[PATCH 0/6] NSS updates

  • Open
Details
3 participants
  • Ian Eure
  • Liliana Marie Prikler
  • Christopher Baines
Owner
unassigned
Submitted by
Ian Eure
Severity
normal


Ian Eure wrote 6 months ago
guix-patches@gnu.org, Ian Eure <ian@retrospec.tv>
20240909175249.8003-1-ian@retrospec.tv
Hello,

This is a first pass at getting the nss packages into shape, as I proposed
earlier this year[1]. Many packages depend on nss, so these patches need to
be applied to a new branch -- my suggestion is `nss-updates', but I have no
strong preference.

This patch series:

- Ungrafts nss
- Factors out package creation into the `make-nss' procedure.
- Updates nss and nss-rapid to use that procedure.
- Updates nss and nss-certs to 3.102.1, the current ESR.
- Updates nss-rapid to 3.104, the latest release.
- Removes nspr-4.32, as it doesn’t appear to be used by anything.


Ian Eure (6):
gnu: Remove nss/fixed.
gnu: Remove nspr-4.32.
gnu: Add make-nss.
gnu: nss: Update to 3.102.1.
gnu: nss-rapid: Update to 3.104.
gnu: nss-certs: Update to 3.102.1.

gnu/packages/certs.scm | 4 +-
gnu/packages/nss.scm | 208 +++++++++++------------------------------
2 files changed, 59 insertions(+), 153 deletions(-)

--
2.46.0
Ian Eure wrote 6 months ago
[PATCH 1/1] gnu: nss-certs: Update to 3.102.1.
73152@debbugs.gnu.org, Ian Eure <ian@retrospec.tv>
20240909175540.8156-1-ian@retrospec.tv
* gnu/packages/certs.scm (nss-certs): Update to 3.102.1.

Change-Id: Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10
---
gnu/packages/certs.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index e2de6b168b..9756b089c0 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -133,7 +133,7 @@ (define-public nss-certs
;; FIXME We used to refer to the nss package here, but that eventually caused
;; module cycles. The below is a quick copy-paste job that must be kept in
;; sync manually. Surely there's a better way…?
- (version "3.99")
+ (version "3.102.1")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
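Review bot: this message is numbered [PATCH 1/1] but carries the same Change-Id (Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10) and the same two hunks as [PATCH 6/6] further down the thread, so it reads as a stray resend; say which copy is the one to apply (or withdraw this one), otherwise applying the whole set in order bumps `(version "3.102.1")` twice and the second `git am` fails.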
@@ -144,7 +144,7 @@ (define-public nss-certs
"nss-" version ".tar.gz")))
(sha256
(base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
+ "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
--
2.46.0
Ian Eure wrote 6 months ago
[PATCH 1/6] gnu: Remove nss/fixed.
73152@debbugs.gnu.org, Ian Eure <ian@retrospec.tv>
20240909175540.8156-2-ian@retrospec.tv
* gnu/packages/nss.scm (nss/fixed): Delete variable.

Change-Id: I0a071a8c3c4a9e2a24b873177402735912192212
---
gnu/packages/nss.scm | 51 --------------------------------------------
1 file changed, 51 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6c60e9fbae..718a3ba4c0 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -271,57 +271,6 @@ (define-public nss
security standards.")
(license license:mpl2.0)))
-(define-public nss/fixed
- (let ((actual-version "3.99"))
- (hidden-package
- (package
- (inherit nss)
- (version (string-append actual-version ".0")) ;for grafts requirements
- (source (origin
- (inherit (package-source nss))
- (uri (let ((version-with-underscores
- (string-join (string-split actual-version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" actual-version ".tar.gz")))
- (sha256
- (base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))))
- (arguments
- (substitute-keyword-arguments (package-arguments nss)
- ((#:phases phases)
- #~(modify-phases #$phases
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
-
- ;; This specific test is looking at performance "now
- ;; verify that we can quickly dump a database", and
- ;; we're not testing performance here (especially
- ;; since we're using faketime), so raise the
- ;; threshold
- (substitute* "nss/tests/dbtests/dbtests.sh"
- ((" -lt 5") " -lt 50"))
-
- ;; Since the test suite is very lengthy, run the test
- ;; suite once, not thrice as done by default, by
- ;; selecting only the 'standard' cycle.
- (setenv "NSS_CYCLES" "standard")
-
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))))))))))
-
;; nss-rapid tracks the rapid release channel. Unless your package requires a
;; newer version, you should prefer the `nss' package, which tracks the ESR
;; channel.
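Review bot: the hunk deletes `nss/fixed` but shows no change to the `nss` definition it was the graft for. If `nss` still carries a `(replacement nss/fixed)` field at this point in the series, this commit alone leaves an unbound variable; if the field was already gone, `nss/fixed` was dead code and the commit message should say so rather than just "Delete variable" (the cover letter's "Ungrafts nss" suggests the former). Either way the removal is easier to review with the replacement-field change in the same commit.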
--
2.46.0
Ian Eure wrote 6 months ago
[PATCH 2/6] gnu: Remove nspr-4.32.
73152@debbugs.gnu.org, Ian Eure <ian@retrospec.tv>
20240909175540.8156-3-ian@retrospec.tv
* gnu/packages/nss.scm (nspr-4.32): Delete variable.

Change-Id: I05c97fe6fc32d045618334df118a84836c0d0261
---
gnu/packages/nss.scm | 12 ------------
1 file changed, 12 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 718a3ba4c0..60b4b34d4e 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -94,18 +94,6 @@ (define-public nspr
in the Mozilla clients.")
(license license:mpl2.0)))
-(define-public nspr-4.32
- (package
- (inherit nspr)
- (version "4.32")
- (source (origin
- (method url-fetch)
- (uri (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v"
- version "/src/nspr-" version ".tar.gz"))
- (sha256
- (base32
- "0v3zds1id71j5a5si42a658fjz8nv2f6zp6w4gqrqmdr6ksz8sxv"))))))
;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR.
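Review bot: the commit message only says "Delete variable"; the justification from the cover letter ("doesn't appear to be used by anything") belongs in the commit itself, ideally with how it was checked (for example `guix refresh -l nspr@4.32` or a grep for `nspr-4.32` under gnu/), because removing a `define-public` silently breaks any out-of-tree channel or manifest that still refers to it.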
--
2.46.0
Ian Eure wrote 6 months ago
[PATCH 3/6] gnu: Add make-nss.
73152@debbugs.gnu.org, Ian Eure <ian@retrospec.tv>
20240909175540.8156-4-ian@retrospec.tv
* gnu/packages/nss.scm (make-nss): New variable.
NSS builds require time-shifting to their approximate release date to build
repeatably, because it ships with test certificates which expire. To avoid
duplicating the whole package definition between `nss' and `nss-rapid', move
the bulk of the definition into `make-nss', which accepts a version, hash, and
release date, allowing reuse between the two definitions.

Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
---
gnu/packages/nss.scm | 166 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 166 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 60b4b34d4e..b51bebda3d 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -94,6 +94,172 @@ (define-public nspr
in the Mozilla clients.")
(license license:mpl2.0)))
+(define* (make-nss #:key version release-date hash)
+ (package
+ (name "nss")
+ ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
+ ;; version and source to avoid a top-level variable reference & module
+ ;; cycle.
+ (version version)
+ (source
+ (origin
+ (method url-fetch)
+ (uri (let ((version-with-underscores
+ (string-join (string-split version #\.) "_")))
+ (string-append
+ "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+ "releases/NSS_" version-with-underscores "_RTM/src/"
+ "nss-" version ".tar.gz")))
+ (sha256
+ (base32 hash))
+ ;; Create nss.pc and nss-config.
+ (patches (search-patches "nss-3.56-pkgconfig.patch"
+ "nss-getcwd-nonnull.patch"
+ "nss-increase-test-timeout.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Delete the bundled copy of these libraries.
+ (delete-file-recursively "nss/lib/zlib")
+ (delete-file-recursively "nss/lib/sqlite")))))
+ (build-system gnu-build-system)
+ (outputs '("out" "bin"))
+ (arguments
+ (list
+ #:make-flags
+ #~(let ((rpath (string-append "-Wl,-rpath=" #$output "/lib/nss")))
+ (list "-C" "nss"
+ (string-append "PREFIX=" #$output)
+ "NSDISTMODE=copy"
+ "NSS_USE_SYSTEM_SQLITE=1"
+ ;; The gtests fail to compile on riscv64.
+ ;; Skipping them doesn't affect the test suite.
+ #$@(if (target-riscv64?)
+ #~("NSS_DISABLE_GTESTS=1")
+ #~())
+ ;; Ensure we are building for the (%current-target-system).
+ #$@(if (%current-target-system)
+ #~((string-append
+ "OS_TEST="
+ (string-take #$(%current-target-system)
+ (string-index #$(%current-target-system) #\-)))
+ (string-append
+ "KERNEL=" (cond (#$(target-hurd?) "gnu")
+ (#$(target-linux?) "linux")
+ (else ""))))
+ #~())
+ #$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
+ (string-append "NSPR_INCLUDE_DIR="
+ (search-input-directory %build-inputs
+ "include/nspr"))
+ ;; Add $out/lib/nss to RPATH.
+ (string-append "RPATH=" rpath)
+ (string-append "LDFLAGS=" rpath)))
+ #:modules '((guix build gnu-build-system)
+ (guix build utils)
+ (ice-9 ftw)
+ (ice-9 match)
+ (srfi srfi-26))
+ #:tests? (not (or (%current-target-system)
+ ;; Tests take more than 30 hours on some architectures.
+ (target-riscv64?)
+ (target-ppc32?)))
+ #:phases
+ #~(modify-phases %standard-phases
+ (replace 'configure
+ (lambda _
+ (setenv "CC" #$(cc-for-target))
+ (setenv "CCC" #$(cxx-for-target))
+ (setenv "NATIVE_CC" "gcc")
+ ;; No VSX on powerpc-linux.
+ #$@(if (target-ppc32?)
+ #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
+ #~())
+ ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system.
+ #$@(if (target-64bit?)
+ #~((setenv "USE_64" "1"))
+ #~())))
+ (replace 'check
+ (lambda* (#:key tests? #:allow-other-keys)
+ (if tests?
+ (begin
+ ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+ ;; testing. The latter requires a working DNS or /etc/hosts.
+ (setenv "DOMSUF" "localdomain")
+ (setenv "USE_IP" "TRUE")
+ (setenv "IP_ADDRESS" "127.0.0.1")
+
+ ;; This specific test is looking at performance "now
+ ;; verify that we can quickly dump a database", and
+ ;; we're not testing performance here (especially
+ ;; since we're using faketime), so raise the
+ ;; threshold
+ (substitute* "nss/tests/dbtests/dbtests.sh"
+ ((" -lt 5") " -lt 50"))
+
+ ;; Since the test suite is very lengthy, run the test
+ ;; suite once, not thrice as done by default, by
+ ;; selecting only the 'standard' cycle.
+ (setenv "NSS_CYCLES" "standard")
+
+ #$@(if (target-64bit?)
+ '()
+ ;; The script fails to determine the source
+ ;; directory when running under 'datefudge' (see
+ ;; <https://issues.guix.gnu.org/72239>). Help it.
+ #~((substitute* "nss/tests/gtests/gtests.sh"
+ (("SOURCE_DIR=.*")
+ (string-append "SOURCE_DIR=" (getcwd) "/nss\n")))))
+
+ ;; The "PayPalEE.cert" certificate expires every six months,
+ ;; leading to test failures:
+ ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
+ ;; work around that, set the time to roughly the release date.
+ (invoke #$(if (target-64bit?) "faketime" "datefudge")
+ #$release-date "./nss/tests/all.sh"))
+ (format #t "test suite not run~%"))))
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (bin (string-append (assoc-ref outputs "bin") "/bin"))
+ (inc (string-append out "/include/nss"))
+ (lib (string-append out "/lib/nss"))
+ (obj (match (scandir "dist" (cut string-suffix? "OBJ" <>))
+ ((obj) (string-append "dist/" obj)))))
+ ;; Install nss-config to $out/bin.
+ (install-file (string-append obj "/bin/nss-config")
+ (string-append out "/bin"))
+ (delete-file (string-append obj "/bin/nss-config"))
+ ;; Install nss.pc to $out/lib/pkgconfig.
+ (install-file (string-append obj "/lib/pkgconfig/nss.pc")
+ (string-append out "/lib/pkgconfig"))
+ (delete-file (string-append obj "/lib/pkgconfig/nss.pc"))
+ (rmdir (string-append obj "/lib/pkgconfig"))
+ ;; Install other files.
+ (copy-recursively "dist/public/nss" inc)
+ (copy-recursively (string-append obj "/bin") bin)
+ (copy-recursively (string-append obj "/lib") lib)))))))
+ (inputs (list sqlite zlib))
+ (propagated-inputs (list nspr)) ;required by nss.pc.
+ (native-inputs (list perl ;for tests
+ (if (target-64bit?) libfaketime datefudge)
+ which))
+
+ ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when
+ ;; another build is happening concurrently on the same machine.
+ (properties '((timeout . 216000))) ;60 hours
+
+ (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
+ (synopsis "Network Security Services")
+ (description
+ "Network Security Services (@dfn{NSS}) is a set of libraries designed to
+support cross-platform development of security-enabled client and server
+applications. Applications built with NSS can support SSL v2 and v3, TLS,
+PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
+security standards.")
+ (license license:mpl2.0)))
;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR.
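Review bot: `(define* (make-nss #:key version release-date hash)` has no docstring and no defaults, so a call that omits an argument produces `(version #f)` or `(base32 #f)` and only fails later when the package record is used; a short docstring stating that all three are required and that RELEASE-DATE is a `YYYY-MM-DD` string handed straight to faketime/datefudge would catch that at review time, or the parameters could simply be positional. Also, the "IMPORTANT: Also update and test the nss-certs package" comment now sits above the generic `(version version)` line inside the procedure, where the version is whatever the caller passed; it belongs next to the `nss` definition that actually pins the ESR version, since that is the one nss-certs must stay in sync with.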
--
2.46.0
Ian Eure wrote 6 months ago
[PATCH 4/6] gnu: nss: Update to 3.102.1.
73152@debbugs.gnu.org, Ian Eure <ian@retrospec.tv>
20240909175540.8156-5-ian@retrospec.tv
gnu/packages/nss.scm (nss): Update to 3.102.1.

Change-Id: Ic24624279b1d2efbe6f4dd82cb73cc63f50f2e14
---
gnu/packages/nss.scm | 172 +++----------------------------------------
1 file changed, 10 insertions(+), 162 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index b51bebda3d..b4fdd13abc 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -261,169 +261,17 @@ (define* (make-nss #:key version release-date hash)
security standards.")
(license license:mpl2.0)))
-;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR.
-
(define-public nss
- (package
- (name "nss")
- ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
- ;; version and source to avoid a top-level variable reference & module
- ;; cycle.
- (version "3.99")
- (source (origin
- (method url-fetch)
- (uri (let ((version-with-underscores
- (string-join (string-split version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" version ".tar.gz")))
- (sha256
- (base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
- ;; Create nss.pc and nss-config.
- (patches (search-patches "nss-3.56-pkgconfig.patch"
- "nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Delete the bundled copy of these libraries.
- (delete-file-recursively "nss/lib/zlib")
- (delete-file-recursively "nss/lib/sqlite")))))
- (build-system gnu-build-system)
- (outputs '("out" "bin"))
- (arguments
- (list
- #:make-flags
- #~(let ((rpath (string-append "-Wl,-rpath=" #$output "/lib/nss")))
- (list "-C" "nss"
- (string-append "PREFIX=" #$output)
- "NSDISTMODE=copy"
- "NSS_USE_SYSTEM_SQLITE=1"
- ;; The gtests fail to compile on riscv64.
- ;; Skipping them doesn't affect the test suite.
- #$@(if (target-riscv64?)
- #~("NSS_DISABLE_GTESTS=1")
- #~())
- ;; Ensure we are building for the (%current-target-system).
- #$@(if (%current-target-system)
- #~((string-append
- "OS_TEST="
- (string-take #$(%current-target-system)
- (string-index #$(%current-target-system) #\-)))
- (string-append
- "KERNEL=" (cond (#$(target-hurd?) "gnu")
- (#$(target-linux?) "linux")
- (else ""))))
- #~())
- #$@(if (%current-target-system)
- #~("CROSS_COMPILE=1")
- #~())
- (string-append "NSPR_INCLUDE_DIR="
- (search-input-directory %build-inputs
- "include/nspr"))
- ;; Add $out/lib/nss to RPATH.
- (string-append "RPATH=" rpath)
- (string-append "LDFLAGS=" rpath)))
- #:modules '((guix build gnu-build-system)
- (guix build utils)
- (ice-9 ftw)
- (ice-9 match)
- (srfi srfi-26))
- #:tests? (not (or (%current-target-system)
- ;; Tests take more than 30 hours on some architectures.
- (target-riscv64?)
- (target-ppc32?)))
- #:phases
- #~(modify-phases %standard-phases
- (replace 'configure
- (lambda _
- (setenv "CC" #$(cc-for-target))
- (setenv "CCC" #$(cxx-for-target))
- (setenv "NATIVE_CC" "gcc")
- ;; No VSX on powerpc-linux.
- #$@(if (target-ppc32?)
- #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
- #~())
- ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system.
- #$@(if (target-64bit?)
- #~((setenv "USE_64" "1"))
- #~())))
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
-
- ;; This specific test is looking at performance "now
- ;; verify that we can quickly dump a database", and
- ;; we're not testing performance here (especially
- ;; since we're using faketime), so raise the
- ;; threshold
- (substitute* "nss/tests/dbtests/dbtests.sh"
- ((" -lt 5") " -lt 50"))
-
- #$@(if (target-64bit?)
- '()
- ;; The script fails to determine the source
- ;; directory when running under 'datefudge' (see
- ;; <https://issues.guix.gnu.org/72239>). Help it.
- #~((substitute* "nss/tests/gtests/gtests.sh"
- (("SOURCE_DIR=.*")
- (string-append "SOURCE_DIR=" (getcwd) "/nss\n")))))
-
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke #$(if (target-64bit?) "faketime" "datefudge")
- "2024-01-23" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))
- (replace 'install
- (lambda* (#:key outputs #:allow-other-keys)
- (let* ((out (assoc-ref outputs "out"))
- (bin (string-append (assoc-ref outputs "bin") "/bin"))
- (inc (string-append out "/include/nss"))
- (lib (string-append out "/lib/nss"))
- (obj (match (scandir "dist" (cut string-suffix? "OBJ" <>))
- ((obj) (string-append "dist/" obj)))))
- ;; Install nss-config to $out/bin.
- (install-file (string-append obj "/bin/nss-config")
- (string-append out "/bin"))
- (delete-file (string-append obj "/bin/nss-config"))
- ;; Install nss.pc to $out/lib/pkgconfig.
- (install-file (string-append obj "/lib/pkgconfig/nss.pc")
- (string-append out "/lib/pkgconfig"))
- (delete-file (string-append obj "/lib/pkgconfig/nss.pc"))
- (rmdir (string-append obj "/lib/pkgconfig"))
- ;; Install other files.
- (copy-recursively "dist/public/nss" inc)
- (copy-recursively (string-append obj "/bin") bin)
- (copy-recursively (string-append obj "/lib") lib)))))))
- (inputs (list sqlite zlib))
- (propagated-inputs (list nspr)) ;required by nss.pc.
- (native-inputs (list perl ;for tests
- (if (target-64bit?) libfaketime datefudge)
- which))
-
- ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when
- ;; another build is happening concurrently on the same machine.
- (properties '((timeout . 216000))) ;60 hours
-
- (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
- (synopsis "Network Security Services")
- (description
- "Network Security Services (@dfn{NSS}) is a set of libraries designed to
-support cross-platform development of security-enabled client and server
-applications. Applications built with NSS can support SSL v2 and v3, TLS,
-PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
-security standards.")
- (license license:mpl2.0)))
+ (let ((base (make-nss
+ #:version "3.102.1"
+ #:release-date "2024-07-24"
+ #:hash "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l")))
+ (package
+ (inherit base)
+ (synopsis (string-append (package-synopsis base) " (ESR)"))
+ (description
+ (string-append (package-description base) "
+This package tracks the Extended Support Release channel.")))))
;; nss-rapid tracks the rapid release channel. Unless your package requires a
;; newer version, you should prefer the `nss' package, which tracks the ESR
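Review bot: this update silently changes what the `nss` test suite covers. The removed `check` phase (from `- (setenv "DOMSUF" "localdomain")` down to `- (invoke #$(if (target-64bit?) "faketime" "datefudge")`) never set `NSS_CYCLES`, whereas the `make-nss` check phase it now delegates to does `(setenv "NSS_CYCLES" "standard")`, so the ESR package drops the other test cycles it ran before. If that is intended, say so in the commit message; otherwise make the cycle selection a parameter of `make-nss`. Separately, the ChangeLog line `gnu/packages/nss.scm (nss): Update to 3.102.1.` is missing the leading `* `.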
--
2.46.0
Ian Eure wrote 6 months ago
[PATCH 5/6] gnu: nss-rapid: Update to 3.104.
73152@debbugs.gnu.org, Ian Eure <ian@retrospec.tv>
20240909175540.8156-6-ian@retrospec.tv
* gnu/packages/nss.scm (nss-rapid): Update to 3.104.

Change-Id: I22772d75a98a479a65717ea7bcbfbb7986bd0c77
---
gnu/packages/nss.scm | 67 ++++++++------------------------------------
1 file changed, 11 insertions(+), 56 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index b4fdd13abc..b53e6e22cf 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -281,63 +281,18 @@ (define-public nss
;; and https://wiki.mozilla.org/Rapid_Release_Model
(define-public nss-rapid
- (package
- (inherit nss)
- (name "nss-rapid")
- (version "3.103")
- (source (origin
- (inherit (package-source nss))
- (uri (let ((version-with-underscores
- (string-join (string-split version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" version ".tar.gz")))
- (sha256
- (base32
- "0qp9rs226rr6gh51b42cdbydr4mj80cli3bfqhh7bp3jyxbvcjkv"))))
- (arguments
- (substitute-keyword-arguments (package-arguments nss)
- ((#:phases phases)
- #~(modify-phases #$phases
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
-
- ;; This specific test is looking at performance "now
- ;; verify that we can quickly dump a database", and
- ;; we're not testing performance here (especially
- ;; since we're using faketime), so raise the
- ;; threshold
- (substitute* "nss/tests/dbtests/dbtests.sh"
- ((" -lt 5") " -lt 50"))
-
- ;; Since the test suite is very lengthy, run the test
- ;; suite once, not thrice as done by default, by
- ;; selecting only the 'standard' cycle.
- (setenv "NSS_CYCLES" "standard")
-
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-08-17" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))))))
- (synopsis "Network Security Services (Rapid Release)")
- (description
- "Network Security Services (@dfn{NSS}) is a set of libraries designed to
-support cross-platform development of security-enabled client and server
-applications. Applications built with NSS can support SSL v2 and v3, TLS,
-PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
-security standards.
+ (let ((base (make-nss
+ #:version "3.104"
+ #:release-date "2024-08-30"
+ #:hash "13mca2y92sm05kxb40qvlkq8l93ghmrhh0s3iawpc7idc8ik4xp2")))
+ (package
+ (inherit base)
+ (name (string-append (package-name base) "-rapid"))
+ (synopsis (string-append (package-synopsis base) " (Rapid Release)"))
+ (description
+ (string-append (package-description base) "
+This package tracks the Rapid Release channel, which updates frequently.")))))
-This package tracks the Rapid Release channel, which updates frequently.")))
(define-public nsncd
(package
(name "nsncd")
--
2.46.0
Ian Eure wrote 6 months ago
[PATCH 6/6] gnu: nss-certs: Update to 3.102.1.
73152@debbugs.gnu.org, Ian Eure <ian@retrospec.tv>
20240909175540.8156-7-ian@retrospec.tv
* gnu/packages/certs.scm (nss-certs): Update to 3.102.1.

Change-Id: Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10
---
gnu/packages/certs.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index e2de6b168b..9756b089c0 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -133,7 +133,7 @@ (define-public nss-certs
;; FIXME We used to refer to the nss package here, but that eventually caused
;; module cycles. The below is a quick copy-paste job that must be kept in
;; sync manually. Surely there's a better way…?
- (version "3.99")
+ (version "3.102.1")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -144,7 +144,7 @@ (define-public nss-certs
"nss-" version ".tar.gz")))
(sha256
(base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
+ "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
--
2.46.0
Liliana Marie Prikler wrote 6 months ago
Re: [PATCH 3/6] gnu: Add make-nss.
04bf227b79ecc755e5137a8296c2a5458073393f.camel@gmail.com
Am Montag, dem 09.09.2024 um 10:55 -0700 schrieb Ian Eure:
> * gnu/packages/nss.scm (make-nss): New variable.
> NSS builds require time-shifting to their approximate release date to
> build repeatably, because it ships with test certificates which
> expire.  To avoid duplicating the whole package definition between
> `nss' and `nss-rapid', move the bulk of the definition into `make-
> nss', which accepts a version, hash, and release date, allowing reuse
> between the two definitions.
>
> Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
> ---
Note: the explanation should come before the ChangeLog.

Cheers
Christopher Baines wrote 3 weeks ago
Re: [bug#73152] [PATCH 3/6] gnu: Add make-nss.
Ian Eure <ian@retrospec.tv>, 73152@debbugs.gnu.org
87seoehrpb.fsf@cbaines.net
Ian Eure <ian@retrospec.tv> writes:

> * gnu/packages/nss.scm (make-nss): New variable.
> NSS builds require time-shifting to their approximate release date to build
> repeatably, because it ships with test certificates which expire. To avoid
> duplicating the whole package definition between `nss' and `nss-rapid', move
> the bulk of the definition into `make-nss', which accepts a version, hash, and
> release date, allowing reuse between the two definitions.
>
> Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
> ---
> gnu/packages/nss.scm | 166 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 166 insertions(+)

I'm not sure the refactoring here is overall helpful, I think I
understand the motivation but I think it would be simpler and more
readable to stick with the package inheritance approach.

If you just need to change the source, plus the faketime date in
nss-rapid, but want to avoid replacing the entire check phase, maybe you
could change the nss package to use an environment variable
(e.g. GUIX_CHECK_FAKETIME_DATE) for this, and set this environment
variable in a single phase.

So in nss you'd have:

(add-before 'check 'set-GUIX_CHECK_FAKETIME_DATE
  (lambda _
    (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-01-23")))
(replace 'check
  (lambda* (#:key tests? #:allow-other-keys)
    ...
    (invoke #$(if (target-64bit?) "faketime" "datefudge")
            (getenv "GUIX_CHECK_FAKETIME_DATE") "./nss/tests/all.sh")))

Then in nss-rapid you'd just do

(replace 'set-GUIX_CHECK_FAKETIME_DATE
  (lambda _
    (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-08-30")))

Maybe there's a more elegant way to share a value between phases in the
builder, but I think even doing it via an environment variable is still
preferable than using a procedure to create the package. I've spent many
hours debugging complex functional and performance related issues caused
by procedures returning packages, and while it's a powerful tool, it's
something to be avoided unless necessary.

In terms of how to make this kind of change, I'd split it into two
parts. Introducing the environment variable can definitely go to the
core-packages-team branch in my opinion, and the package updates could
maybe as well, but I'd think of it as two separate patch series.
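As an added illustration of the phase-override approach suggested in this reply (my sketch, not Christopher's code and not anything in gnu/packages/nss.scm), here is what a complete `nss-rapid` definition would look like under it. It assumes that `nss` has gained a `set-GUIX_CHECK_FAKETIME_DATE` phase before `check` and that its `check` phase reads `GUIX_CHECK_FAKETIME_DATE`, as in the snippet above; the phase and variable names come from that suggestion and are hypothetical. The version, hash and release date are the 3.104 values from patch 5/6 of this series.

```scheme
;; Added sketch, not from the patch series or from gnu/packages/nss.scm.
;; It assumes `nss' already carries a phase named
;; 'set-GUIX_CHECK_FAKETIME_DATE (added before 'check) and that its 'check
;; phase invokes faketime/datefudge with (getenv "GUIX_CHECK_FAKETIME_DATE").
;; Both names are hypothetical, taken from the suggestion in this thread.
(define-public nss-rapid
  (package
    (inherit nss)
    (name "nss-rapid")
    ;; 3.104 and its hash are the values from patch 5/6 of this series.
    (version "3.104")
    (source (origin
              (inherit (package-source nss))
              (uri (let ((version-with-underscores
                          (string-join (string-split version #\.) "_")))
                     (string-append
                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
                      "releases/NSS_" version-with-underscores "_RTM/src/"
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
                "13mca2y92sm05kxb40qvlkq8l93ghmrhh0s3iawpc7idc8ik4xp2"))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
        #~(modify-phases #$phases
            ;; Only the time-shift date differs between the two packages:
            ;; override the one-line phase and leave the shared 'check
            ;; phase (and its faketime/datefudge selection) untouched.
            (replace 'set-GUIX_CHECK_FAKETIME_DATE
              (lambda _
                ;; Approximate 3.104 release date, from patch 5/6.
                (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-08-30")))))))
    (synopsis "Network Security Services (Rapid Release)")
    (description
     (string-append (package-description nss) "
This package tracks the Rapid Release channel, which updates frequently."))))
```

The point of the layout is that the only build-time difference between the two channels, the date the test suite is run under so that the bundled test certificates are still within their validity window, lives in a single phase; everything else, including which time-shifting tool is used per target, stays in `nss` and is inherited rather than copied.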

Ian Eure wrote 3 weeks ago
Christopher Baines <mail@cbaines.net>, 73152@debbugs.gnu.org
87frkdn2t5.fsf@retrospec.tv
Hi Christopher,

Christopher Baines <mail@cbaines.net> writes:

> Ian Eure <ian@retrospec.tv> writes:
>
>> * gnu/packages/nss.scm (make-nss): New variable.
>> NSS builds require time-shifting to their approximate release
>> date to build
>> repeatably, because it ships with test certificates which
>> expire. To avoid
>> duplicating the whole package definition between `nss' and
>> `nss-rapid', move
>> the bulk of the definition into `make-nss', which accepts a
>> version, hash, and
>> release date, allowing reuse between the two definitions.
>>
>> Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
>> ---
>> gnu/packages/nss.scm | 166
>> +++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 166 insertions(+)
>
> I'm not sure the refactoring here is overall helpful, I think I
> understand the motivation but I think it would be simpler and
> more
> readable to stick with the package inheritance approach.
>
> If you just need to change the source, plus the faketime date in
> nss-rapid, but want to avoid replacing the entire check phase,
> maybe you
> could change the nss package to use an environment variable
> (e.g. GUIX_CHECK_FAKETIME_DATE) for this, and set this
> environment
> variable in a single phase.
>
> So in nss you'd have:
>
> (add-before 'check 'set-GUIX_CHECK_FAKETIME_DATE
> (lambda _
> (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-01-23")))
> (replace 'check
> (lambda* (#:key tests? #:allow-other-keys)
> ...
> (invoke #$(if (target-64bit?) "faketime" "datefudge")
> (getenv "GUIX_CHECK_FAKETIME_DATE")
> "./nss/tests/all.sh")))
>
> Then in nss-rapid you'd just do
>
> (replace 'set-GUIX_CHECK_FAKETIME_DATE
> (lambda _
> (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-08-30")))
>
> Maybe there's a more elegant way to share a value between phases
> in the
> builder, but I think even doing it via an environment variable
> is still
> preferable than using a procedure to create the package. I've
> spent many
> hours debugging complex functional and performance related
> issues caused
> by procedures returning packages, and while it's a powerful
> tool, it's
> something to be avoided unless necessary.

Thank you very much for the detailed review and suggestion. I
like the environment variable approach a lot, and will send an
updated patch series which uses it. I agree with you that
straightforward package definitions are preferable, and this is a
much simpler approach.

> In terms of how to make this kind of change, I'd split it into
> two
> parts. Introducing the environment variable can definitely go to
> the
> core-packages-team branch in my opinion, and the package updates
> could
> maybe as well, but I'd think of it as two separate patch series.

The split that makes sense to me is to send one series to
core-packages-team, consisting of: one patch to use an environment
variable for the release date; a second patch to ungraft nss; and
a third package updating nss to the latest ESR. I believe each
patch in this series will cause nss dependents to rebuild, so it
seems preferable to put those into a single series, rather than
turn a 15k package build into a 45k one.

Then, after core-packages-team merges, a second patch to master
which updates nss-rapid to use the environment variable mechanism.
Since very little depends on this package, it’s safe to update in
master any time.

If that sounds good to you, I’ll close this bug and open a new one
with the first series.

Thank you again for engaging with me on moving forward on this
work.

-- Ian