gnutls 3.6.12 fails to build: FAIL: status-request-revoked

Open. Submitted by Christopher Baines.
Details
3 participants
  • Ludovic Courtès
  • Christopher Baines
  • Marius Bakke
Owner
unassigned
Severity
important
Christopher Baines wrote on 10 Nov 21:49 +0100
(address . bug-guix@gnu.org)
87d00los2d.fsf@cbaines.net
I found this when trying to build guile3.0-gnutls:
guix time-machine --commit=94585fffb23079fe71110e2bf99782eb4ccfa12b -- build --no-grafts --check guile3.0-gnutls
FAIL: status-request-revoked
============================

trying NORMAL:-VERS-ALL:+VERS-TLS1.2
received status request
received status request
cert_verify_callback:263: certificate verify status doesn't match: 100402 != 22
FAIL status-request-revoked (exit status: 1)
Ludovic Courtès wrote on 12 Nov 22:06 +0100
(name . Christopher Baines)(address . mail@cbaines.net)(address . 44559@debbugs.gnu.org)
87v9eaffpa.fsf@gnu.org
Hi,
Christopher Baines <mail@cbaines.net> skribis:
> I found this when trying to build guile3.0-gnutls:
>
> guix time-machine --commit=94585fffb23079fe71110e2bf99782eb4ccfa12b -- build --no-grafts --check guile3.0-gnutls
>
> FAIL: status-request-revoked
> ============================
>
> trying NORMAL:-VERS-ALL:+VERS-TLS1.2
> received status request
> received status request
> cert_verify_callback:263: certificate verify status doesn't match: 100402 != 22
> FAIL status-request-revoked (exit status: 1)
This was fixed upstream between 3.6.12 and 3.6.14 with this patch by Bernhard (it’s a small world!):

commit ed208fe55f31478732fd6cc394f9576b315a42cd
Author: Bernhard M. Wiedemann <bwiedemann@suse.de>
Date: Sun Apr 5 15:09:57 2020 +0200

    tests: Fix status-request-revoked after 2020-10-24

    included certs expire 2020-10-24 so this test fails after that date.

    Fixes #967

    This patch was done while working on reproducible builds for openSUSE.

    Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
The question for us becomes how to ensure long-term reproducibility in the presence of such bugs.
In this case, I think the only solution would be to change the system clock when one rebuilds GnuTLS (or to use ‘--without-tests=gnutls’, but you end up with different derivations, which is not necessarily desirable).
Thoughts?
Ludo’.
Marius Bakke wrote on 12 Nov 22:18 +0100
(address . 44559@debbugs.gnu.org)
87zh3mb7fr.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> writes:
> The question for us becomes how to ensure long-term reproducibility in
> the presence of such bugs.
>
> In this case, I think the only solution would be to change the system
> clock when one rebuilds GnuTLS (or to use ‘--without-tests=gnutls’, but
> you end up with different derivations, which is not necessarily
> desirable).
>
> Thoughts?
There is a related bug report here:
https://issues.guix.gnu.org/39310
Perhaps we could make a "--with-system-clock" option for 'guix build' that instructs the daemon to fake the system time?
Ludovic Courtès wrote on 15 Nov 12:05 +0100
(name . Marius Bakke)(address . marius@gnu.org)
87zh3iani0.fsf@gnu.org
Hi,
Marius Bakke <marius@gnu.org> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> The question for us becomes how to ensure long-term reproducibility in
>> the presence of such bugs.
>>
>> In this case, I think the only solution would be to change the system
>> clock when one rebuilds GnuTLS (or to use ‘--without-tests=gnutls’, but
>> you end up with different derivations, which is not necessarily
>> desirable).
>>
>> Thoughts?
>
> There is a related bug report here:
>
> https://issues.guix.gnu.org/39310
>
> Perhaps we could make a "--with-system-clock" option for 'guix build'
> that instructs the daemon to fake the system time?
How would it fake it though?
There are time_namespaces(7), but it’s only for CLOCK_MONOTONIC and CLOCK_BOOTTIME.
LD_PRELOAD like ‘datefudge’ does is probably not a viable option.
Ludo’.
Ludovic Courtès wrote on 16 Nov 16:04 +0100
control message for bug #44559
(address . control@debbugs.gnu.org)
87zh3huyuf.fsf@gnu.org
severity 44559 important
quit