[PATCH 0/6] NSS updates

  • Open
Details
2 participants
  • Ian Eure
  • Liliana Marie Prikler
Owner
unassigned
Submitted by
Ian Eure
Severity
normal
Ian Eure wrote on 9 Sep 19:52 +0200
(address . guix-patches@gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175249.8003-1-ian@retrospec.tv
Hello,

This is a first pass at getting the nss packages into shape, as I proposed
earlier this year[1]. Many packages depend on nss, so these patches need to
be applied to a new branch -- my suggestion is `nss-updates', but I have no
strong preference.

This patch series:

- Ungrafts nss
- Factors out package creation into the `make-nss' procedure.
- Updates nss and nss-rapid to use that procedure.
- Updates nss and nss-certs to 3.102.1, the current ESR.
- Updates nss-rapid to 3.104, the latest release.
- Removes nspr-4.32, as it doesn’t appear to be used by anything.


Ian Eure (6):
gnu: Remove nss/fixed.
gnu: Remove nspr-4.32.
gnu: Add make-nss.
gnu: nss: Update to 3.102.1.
gnu: nss-rapid: Update to 3.104.
gnu: nss-certs: Update to 3.102.1.

gnu/packages/certs.scm | 4 +-
gnu/packages/nss.scm | 208 +++++++++++------------------------------
2 files changed, 59 insertions(+), 153 deletions(-)

--
2.46.0
Ian Eure wrote on 9 Sep 19:55 +0200
[PATCH 1/1] gnu: nss-certs: Update to 3.102.1.
(address . 73152@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175540.8156-1-ian@retrospec.tv
* gnu/packages/certs.scm (nss-certs): Update to 3.102.1.

Change-Id: Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10
---
gnu/packages/certs.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index e2de6b168b..9756b089c0 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -133,7 +133,7 @@ (define-public nss-certs
;; FIXME We used to refer to the nss package here, but that eventually caused
;; module cycles. The below is a quick copy-paste job that must be kept in
;; sync manually. Surely there's a better way…?
- (version "3.99")
+ (version "3.102.1")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
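Review bot: this `nss-certs` bump (`(version "3.102.1")` here and the hash in the next hunk) is the same change that arrives again as [PATCH 6/6], with the same Change-Id and the same `index e2de6b168b..9756b089c0` line, but this copy is numbered 1/1. Only one of the two can apply, since the second would no longer find `(version "3.99")`; a v2 should drop the stray copy so that `git am` over the thread goes through cleanly.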
@@ -144,7 +144,7 @@ (define-public nss-certs
"nss-" version ".tar.gz")))
(sha256
(base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
+ "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
--
2.46.0
Ian Eure wrote on 9 Sep 19:55 +0200
[PATCH 1/6] gnu: Remove nss/fixed.
(address . 73152@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175540.8156-2-ian@retrospec.tv
* gnu/packages/nss.scm (nss/fixed): Delete variable.

Change-Id: I0a071a8c3c4a9e2a24b873177402735912192212
---
gnu/packages/nss.scm | 51 --------------------------------------------
1 file changed, 51 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6c60e9fbae..718a3ba4c0 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -271,57 +271,6 @@ (define-public nss
security standards.")
(license license:mpl2.0)))
-(define-public nss/fixed
- (let ((actual-version "3.99"))
- (hidden-package
- (package
- (inherit nss)
- (version (string-append actual-version ".0")) ;for grafts requirements
- (source (origin
- (inherit (package-source nss))
- (uri (let ((version-with-underscores
- (string-join (string-split actual-version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" actual-version ".tar.gz")))
- (sha256
- (base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))))
- (arguments
- (substitute-keyword-arguments (package-arguments nss)
- ((#:phases phases)
- #~(modify-phases #$phases
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
-
- ;; This specific test is looking at performance "now
- ;; verify that we can quickly dump a database", and
- ;; we're not testing performance here (especially
- ;; since we're using faketime), so raise the
- ;; threshold
- (substitute* "nss/tests/dbtests/dbtests.sh"
- ((" -lt 5") " -lt 50"))
-
- ;; Since the test suite is very lengthy, run the test
- ;; suite once, not thrice as done by default, by
- ;; selecting only the 'standard' cycle.
- (setenv "NSS_CYCLES" "standard")
-
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))))))))))
-
;; nss-rapid tracks the rapid release channel. Unless your package requires a
;; newer version, you should prefer the `nss' package, which tracks the ESR
;; channel.
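Review bot: the deleted `nss/fixed` is a `hidden-package` whose version is padded "for grafts requirements", so it only matters if some package still names it in a `replacement` field, and this hunk does not show the `nss` definition either way. Please state in the commit message that no `replacement` reference remains (the cover letter's "Ungrafts nss" suggests one was removed, but no hunk in this patch does that), otherwise a leftover reference would point at an unbound variable.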
--
2.46.0
Ian Eure wrote on 9 Sep 19:55 +0200
[PATCH 2/6] gnu: Remove nspr-4.32.
(address . 73152@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175540.8156-3-ian@retrospec.tv
* gnu/packages/nss.scm (nspr-4.32): Delete variable.

Change-Id: I05c97fe6fc32d045618334df118a84836c0d0261
---
gnu/packages/nss.scm | 12 ------------
1 file changed, 12 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 718a3ba4c0..60b4b34d4e 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -94,18 +94,6 @@ (define-public nspr
in the Mozilla clients.")
(license license:mpl2.0)))
-(define-public nspr-4.32
- (package
- (inherit nspr)
- (version "4.32")
- (source (origin
- (method url-fetch)
- (uri (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v"
- version "/src/nspr-" version ".tar.gz"))
- (sha256
- (base32
- "0v3zds1id71j5a5si42a658fjz8nv2f6zp6w4gqrqmdr6ksz8sxv"))))))
;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR.
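Review bot: `nspr-4.32` is a `define-public` variable, so beyond Guix's own tree it may be referenced from external channels, and the cover letter only says it "doesn't appear to be used by anything". State in the commit message how that was checked (for example a grep for `nspr-4.32` across `gnu/`), so the removal is not taken on faith.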
--
2.46.0
Ian Eure wrote on 9 Sep 19:55 +0200
[PATCH 3/6] gnu: Add make-nss.
(address . 73152@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175540.8156-4-ian@retrospec.tv
* gnu/packages/nss.scm (make-nss): New variable.
NSS builds require time-shifting to their approximate release date to build
repeatably, because it ships with test certificates which expire. To avoid
duplicating the whole package definition between `nss' and `nss-rapid', move
the bulk of the definition into `make-nss', which accepts a version, hash, and
release date, allowing reuse between the two definitions.

Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
---
gnu/packages/nss.scm | 166 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 166 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 60b4b34d4e..b51bebda3d 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -94,6 +94,172 @@ (define-public nspr
in the Mozilla clients.")
(license license:mpl2.0)))
+(define* (make-nss #:key version release-date hash)
+ (package
+ (name "nss")
+ ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
+ ;; version and source to avoid a top-level variable reference & module
+ ;; cycle.
+ (version version)
+ (source
+ (origin
+ (method url-fetch)
+ (uri (let ((version-with-underscores
+ (string-join (string-split version #\.) "_")))
+ (string-append
+ "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+ "releases/NSS_" version-with-underscores "_RTM/src/"
+ "nss-" version ".tar.gz")))
+ (sha256
+ (base32 hash))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))
+ (build-system gnu-build-system)
+ (outputs '("out" "bin"))
+ (arguments
+ (list
+ #:make-flags
+ #~(let ((rpath (string-append "-Wl,-rpath=" #$output "/lib/nss")))
+ (list "-C" "nss"
+ (string-append "PREFIX=" #$output)
+ "NSDISTMODE=copy"
+ "NSS_USE_SYSTEM_SQLITE=1"
+ ;; The gtests fail to compile on riscv64.
+ ;; Skipping them doesn't affect the test suite.
+ #$@(if (target-riscv64?)
+ #~("NSS_DISABLE_GTESTS=1")
+ #~())
+ ;; Ensure we are building for the (%current-target-system).
+ #$@(if (%current-target-system)
+ #~((string-append
+ "OS_TEST="
+ (string-take #$(%current-target-system)
+ (string-index #$(%current-target-system) #\-)))
+ (string-append
+ "KERNEL=" (cond (#$(target-hurd?) "gnu")
+ (#$(target-linux?) "linux")
+ (else ""))))
+ #~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
+ (string-append "NSPR_INCLUDE_DIR="
+ (search-input-directory %build-inputs
+ "include/nspr"))
+ ;; Add $out/lib/nss to RPATH.
+ (string-append "RPATH=" rpath)
+ (string-append "LDFLAGS=" rpath)))
+ #:modules '((guix build gnu-build-system)
+ (guix build utils)
+ (ice-9 ftw)
+ (ice-9 match)
+ (srfi srfi-26))
+ #:tests? (not (or (%current-target-system)
+ ;; Tests take more than 30 hours on some architectures.
+ (target-riscv64?)
+ (target-ppc32?)))
+ #:phases
+ #~(modify-phases %standard-phases
+ (replace 'configure
+ (lambda _
+ (setenv "CC" #$(cc-for-target))
+ (setenv "CCC" #$(cxx-for-target))
+ (setenv "NATIVE_CC" "gcc")
+ ;; No VSX on powerpc-linux.
+ #$@(if (target-ppc32?)
+ #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
+ #~())
+ ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system.
+ #$@(if (target-64bit?)
+ #~((setenv "USE_64" "1"))
+ #~())))
+ (replace 'check
+ (lambda* (#:key tests? #:allow-other-keys)
+ (if tests?
+ (begin
+ ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+ ;; testing. The latter requires a working DNS or /etc/hosts.
+ (setenv "DOMSUF" "localdomain")
+ (setenv "USE_IP" "TRUE")
+ (setenv "IP_ADDRESS" "127.0.0.1")
+
+ ;; This specific test is looking at performance "now
+ ;; verify that we can quickly dump a database", and
+ ;; we're not testing performance here (especially
+ ;; since we're using faketime), so raise the
+ ;; threshold
+ (substitute* "nss/tests/dbtests/dbtests.sh"
+ ((" -lt 5") " -lt 50"))
+
+ ;; Since the test suite is very lengthy, run the test
+ ;; suite once, not thrice as done by default, by
+ ;; selecting only the 'standard' cycle.
+ (setenv "NSS_CYCLES" "standard")
+
+ #$@(if (target-64bit?)
+ '()
+ ;; The script fails to determine the source
+ ;; directory when running under 'datefudge' (see
+ ;; <https://issues.guix.gnu.org/72239>). Help it.
+ #~((substitute* "nss/tests/gtests/gtests.sh"
+ (("SOURCE_DIR=.*")
+ (string-append "SOURCE_DIR=" (getcwd) "/nss\n")))))
+
+ ;; The "PayPalEE.cert" certificate expires every six months,
+ ;; leading to test failures:
+ ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
+ ;; work around that, set the time to roughly the release date.
+ (invoke #$(if (target-64bit?) "faketime" "datefudge")
+ #$release-date "./nss/tests/all.sh"))
+ (format #t "test suite not run~%"))))
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (bin (string-append (assoc-ref outputs "bin") "/bin"))
+ (inc (string-append out "/include/nss"))
+ (lib (string-append out "/lib/nss"))
+ (obj (match (scandir "dist" (cut string-suffix? "OBJ" <>))
+ ((obj) (string-append "dist/" obj)))))
+ ;; Install nss-config to $out/bin.
+ (install-file (string-append obj "/bin/nss-config")
+ (string-append out "/bin"))
+ (delete-file (string-append obj "/bin/nss-config"))
+ ;; Install nss.pc to $out/lib/pkgconfig.
+ (install-file (string-append obj "/lib/pkgconfig/nss.pc")
+ (string-append out "/lib/pkgconfig"))
+ (delete-file (string-append obj "/lib/pkgconfig/nss.pc"))
+ (rmdir (string-append obj "/lib/pkgconfig"))
+ ;; Install other files.
+ (copy-recursively "dist/public/nss" inc)
+ (copy-recursively (string-append obj "/bin") bin)
+ (copy-recursively (string-append obj "/lib") lib)))))))
+ (inputs (list sqlite zlib))
+ (propagated-inputs (list nspr)) ;required by nss.pc.
+ (native-inputs (list perl ;for tests
+ (if (target-64bit?) libfaketime datefudge)
+ which))
+
+ ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when
+ ;; another build is happening concurrently on the same machine.
+ (properties '((timeout . 216000))) ;60 hours
+
+ (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
+ (synopsis "Network Security Services")
+ (description
+ "Network Security Services (@dfn{NSS}) is a set of libraries designed to
+support cross-platform development of security-enabled client and server
+applications. Applications built with NSS can support SSL v2 and v3, TLS,
+PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
+security standards.")
+ (license license:mpl2.0)))
;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR.
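Review bot: in `(define* (make-nss #:key version release-date hash)` all three keywords are optional with no default, so a caller that omits one passes `#f` into `(version version)`, `(base32 hash)` or the `faketime`/`datefudge` invocation and fails far from the call site. Make them required positional arguments or check them up front, and add a docstring saying that `release-date` is the date the test suite is run under. Also, the `IMPORTANT: Also update and test the nss-certs package` comment now sits above `(version version)`, where nobody edits a version any more; it belongs next to the `make-nss` calls that carry the version string.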
--
2.46.0
Ian Eure wrote on 9 Sep 19:55 +0200
[PATCH 4/6] gnu: nss: Update to 3.102.1.
(address . 73152@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175540.8156-5-ian@retrospec.tv
gnu/packages/nss.scm (nss): Update to 3.102.1.

Change-Id: Ic24624279b1d2efbe6f4dd82cb73cc63f50f2e14
---
gnu/packages/nss.scm | 172 +++----------------------------------------
1 file changed, 10 insertions(+), 162 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index b51bebda3d..b4fdd13abc 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -261,169 +261,17 @@ (define* (make-nss #:key version release-date hash)
security standards.")
(license license:mpl2.0)))
-;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR.
-
(define-public nss
- (package
- (name "nss")
- ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
- ;; version and source to avoid a top-level variable reference & module
- ;; cycle.
- (version "3.99")
- (source (origin
- (method url-fetch)
- (uri (let ((version-with-underscores
- (string-join (string-split version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" version ".tar.gz")))
- (sha256
- (base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
- ;; Create nss.pc and nss-config.
- (patches (search-patches "nss-3.56-pkgconfig.patch"
- "nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Delete the bundled copy of these libraries.
- (delete-file-recursively "nss/lib/zlib")
- (delete-file-recursively "nss/lib/sqlite")))))
- (build-system gnu-build-system)
- (outputs '("out" "bin"))
- (arguments
- (list
- #:make-flags
- #~(let ((rpath (string-append "-Wl,-rpath=" #$output "/lib/nss")))
- (list "-C" "nss"
- (string-append "PREFIX=" #$output)
- "NSDISTMODE=copy"
- "NSS_USE_SYSTEM_SQLITE=1"
- ;; The gtests fail to compile on riscv64.
- ;; Skipping them doesn't affect the test suite.
- #$@(if (target-riscv64?)
- #~("NSS_DISABLE_GTESTS=1")
- #~())
- ;; Ensure we are building for the (%current-target-system).
- #$@(if (%current-target-system)
- #~((string-append
- "OS_TEST="
- (string-take #$(%current-target-system)
- (string-index #$(%current-target-system) #\-)))
- (string-append
- "KERNEL=" (cond (#$(target-hurd?) "gnu")
- (#$(target-linux?) "linux")
- (else ""))))
- #~())
- #$@(if (%current-target-system)
- #~("CROSS_COMPILE=1")
- #~())
- (string-append "NSPR_INCLUDE_DIR="
- (search-input-directory %build-inputs
- "include/nspr"))
- ;; Add $out/lib/nss to RPATH.
- (string-append "RPATH=" rpath)
- (string-append "LDFLAGS=" rpath)))
- #:modules '((guix build gnu-build-system)
- (guix build utils)
- (ice-9 ftw)
- (ice-9 match)
- (srfi srfi-26))
- #:tests? (not (or (%current-target-system)
- ;; Tests take more than 30 hours on some architectures.
- (target-riscv64?)
- (target-ppc32?)))
- #:phases
- #~(modify-phases %standard-phases
- (replace 'configure
- (lambda _
- (setenv "CC" #$(cc-for-target))
- (setenv "CCC" #$(cxx-for-target))
- (setenv "NATIVE_CC" "gcc")
- ;; No VSX on powerpc-linux.
- #$@(if (target-ppc32?)
- #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
- #~())
- ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system.
- #$@(if (target-64bit?)
- #~((setenv "USE_64" "1"))
- #~())))
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
-
- ;; This specific test is looking at performance "now
- ;; verify that we can quickly dump a database", and
- ;; we're not testing performance here (especially
- ;; since we're using faketime), so raise the
- ;; threshold
- (substitute* "nss/tests/dbtests/dbtests.sh"
- ((" -lt 5") " -lt 50"))
-
- #$@(if (target-64bit?)
- '()
- ;; The script fails to determine the source
- ;; directory when running under 'datefudge' (see
- ;; <https://issues.guix.gnu.org/72239>). Help it.
- #~((substitute* "nss/tests/gtests/gtests.sh"
- (("SOURCE_DIR=.*")
- (string-append "SOURCE_DIR=" (getcwd) "/nss\n")))))
-
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke #$(if (target-64bit?) "faketime" "datefudge")
- "2024-01-23" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))
- (replace 'install
- (lambda* (#:key outputs #:allow-other-keys)
- (let* ((out (assoc-ref outputs "out"))
- (bin (string-append (assoc-ref outputs "bin") "/bin"))
- (inc (string-append out "/include/nss"))
- (lib (string-append out "/lib/nss"))
- (obj (match (scandir "dist" (cut string-suffix? "OBJ" <>))
- ((obj) (string-append "dist/" obj)))))
- ;; Install nss-config to $out/bin.
- (install-file (string-append obj "/bin/nss-config")
- (string-append out "/bin"))
- (delete-file (string-append obj "/bin/nss-config"))
- ;; Install nss.pc to $out/lib/pkgconfig.
- (install-file (string-append obj "/lib/pkgconfig/nss.pc")
- (string-append out "/lib/pkgconfig"))
- (delete-file (string-append obj "/lib/pkgconfig/nss.pc"))
- (rmdir (string-append obj "/lib/pkgconfig"))
- ;; Install other files.
- (copy-recursively "dist/public/nss" inc)
- (copy-recursively (string-append obj "/bin") bin)
- (copy-recursively (string-append obj "/lib") lib)))))))
- (inputs (list sqlite zlib))
- (propagated-inputs (list nspr)) ;required by nss.pc.
- (native-inputs (list perl ;for tests
- (if (target-64bit?) libfaketime datefudge)
- which))
-
- ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when
- ;; another build is happening concurrently on the same machine.
- (properties '((timeout . 216000))) ;60 hours
-
- (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
- (synopsis "Network Security Services")
- (description
- "Network Security Services (@dfn{NSS}) is a set of libraries designed to
-support cross-platform development of security-enabled client and server
-applications. Applications built with NSS can support SSL v2 and v3, TLS,
-PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
-security standards.")
- (license license:mpl2.0)))
+ (let ((base (make-nss
+ #:version "3.102.1"
+ #:release-date "2024-07-24"
+ #:hash "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l")))
+ (package
+ (inherit base)
+ (synopsis (string-append (package-synopsis base) " (ESR)"))
+ (description
+ (string-append (package-description base) "
+This package tracks the Extended Support Release channel.")))))
;; nss-rapid tracks the rapid release channel. Unless your package requires a
;; newer version, you should prefer the `nss' package, which tracks the ESR
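Review bot: the removed `check` phase never sets `NSS_CYCLES`, while `make-nss` from 3/6 does `(setenv "NSS_CYCLES" "standard")`, so switching `nss` over also cuts its test run from the default cycles to the 'standard' one only. That may well be wanted, but it is not a pure version bump; mention it in the commit message. A smaller point: the ChangeLog line is missing the leading `* ` that the other five patches use.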
--
2.46.0
Ian Eure wrote on 9 Sep 19:55 +0200
[PATCH 5/6] gnu: nss-rapid: Update to 3.104.
(address . 73152@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175540.8156-6-ian@retrospec.tv
* gnu/packages/nss.scm (nss-rapid): Update to 3.104.

Change-Id: I22772d75a98a479a65717ea7bcbfbb7986bd0c77
---
gnu/packages/nss.scm | 67 ++++++++------------------------------------
1 file changed, 11 insertions(+), 56 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index b4fdd13abc..b53e6e22cf 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -281,63 +281,18 @@ (define-public nss
;; and https://wiki.mozilla.org/Rapid_Release_Model
(define-public nss-rapid
- (package
- (inherit nss)
- (name "nss-rapid")
- (version "3.103")
- (source (origin
- (inherit (package-source nss))
- (uri (let ((version-with-underscores
- (string-join (string-split version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" version ".tar.gz")))
- (sha256
- (base32
- "0qp9rs226rr6gh51b42cdbydr4mj80cli3bfqhh7bp3jyxbvcjkv"))))
- (arguments
- (substitute-keyword-arguments (package-arguments nss)
- ((#:phases phases)
- #~(modify-phases #$phases
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
-
- ;; This specific test is looking at performance "now
- ;; verify that we can quickly dump a database", and
- ;; we're not testing performance here (especially
- ;; since we're using faketime), so raise the
- ;; threshold
- (substitute* "nss/tests/dbtests/dbtests.sh"
- ((" -lt 5") " -lt 50"))
-
- ;; Since the test suite is very lengthy, run the test
- ;; suite once, not thrice as done by default, by
- ;; selecting only the 'standard' cycle.
- (setenv "NSS_CYCLES" "standard")
-
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-08-17" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))))))
- (synopsis "Network Security Services (Rapid Release)")
- (description
- "Network Security Services (@dfn{NSS}) is a set of libraries designed to
-support cross-platform development of security-enabled client and server
-applications. Applications built with NSS can support SSL v2 and v3, TLS,
-PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
-security standards.
+ (let ((base (make-nss
+ #:version "3.104"
+ #:release-date "2024-08-30"
+ #:hash "13mca2y92sm05kxb40qvlkq8l93ghmrhh0s3iawpc7idc8ik4xp2")))
+ (package
+ (inherit base)
+ (name (string-append (package-name base) "-rapid"))
+ (synopsis (string-append (package-synopsis base) " (Rapid Release)"))
+ (description
+ (string-append (package-description base) "
+This package tracks the Rapid Release channel, which updates frequently.")))))
-This package tracks the Rapid Release channel, which updates frequently.")))
(define-public nsncd
(package
(name "nsncd")
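Review bot: the removed `check` phase always ran `(invoke "faketime" "2024-08-17" ...)`, whereas `make-nss` picks `datefudge` and rewrites `SOURCE_DIR` in `gtests.sh` on non-64-bit targets, so `nss-rapid` changes behaviour there as well as version; say so in the commit message. Separately, `synopsis` and `description` become `string-append` calls instead of string literals here (and in 4/6); it is worth checking that the translation tooling still extracts them, and keeping them as literals if it does not.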
--
2.46.0
Ian Eure wrote on 9 Sep 19:55 +0200
[PATCH 6/6] gnu: nss-certs: Update to 3.102.1.
(address . 73152@debbugs.gnu.org)(name . Ian Eure)(address . ian@retrospec.tv)
20240909175540.8156-7-ian@retrospec.tv
* gnu/packages/certs.scm (nss-certs): Update to 3.102.1.

Change-Id: Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10
---
gnu/packages/certs.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index e2de6b168b..9756b089c0 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -133,7 +133,7 @@ (define-public nss-certs
;; FIXME We used to refer to the nss package here, but that eventually caused
;; module cycles. The below is a quick copy-paste job that must be kept in
;; sync manually. Surely there's a better way…?
- (version "3.99")
+ (version "3.102.1")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
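Review bot: with this bump as the last patch, every commit from 4/6 up to here has `nss` at 3.102.1 and `nss-certs` still at `(version "3.99")`, although the FIXME above says the two must be "kept in sync manually". Squash this patch into 4/6, or place it directly next to it, so no intermediate commit ships mismatched versions; the hash in the next hunk already matches the `#:hash` given to `make-nss` there.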
@@ -144,7 +144,7 @@ (define-public nss-certs
"nss-" version ".tar.gz")))
(sha256
(base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
+ "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
--
2.46.0
Liliana Marie Prikler wrote on 10 Sep 19:59 +0200
Re: [PATCH 3/6] gnu: Add make-nss.
04bf227b79ecc755e5137a8296c2a5458073393f.camel@gmail.com
On Monday, 09.09.2024 at 10:55 -0700, Ian Eure wrote:
> * gnu/packages/nss.scm (make-nss): New variable.
> NSS builds require time-shifting to their approximate release date to
> build repeatably, because it ships with test certificates which
> expire.  To avoid duplicating the whole package definition between
> `nss' and `nss-rapid', move the bulk of the definition into
> `make-nss', which accepts a version, hash, and release date, allowing reuse
> between the two definitions.
>
> Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
> ---
Note: the explanation should come before the ChangeLog.

Cheers