GNU bug report logs - #33253
nss cannot build

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 33253 in the body.
You can then email your comments to 33253 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Gnu Röoty <walidslack <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: nss cannot build
Date: Sun, 4 Nov 2018 09:52:44 +0000

[Message part 1 (text/plain, inline)]

HI from 2 days I build the installation of guixSD to berlin.guixsd.org and
nss-3.36.6 cant build.

[Message part 2 (text/html, inline)]

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Quiliro Ordonez <quiliro <at> riseup.net>
To: bug-guix <at> gnu.org
Subject: Re: bug#33253: nss cannot build
Date: Sun, 04 Nov 2018 04:52:29 -0800

El 2018-11-04 04:52, Gnu Röoty escribió:

> HI from 2 days I build the installation of guixSD to berlin.guixsd.org and nss-3.36.6 cant build.

Errors?
Tested solutions?
Understandings about Guix?

Please provide information so that helping is not so difficult.

Message #11 received at 33253 <at> debbugs.gnu.org (full text, mbox):

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: Gnu Röoty <walidslack <at> gmail.com>
Cc: 33253 <at> debbugs.gnu.org
Subject: Re: bug#33253: nss cannot build
Date: Sun, 4 Nov 2018 17:30:14 +0100

[Message part 1 (text/plain, inline)]

On Sun, 4 Nov 2018 09:52:44 +0000
Gnu Röoty <walidslack <at> gmail.com> wrote:

> HI from 2 days I build the installation of guixSD to
> berlin.guixsd.org and nss-3.36.6 cant build.

This was also reported on guix-help by Brian Woodcox.

Here is some analysis I reported to that thread:

This package does not build reproducibly. At least in the long term:
There are tests that check certificates on temporal validity and that
depends on the system time.

I can reproduce your result with the 3.39 version. It looks like one
certificate is expired. All 6 failing tests look about like this one:


s -d AllDB -pp       - PASSED
chains.sh: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp      
-o OID.2.16.840.1.114412.1.1 
vfychain -d AllDB -pp -vv      -o OID.2.16.840.1.114412.1.1  /tmp/guix-build-nss
-3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert 
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1555: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp      -o OID.2.16.840.1.114412.1.1  - FAILED


I don't know how to check the expiration date of PayPalEE.cert.

It looks like upstream has not yet worked on it, as the file was lastly
modified two years ago:

https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert

Cmp also this bug that demands non-expiration certificates:

https://bugzilla.mozilla.org/show_bug.cgi?id=1330010

Building 3.40 does not work with just updating version/hashsum.

A quick solution would be to build nss from a Guix git-checkout and
disable tests. But it has many dependencies, so you more or less rebuild the world.


Björn

[Message part 2 (application/pgp-signature, inline)]

Message #16 received at 33253-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
Cc: 33253-done <at> debbugs.gnu.org,
 Gnu Röoty <walidslack <at> gmail.com>
Subject: Re: bug#33253: nss cannot build
Date: Sat, 03 Apr 2021 00:44:11 -0400

Hi,

Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> writes:

> On Sun, 4 Nov 2018 09:52:44 +0000
> Gnu Röoty <walidslack <at> gmail.com> wrote:
>
>> HI from 2 days I build the installation of guixSD to
>> berlin.guixsd.org and nss-3.36.6 cant build.
>
> This was also reported on guix-help by Brian Woodcox.
>
> Here is some analysis I reported to that thread:
>
> This package does not build reproducibly. At least in the long term:
> There are tests that check certificates on temporal validity and that
> depends on the system time.
>
> I can reproduce your result with the 3.39 version. It looks like one
> certificate is expired. All 6 failing tests look about like this one:
>
>
> s -d AllDB -pp       - PASSED
> chains.sh: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp      
> -o OID.2.16.840.1.114412.1.1 
> vfychain -d AllDB -pp -vv      -o OID.2.16.840.1.114412.1.1  /tmp/guix-build-nss
> -3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert 
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. PayPalEE :
>   ERROR -8181: Peer's Certificate has expired.
> Returned value is 1, expected result is pass
> chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert
> with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
>
>
> I don't know how to check the expiration date of PayPalEE.cert.
>
> It looks like upstream has not yet worked on it, as the file was lastly
> modified two years ago:
>
> https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
>
> Cmp also this bug that demands non-expiration certificates:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
>
> Building 3.40 does not work with just updating version/hashsum.
>
> A quick solution would be to build nss from a Guix git-checkout and
> disable tests. But it has many dependencies, so you more or less rebuild the world.
>
>
> Björn

Since at least Thu Apr 4 15:14:57 2019 +0200, the test dealing with the
problematic PayPalEE.cert certificate is now done after faking the time
to a date around the release date with the 'faketime' utility.

As nss builds fine currently, I'm marking this bug as done.

Thanks for the report!

Maxim

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.