(if (%current-target-system)
#~("CROSS_COMPILE=1")
#~())
+ (string-append "NSS_FORCE_FIPS=1")
+ (string-append "NSPR_LIB_DIR="
+ (string-append #$nspr "/lib"))
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
;; Add $out/lib/nss to RPATH.
(string-append "RPATH=" rpath)
- (string-append "LDFLAGS=" rpath)))
+ (string-append "LDFLAGS=" rpath " -L" #$nspr "/lib")))
#:modules '((guix build gnu-build-system)
(guix build utils)
(ice-9 ftw)
@@ -203,6 +210,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+ ;; (setenv "LD_LIBRARY_PATH"
+ ;; (string-append (getenv "LD_LIBRARY_PATH")))
;; The "PayPalEE.cert" certificate expires every six months,
;; leading to test failures:
--
2.41.0
V
V
Vagrant Cascadian wrote on 27 Apr 00:58 +0200
Re: [PATCH 3/6] gnu: nss: Make reproducible.
87o79vybmn.fsf@wireframe
On 2024-04-26, Christina O'Donnell wrote:
Toggle quote (4 lines)
> gnu/packages/patches/nss-Disable-library-signing.patch: Disable library
> signing to make the build reproducible.
> gnu/packages/nss.scm (nss): Apply this new patch.

Nice!


Toggle quote (16 lines)
> diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch
> new file mode 100644
> index 00000000000..b488d29dcad
> --- /dev/null
> +++ b/gnu/packages/patches/nss-Disable-library-signing.patch
> @@ -0,0 +1,67 @@
> +From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001
> +Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org>
> +From: Christina O'Donnell <cdo@mutix.org>
> +Date: Thu, 25 Apr 2024 16:35:50 +0100
> +Subject: [PATCH] nss: Disable library signing.
> +
> +---
> + nss/cmd/shlibsign/Makefile | 32 +-------------------------------
> + 1 file changed, 1 insertion(+), 31 deletions(-)

I think it would be good to explain why this patch is included, not just
in the git commit message, but in the patch comments itself. I realize
the patch actually includes a comment about non-determinism, but it is a
bit lost in the diff.

Also, might be worth briefly explaining why disabling this feature is
unlikely to break anything, etc.

Curious if there might be some way to leave most of the code in place,
disable it... otherwise on version updates it is more likely to result
in conflicts with even minor changes...


live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZiwxoAAKCRDcUY/If5cW
qsQ5AQDJ/1xNdBXkWi9aT/MbiZO30A0F22MvfMv5LLUbX5WIXAEAxXLjwe8V188l
hwmE+P+mEqzNrlOzfqveZAXd/xk63gQ=
=tJPX
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 2 May 10:15 +0200
Re: bug#40316: nss not reproducible
(name . Christina O'Donnell)(address . cdo@mutix.org)
87jzkc1vfb.fsf_-_@gnu.org
Hi Christina,

Nice work!

Christina O'Donnell <cdo@mutix.org> skribis:

Toggle quote (5 lines)
> I've got as far as making nss 3.98 reproducible, however updating it to 3.99
> results in 51 test failures. These are regressions, and worked correctly for
> 3.98. I'm not entirely sure what the issue is, but I've run out of time to
> debug it this week, so I'm sending this patch up as is.

Not sure if this is related, but we’re seeing test failures due to
timing issues right now with 3.98:


Thank you!

Ludo’.
C
C
Christina O'Donnell wrote on 2 May 13:00 +0200
[PATCH v2 0/6] Attempt to make nss reproducible
(address . 40316@debbugs.gnu.org)
cover.1714646232.git.cdo@mutix.org
This patch series is an incomplete attempt to make nss reproducible. Currently
this fails 4 tests due to NSS_FIPS_DISABLED not being respected.

Christina O'Donnell (4):
gnu: nss: Update to 3.99.
gnu: nss-certs: Update to 3.99.
gnu: nss: Attempt to disable FIPS.
gnu: nss: Disable FIPS in lowhashtest.

Zheng Junjie (2):
gnu: nss: Fix cross-compilation.
gnu: nspr: Fix cross-compilation.

gnu/packages/certs.scm | 24 +++++++++++---
gnu/packages/nss.scm | 27 ++++++++++++---
.../nss-disable-fips-in-lowhashtest.patch | 28 ++++++++++++++++
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
4 files changed, 102 insertions(+), 10 deletions(-)
create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch


base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 13:00 +0200
[PATCH v2 2/6] gnu: nspr: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
1ea4518f8c971f69a4731da7559c7ab322ff77ed.1714647502.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.

Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Toggle diff (18 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 13:00 +0200
[PATCH v2 3/6] gnu: nss: Update to 3.99.
(address . 40316@debbugs.gnu.org)
989784d90c983cde67b2d8732b16fcd22f84f8a5.1714647502.git.cdo@mutix.org
gnu/packages/nss.scm (nss): Update to 3.99.

Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (33 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+ (invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 13:00 +0200
[PATCH v2 4/6] gnu: nss-certs: Update to 3.99.
(address . 40316@debbugs.gnu.org)
4468679c910db18313820a2cdd3166f529f4c78e.1714647502.git.cdo@mutix.org
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.

Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)

Toggle diff (52 lines)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 13:00 +0200
[PATCH v2 1/6] gnu: nss: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
5ac99f62f8c43d2df3f64cd77ccbe0540dd82269.1714647502.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.

Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)

Toggle diff (29 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))

base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 13:00 +0200
[PATCH v2 5/6] gnu: nss: Attempt to disable FIPS.
(address . 40316@debbugs.gnu.org)
588f4c610bded4fb26108e40a5dffd4d8d12a026.1714647502.git.cdo@mutix.org
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is inherently
non-determinstic.

This patch is an incomplete attempt to get the tests to succeed by disabling
inapplicable tests, i.e. tests that depend on FIPS.

I have passed NSS_FIPS_DISABLED=1 to the Makefile however it seems to be
ignoring it for no logical reason.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
---
gnu/packages/nss.scm | 8 ++++-
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
2 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

Toggle diff (74 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..08e4cb06ee 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,8 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-disable-shlibsign.patch"))
(modules '((guix build utils)))
(snippet
'(begin
@@ -141,6 +142,9 @@ (define-public nss
(string-append "PREFIX=" #$output)
"NSDISTMODE=copy"
"NSS_USE_SYSTEM_SQLITE=1"
+ ;; No FIPS because it adds non-determinism.
+ "NSS_FIPS_DISABLED=1"
+ "NSS_NO_INIT_SUPPORT=1"
;; The gtests fail to compile on riscv64.
;; Skipping them doesn't affect the test suite.
#$@(if (target-riscv64?)
@@ -202,6 +206,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+ (setenv "NSS_CYCLES" "standard")
+ (setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy")
;; The "PayPalEE.cert" certificate expires every six months,
;; leading to test failures:
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 0000000000..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
++++ b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+- echo "${2}"/shlibsign -v -i "${5}"
+- "${2}"/shlibsign -v -i "${5}"
++ # Disable lib signing as it generates its keys through a non-deterministic
++ # process.
++ # echo "${2}"/shlibsign -v -i "${5}"
++ # "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+--
+2.41.0
+
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 13:00 +0200
[PATCH v2 6/6] gnu: nss: Disable FIPS in lowhashtest.
(address . 40316@debbugs.gnu.org)
bab329436b84740e67927d6ba48aae5d3bc23667.1714647502.git.cdo@mutix.org
* gnu/packages/nss.scm (nss): Disable FIPS in lowhashtests.
This is required as FIPS is inherently non-deterministic, making the build no
longer reproducible.

Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
---
gnu/packages/nss.scm | 3 +-
.../nss-disable-fips-in-lowhashtest.patch | 28 +++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch

Toggle diff (50 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 08e4cb06ee..02081c32e1 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -125,7 +125,8 @@ (define-public nss
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
"nss-increase-test-timeout.patch"
- "nss-disable-shlibsign.patch"))
+ "nss-disable-shlibsign.patch"
+ "nss-disable-fips-in-lowhashtest.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch b/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
new file mode 100644
index 0000000000..c8fc1e7e7a
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
@@ -0,0 +1,28 @@
+From f32bd353c5b741d6da5811fd40681dda80799bfb Mon Sep 17 00:00:00 2001
+Message-ID: <f32bd353c5b741d6da5811fd40681dda80799bfb.1714591857.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 20:30:15 +0100
+Subject: [PATCH] nss: Disable FIPS in lowhashtest.
+
+---
+ nss/tests/lowhash/lowhash.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/tests/lowhash/lowhash.sh b/nss/tests/lowhash/lowhash.sh
+index 2984b9b..9dcc89b 100755
+--- a/nss/tests/lowhash/lowhash.sh
++++ b/nss/tests/lowhash/lowhash.sh
+@@ -63,7 +63,7 @@ lowhash_test()
+ else
+ TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
+ OLD_MODE=`echo ${NSS_FIPS}`
+- for fips_mode in 0 1; do
++ for fips_mode in 0; do
+ echo "lowhashtest with fips mode=${fips_mode}"
+ export NSS_FIPS=${fips_mode}
+ for TEST in ${TESTS}
+
+base-commit: 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0
+--
+2.41.0
+
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 14:33 +0200
[PATCH v3 5/5] gnu: nss: Make reproducible.
(address . 40316@debbugs.gnu.org)
eab5119196e0063e841d19752bb72a320e671f03.1714653076.git.cdo@mutix.org
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is inherently
non-determinstic. This removes all non-determinism from this package.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1
---
gnu/packages/nss.scm | 6 +++-
.../nss-define-NSS_FIPS_DISABLED.patch | 29 ++++++++++++++++
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
3 files changed, 67 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

Toggle diff (100 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..404baaf550 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,9 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-disable-shlibsign.patch"
+ "nss-define-NSS_FIPS_DISABLED.patch"))
(modules '((guix build utils)))
(snippet
'(begin
@@ -202,6 +204,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+ (setenv "NSS_CYCLES" "standard")
+ (setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy")
;; The "PayPalEE.cert" certificate expires every six months,
;; leading to test failures:
diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
new file mode 100644
index 0000000000..40ac66e365
--- /dev/null
+++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
@@ -0,0 +1,29 @@
+From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001
+Message-ID: <e89a33daac982107421117ad95ae8443ef316079.1714649801.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Thu, 2 May 2024 12:34:40 +0100
+Subject: [PATCH] Define NSS_FIPS_DISABLED.
+
+Disable FIPS as it depends on shlibsign which is non-deterministic.
+---
+ nss/coreconf/config.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 741bbee..e02e5d2 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -215,7 +215,7 @@ endif
+ # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+-DEFINES += -DNSS_NO_INIT_SUPPORT
++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+
+base-commit: 490a62da7d23b579fab71a84e2107f414187738d
+--
+2.41.0
+
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 0000000000..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
++++ b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+- echo "${2}"/shlibsign -v -i "${5}"
+- "${2}"/shlibsign -v -i "${5}"
++ # Disable lib signing as it generates its keys through a non-deterministic
++ # process.
++ # echo "${2}"/shlibsign -v -i "${5}"
++ # "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+--
+2.41.0
+
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 14:33 +0200
[PATCH v3 3/5] gnu: nss: Update to 3.99.
(address . 40316@debbugs.gnu.org)
989784d90c983cde67b2d8732b16fcd22f84f8a5.1714653076.git.cdo@mutix.org
gnu/packages/nss.scm (nss): Update to 3.99.

Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (33 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+ (invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 14:33 +0200
[PATCH v3 4/5] gnu: nss-certs: Update to 3.99.
(address . 40316@debbugs.gnu.org)
4468679c910db18313820a2cdd3166f529f4c78e.1714653076.git.cdo@mutix.org
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.

Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)

Toggle diff (52 lines)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 14:33 +0200
[PATCH v3 1/5] gnu: nss: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
5ac99f62f8c43d2df3f64cd77ccbe0540dd82269.1714653076.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.

Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)

Toggle diff (27 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 14:33 +0200
[PATCH v3 2/5] gnu: nspr: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
1ea4518f8c971f69a4731da7559c7ab322ff77ed.1714653076.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.

Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Toggle diff (18 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 14:42 +0200
Re: [PATCH v2 0/6] Attempt to make nss reproducible
(address . 40316@debbugs.gnu.org)
3cdb10cf-2fc5-d042-5fb7-15037911340d@mutix.org
Hi,

Please disregard my v2 patch. I now see where I went wrong and it's now
working as expected on my machine.

I've sent an updated (v3) patch which builds successfully on x86_64,
though I haven't yet tried cross-compiling or confirmed that it's still
building reproducibly.

Sorry for the noise.

Christina

On 02/05/2024 12:00, Christina O'Donnell wrote:
Toggle quote (23 lines)
> This patch series is an incomplete attempt to make nss reproducible. Currently
> this fails 4 tests due to NSS_FIPS_DISABLED not being respected.
>
> Christina O'Donnell (4):
> gnu: nss: Update to 3.99.
> gnu: nss-certs: Update to 3.99.
> gnu: nss: Attempt to disable FIPS.
> gnu: nss: Disable FIPS in lowhashtest.
>
> Zheng Junjie (2):
> gnu: nss: Fix cross-compilation.
> gnu: nspr: Fix cross-compilation.
>
> gnu/packages/certs.scm | 24 +++++++++++---
> gnu/packages/nss.scm | 27 ++++++++++++---
> .../nss-disable-fips-in-lowhashtest.patch | 28 ++++++++++++++++
> .../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
> 4 files changed, 102 insertions(+), 10 deletions(-)
> create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
> create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch
>
>
> base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
C
C
Christina O'Donnell wrote on 2 May 14:51 +0200
Re: [PATCH 3/6] gnu: nss: Make reproducible.
f019a921-88aa-b25a-f12a-6fd608c7cdc4@mutix.org
Hi Vagrant,

On 26/04/2024 23:58, Vagrant Cascadian wrote:
Toggle quote (6 lines)
> On 2024-04-26, Christina O'Donnell wrote:
>> gnu/packages/patches/nss-Disable-library-signing.patch: Disable library
>> signing to make the build reproducible.
>> gnu/packages/nss.scm (nss): Apply this new patch.
> Nice!

I have reordered my commits to first update to 3.99, before making nss
reproducible. The more

This is similar to the approach that Nix takes,  though Nix adds a
parameter that enables FIPS and shlibsign again. Is it worth adding a
parameter to re-enable FIPS?

Toggle quote (19 lines)
>> diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch
>> new file mode 100644
>> index 00000000000..b488d29dcad
>> --- /dev/null
>> +++ b/gnu/packages/patches/nss-Disable-library-signing.patch
>> @@ -0,0 +1,67 @@
>> +From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001
>> +Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org>
>> +From: Christina O'Donnell <cdo@mutix.org>
>> +Date: Thu, 25 Apr 2024 16:35:50 +0100
>> +Subject: [PATCH] nss: Disable library signing.
>> +
>> +---
>> + nss/cmd/shlibsign/Makefile | 32 +-------------------------------
>> + 1 file changed, 1 insertion(+), 31 deletions(-)
> I think it would be good to explain why this patch is included, not just
> in the git commit message, but in the patch comments itself. I realize
> the patch actually includes a comment about non-determinism, but it is a
> bit lost in the diff.
Okay I've added a description to the v3 patch.
Toggle quote (3 lines)
> Also, might be worth briefly explaining why disabling this feature is
> unlikely to break anything, etc.

I was actually wrong wrong about this on my v1 patch, that did break the
FIPS tests. However disabling FIPS is what Nix does by default and all
other tests pass without it.

I have noticed that Nix parameterizes on whether FIPS is enabled so
users can re-enable FIPS if they need it for their use-cases. Is it
worth doing something similar here, or would that add too much complexity?

Toggle quote (4 lines)
> Curious if there might be some way to leave most of the code in place,
> disable it... otherwise on version updates it is more likely to result
> in conflicts with even minor changes...

I've shrunk the patches to be a few lines each.

Kind regards,

Christina


Toggle quote (2 lines)
> live well,
> vagrant
C
C
Christina O'Donnell wrote on 2 May 17:15 +0200
[PATCH v4 1/5] gnu: nss: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
5ac99f62f8c43d2df3f64cd77ccbe0540dd82269.1714662574.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.

Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 7 +++++++
1 file changed, 7 insertions(+)

Toggle diff (27 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""))))
#~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 17:15 +0200
[PATCH v4 3/5] gnu: nss: Update to 3.99.
(address . 40316@debbugs.gnu.org)
989784d90c983cde67b2d8732b16fcd22f84f8a5.1714662574.git.cdo@mutix.org
gnu/packages/nss.scm (nss): Update to 3.99.

Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
gnu/packages/nss.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (33 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.88.1")
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
"nss-" version ".tar.gz")))
(sha256
(base32
- "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
;; leading to test failures:
;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+ (invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
(format #t "test suite not run~%"))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 17:15 +0200
[PATCH v4 0/5] gnu: nss: Make reproducible.
(address . 40316@debbugs.gnu.org)
cover.1714662574.git.cdo@mutix.org
This patch-set is a slight modification of the previous one with a single change:

In the last commit, I have removed the specification of test parameters that
previously reduced the number of tests. This wasn't justified in the commit
message and turned out to be unnecessary anyway.

Christina O'Donnell (3):
gnu: nss: Update to 3.99.
gnu: nss-certs: Update to 3.99.
gnu: nss: Make reproducible.

Zheng Junjie (2):
gnu: nss: Fix cross-compilation.
gnu: nspr: Fix cross-compilation.

gnu/packages/certs.scm | 24 +++++++++++---
gnu/packages/nss.scm | 22 ++++++++++---
.../nss-define-NSS_FIPS_DISABLED.patch | 29 ++++++++++++++++
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
4 files changed, 98 insertions(+), 10 deletions(-)
create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch


base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 17:15 +0200
[PATCH v4 5/5] gnu: nss: Make reproducible.
(address . 40316@debbugs.gnu.org)
12fc4d22d99423f78edd650bdd1c9816294dcc56.1714662574.git.cdo@mutix.org
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is inherently
non-determinstic. This removes all non-determinism from this package.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1
---
gnu/packages/nss.scm | 4 ++-
.../nss-define-NSS_FIPS_DISABLED.patch | 29 ++++++++++++++++
.../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++
3 files changed, 65 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

Toggle diff (91 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..ecc1c5156b 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,9 @@ (define-public nss
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-disable-shlibsign.patch"
+ "nss-define-NSS_FIPS_DISABLED.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
new file mode 100644
index 0000000000..40ac66e365
--- /dev/null
+++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
@@ -0,0 +1,29 @@
+From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001
+Message-ID: <e89a33daac982107421117ad95ae8443ef316079.1714649801.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Thu, 2 May 2024 12:34:40 +0100
+Subject: [PATCH] Define NSS_FIPS_DISABLED.
+
+Disable FIPS as it depends on shlibsign which is non-deterministic.
+---
+ nss/coreconf/config.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 741bbee..e02e5d2 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -215,7 +215,7 @@ endif
+ # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+-DEFINES += -DNSS_NO_INIT_SUPPORT
++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+
+base-commit: 490a62da7d23b579fab71a84e2107f414187738d
+--
+2.41.0
+
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 0000000000..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
++++ b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+- echo "${2}"/shlibsign -v -i "${5}"
+- "${2}"/shlibsign -v -i "${5}"
++ # Disable lib signing as it generates its keys through a non-deterministic
++ # process.
++ # echo "${2}"/shlibsign -v -i "${5}"
++ # "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+--
+2.41.0
+
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 17:15 +0200
[PATCH v4 4/5] gnu: nss-certs: Update to 3.99.
(address . 40316@debbugs.gnu.org)
4468679c910db18313820a2cdd3166f529f4c78e.1714662574.git.cdo@mutix.org
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.

Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
gnu/packages/certs.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)

Toggle diff (52 lines)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
that was originally contributed to Debian.")
(license license:isc))))
-(define-public nss-certs
+(define-public nss-certs-3.88.1
(package
(name "nss-certs")
;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
(license license:mpl2.0)))
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
(package
- (inherit nss-certs)
- (version "3.98")
+ (inherit nss-certs-3.88.1)
+ (version "3.99")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))))
+ "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"
+ "nss-Disable-library-signing.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))))
+
+(define-public nss-certs
+ nss-certs-3.99)
(define-public le-certs
(package
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 17:15 +0200
[PATCH v4 2/5] gnu: nspr: Fix cross-compilation.
(address . 40316@debbugs.gnu.org)
1ea4518f8c971f69a4731da7559c7ab322ff77ed.1714662574.git.cdo@mutix.org
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>

* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.

Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie <zhengjunjie@iscas.ac.cn>
---
gnu/packages/nss.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Toggle diff (18 lines)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
C
C
Christina O'Donnell wrote on 2 May 17:20 +0200
Re: bug#40316: nss not reproducible
(name . Ludovic Courtès)(address . ludo@gnu.org)
265e4d6b-c83d-e477-3025-9d4f7187f849@mutix.org
Hi Ludo',

This doesn't look directly related. I haven't seen anything like this
occur when I build it.

Tangentially, given how long nss takes to build, do you think that it'd
be worth shaving it down to a single test pass? Currently it runs each
test up to 3 times, which takes ~1h on my machine with no other build
running. Running only the standard pass takes 2.5-3x less time, which is
a huge quality of life improvement.

Kind regards,

Christina

On 02/05/2024 09:15, Ludovic Courtès wrote:
Toggle quote (18 lines)
> Hi Christina,
>
> Nice work!
>
> Christina O'Donnell <cdo@mutix.org> skribis:
>
>> I've got as far as making nss 3.98 reproducible, however updating it to 3.99
>> results in 51 test failures. These are regressions, and worked correctly for
>> 3.98. I'm not entirely sure what the issue is, but I've run out of time to
>> debug it this week, so I'm sending this patch up as is.
> Not sure if this is related, but we’re seeing test failures due to
> timing issues right now with 3.98:
>
> https://issues.guix.gnu.org/70693
>
> Thank you!
>
> Ludo’.
T
T
Tobias Alexandra Platen wrote on 5 May 10:00 +0200
(address . bug-guix@gnu.org)
4e6a8ae18ff07f802bb3bb7028a3959f570e34be.camel@platen-software.de
Building nss on my Talos II takes a long time, I did not test weather
it is reproducible. It seems that there are no binaries from the
build farm.

Alex
L
L
Ludovic Courtès wrote on 6 May 12:12 +0200
(name . Christina O'Donnell)(address . cdo@mutix.org)
8734qvl05q.fsf@gnu.org
Hi,

Christina O'Donnell <cdo@mutix.org> skribis:

Toggle quote (6 lines)
> Tangentially, given how long nss takes to build, do you think that
> it'd be worth shaving it down to a single test pass? Currently it runs
> each test up to 3 times, which takes ~1h on my machine with no other
> build running. Running only the standard pass takes 2.5-3x less time,
> which is a huge quality of life improvement.

Currently we run ./nss/tests/all.sh, which I suppose is what upstream
recommends to run tests.

For sure I’d be happy if the test suite could run faster, but does
upstream offer such an option? When you say “a single pass”, is that
something upstream supports?

Thanks,
Ludo’.
C
C
Christina O'Donnell wrote on 6 May 13:37 +0200
(name . Ludovic Courtès)(address . ludo@gnu.org)
c6f6cd42-4878-01f1-2b59-5fea771838ad@mutix.org
Hi,

On 06/05/2024 11:12, Ludovic Courtès wrote:
Toggle quote (15 lines)
> Hi,
>
> Christina O'Donnell <cdo@mutix.org> skribis:
>
>> Tangentially, given how long nss takes to build, do you think that
>> it'd be worth shaving it down to a single test pass? Currently it runs
>> each test up to 3 times, which takes ~1h on my machine with no other
>> build running. Running only the standard pass takes 2.5-3x less time,
>> which is a huge quality of life improvement.
> Currently we run ./nss/tests/all.sh, which I suppose is what upstream
> recommends to run tests.
>
> For sure I’d be happy if the test suite could run faster, but does
> upstream offer such an option? When you say “a single pass”, is that
> something upstream supports?
Yes, you can control the tests by setting environment variables
NSS_TESTS to a list of tests and NSS_CYCLES to a list of 'cycles' (what
I previously called passes). The default is:

"standard pkix threadunsafe"

* 'standard' runs all of the below tests with default settings: "cipher
lowhash cert dbtests tools sdr crmf smime ssl ocsp merge pkits ec gtests
ssl_gtests policy"

* 'pkix' runs the tests "lowhash libpkix cert tools ssl ocsp pkits ec
gtests ssl_gtests policy" with PKIX enabled.

* 'thread_unsafe' runs "ssl ssl_gtests" with "THREAD_UNSAFE" enabled.

My thinking would be to run the thread_unsafe cycle normally, but to
reduce the test overlap between standard and pkix however, I can't say
that I'm knowledgeable enough of NSS to claim that that wouldn't leave
gaps that might bite us some point down the line. So it might be best to
leave it as is unless someone familiar with NSS can confirm that it'd be
safe to disable some tests/cycles.

Kind regards,

Christina
L
L
Ludovic Courtès wrote on 14 May 11:15 +0200
(name . Christina O'Donnell)(address . cdo@mutix.org)
87msos69fd.fsf@gnu.org
Hi,

Christina O'Donnell <cdo@mutix.org> skribis:

Toggle quote (2 lines)
> On 06/05/2024 11:12, Ludovic Courtès wrote:

[...]

Toggle quote (18 lines)
>> For sure I’d be happy if the test suite could run faster, but does
>> upstream offer such an option? When you say “a single pass”, is that
>> something upstream supports?
> Yes, you can control the tests by setting environment variables
> NSS_TESTS to a list of tests and NSS_CYCLES to a list of 'cycles'
> (what I previously called passes). The default is:
>
> "standard pkix threadunsafe"
>
> * 'standard' runs all of the below tests with default settings:
> "cipher lowhash cert dbtests tools sdr crmf smime ssl ocsp merge
> pkits ec gtests ssl_gtests policy"
>
> * 'pkix' runs the tests "lowhash libpkix cert tools ssl ocsp pkits ec
> gtests ssl_gtests policy" with PKIX enabled.
>
> * 'thread_unsafe' runs "ssl ssl_gtests" with "THREAD_UNSAFE" enabled.

Interesting.

Toggle quote (7 lines)
> My thinking would be to run the thread_unsafe cycle normally, but to
> reduce the test overlap between standard and pkix however, I can't say
> that I'm knowledgeable enough of NSS to claim that that wouldn't leave
> gaps that might bite us some point down the line. So it might be best
> to leave it as is unless someone familiar with NSS can confirm that
> it'd be safe to disable some tests/cycles.

Right, there doesn’t seem to be an obvious way to disable those without
also weakening test coverage. I wonder what Debian and others are
doing.

Thanks for explaining!

Ludo’.
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 40316@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 40316
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch