Having default nss-certs plus nss-certs in operating-system packages causes problems

Details
3 participants
  • Liliana Marie Prikler
  • Christopher Baines
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Christopher Baines
Severity
normal


Christopher Baines wrote 10 months ago
(address . bug-guix@gnu.org)
87wmnxz92i.fsf@cbaines.net
I've seen this when updating systems, but it seems like something is
wrong with the handling of nss-certs.

I'm on a guix revision with nss-certs by default, and when I add
nss-certs to my system packages (to simulate not removing it when
upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
doesn't work).

My reading of the operating-system-packages code suggests that adding
nss-certs shouldn't have any effect, but this doesn't seem to be
working.

Liliana Marie Prikler wrote 10 months ago
b5a26bf0bc2fb10d4c2abb0c301621dcf9ff0a7e.camel@gmail.com
On Monday, 13.05.2024 at 22:38 +0100, Christopher Baines wrote:
> I've seen this when updating systems, but it seems like something is
> wrong with the handling of nss-certs.
>
> I'm on a guix revision with nss-certs by default, and when I add
> nss-certs to my system packages (to simulate not removing it when
> upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
> doesn't work).
I can confirm this on three machines (two of my own, one from a
relative): Having nss-certs in the packages field unexpectedly breaks
all known certificates.

> My reading of the operating-system-packages code suggests that adding
> nss-certs shouldn't have any effect, but this doesn't seem to be
> working.
It would be really nice to detect the mismatching versions if it's
based on that. IIUC we graft nss-certs now, so that we can hot-swap
stuff like Python's certifi package. Is this use case broken by any
chance?

Cheers
Maxim Cournoyer wrote 10 months ago
Re: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)
87r0e2wjb0.fsf@gmail.com
Hello,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> On Monday, 13.05.2024 at 22:38 +0100, Christopher Baines wrote:
>> I've seen this when updating systems, but it seems like something is
>> wrong with the handling of nss-certs.
>>
>> I'm on a guix revision with nss-certs by default, and when I add
>> nss-certs to my system packages (to simulate not removing it when
>> upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
>> doesn't work).
> I can confirm this on three machines (two of my own, one from a
> relative): Having nss-certs in the packages field unexpectedly breaks
> all known certificates.
>
>> My reading of the operating-system-packages code suggests that adding
>> nss-certs shouldn't have any effect, but this doesn't seem to be
>> working.
> It would be really nice to detect the mismatching versions if it's
> based on that. IIUC we graft nss-certs now, so that we can hot-swap
> stuff like Python's certifi package. Is this use case broken by any
> chance?

Apparently having multiple nss-certs of the same version is no problem
(they get deduped later). The original problem would thus only exist
when there are multiple versions of nss-certs listed in packages, as
could happen for installer-generated configs that use
'(specification->package "nss-certs"), which would pick the latest
version and clash with the one in %base-packages.

My code could call delete even in the first case, which would clear
*all* nss-certs because they were the same object. That's now guarded
against in 35ae95061e1b843e1df069693177519f22f9a16d ("system: Do not
delete all nss-certs packages when they are the same object."), which
I've just pushed.

Closing.

--
Thanks,
Maxim
Closed
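The merge Maxim describes above, and the breakage Chris reported at the top of the thread, modelled as an added example in plain Guile. This is not the operating-system-packages code or any other code from Guix: the <pkg> record, the package names and version strings, and the merge-packages/buggy, merge-packages/fixed and nss-certs-versions procedures are hypothetical stand-ins chosen to show the same-object versus different-version behaviour.

```scheme
;; Added example, not Guix code: a plain-Guile model of the nss-certs merge
;; discussed in this thread.  <pkg>, merge-packages/buggy, merge-packages/fixed
;; and nss-certs-versions are hypothetical stand-ins for the real
;; operating-system-packages logic.
(use-modules (srfi srfi-1)    ; any, filter, delete, delete-duplicates
             (srfi srfi-9))   ; define-record-type

(define-record-type <pkg>
  (make-pkg name version)
  pkg?
  (name pkg-name)
  (version pkg-version))

;; Constructed packages; the version strings are illustrative only.
(define default-nss-certs (make-pkg "nss-certs" "default"))
(define newer-nss-certs   (make-pkg "nss-certs" "newer"))
(define coreutils         (make-pkg "coreutils" "9"))

;; Stand-in for %base-packages, which carries the default nss-certs.
(define base-packages (list coreutils default-nss-certs))

(define (nss-certs? p)
  (string=? (pkg-name p) "nss-certs"))

;; Buggy shape: if the user supplied any nss-certs, remove the default one
;; from the combined list by object identity.  When the user's entry is the
;; very same object as the default, both occurrences match `eq?' and SRFI-1
;; `delete' removes them all, leaving no nss-certs at all.
(define (merge-packages/buggy user-packages)
  (let ((all (append user-packages base-packages)))
    (if (any nss-certs? user-packages)
        (delete default-nss-certs all eq?)
        all)))

;; Fixed shape: leave an identical object alone (the later dedup collapses
;; it) and only delete the default when the user's nss-certs is a different
;; object, i.e. another version that would otherwise clash.
(define (merge-packages/fixed user-packages)
  (let ((all (append user-packages base-packages)))
    (cond ((memq default-nss-certs user-packages)
           (delete-duplicates all eq?))
          ((any nss-certs? user-packages)
           (delete default-nss-certs all eq?))
          (else all))))

;; The check worth running over a merged package list: which nss-certs
;; versions survive.  An empty result means no CA bundle gets installed.
(define (nss-certs-versions packages)
  (map pkg-version (filter nss-certs? packages)))

;; Scenario 1: the same object in both lists (the report at the top of the
;; thread).  Scenario 2: a different version, as an installer-generated
;; config using specification->package would produce.
(for-each
 (lambda (scenario)
   (let ((label (car scenario))
         (user  (cdr scenario)))
     (format #t "~a~%  buggy: ~s~%  fixed: ~s~%"
             label
             (nss-certs-versions (merge-packages/buggy user))
             (nss-certs-versions (merge-packages/fixed user)))))
 `(("same object as default" ,default-nss-certs)
   ("different version"      ,newer-nss-certs)))
```

Run it with `guile` on the file. In the same-object scenario the buggy merge reports an empty version list, which is the state Chris observed (no nss-certs in the system profile, so wget against an HTTPS host cannot verify the peer), while the fixed merge keeps the single default copy. In the different-version scenario both merges keep only the user's nss-certs, which is the case the delete was written for. Note that the guard keys on object identity, matching the commit title quoted above, not on version strings; a version-string comparison would be the separate detection Liliana asks about.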
Christopher Baines wrote 10 months ago
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
87bk50u8ip.fsf@cbaines.net
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> Liliana Marie Prikler <liliana.prikler@gmail.com> writes:
>
>> On Monday, 13.05.2024 at 22:38 +0100, Christopher Baines wrote:
>>> I've seen this when updating systems, but it seems like something is
>>> wrong with the handling of nss-certs.
>>>
>>> I'm on a guix revision with nss-certs by default, and when I add
>>> nss-certs to my system packages (to simulate not removing it when
>>> upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
>>> doesn't work).
>> I can confirm this on three machines (two of my own, one from a
>> relative): Having nss-certs in the packages field unexpectedly breaks
>> all known certificates.
>>
>>> My reading of the operating-system-packages code suggests that adding
>>> nss-certs shouldn't have any effect, but this doesn't seem to be
>>> working.
>> It would be really nice to detect the mismatching versions if it's
>> based on that. IIUC we graft nss-certs now, so that we can hot-swap
>> stuff like Python's certifi package. Is this use case broken by any
>> chance?
>
> Apparently having multiple nss-certs of the same version is no problem
> (they get deduped later). The original problem would thus only exist
> when there are multiple versions of nss-certs listed in packages, as
> could happen for installer-generated configs that use
> '(specification->package "nss-certs"), which would pick the latest
> version and clash with the one in %base-packages.
>
> My code could call delete even in the first case, which would clear
> *all* nss-certs because they were the same object. That's now guarded
> against in 35ae95061e1b843e1df069693177519f22f9a16d ("system: Do not
> delete all nss-certs packages when they are the same object."), which
> I've just pushed.

Great, thanks for fixing this Maxim!

Chris
