GNU bug report logs - #33253: nss cannot build
Reported by: Gnu Röoty <walidslack <at> gmail.com>
Date: Sun, 4 Nov 2018 09:54:01 UTC
Severity: normal
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#33253; Package guix. (Sun, 04 Nov 2018 09:54:02 GMT)
Acknowledgement sent to Gnu Röoty <walidslack <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 04 Nov 2018 09:54:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi, from 2 days I build the installation of GuixSD to berlin.guixsd.org and
nss-3.36.6 can't build.
Information forwarded to bug-guix <at> gnu.org: bug#33253; Package guix. (Sun, 04 Nov 2018 12:53:02 GMT)
Message #8 received at submit <at> debbugs.gnu.org:
On 2018-11-04 04:52, Gnu Röoty wrote:
> HI from 2 days I build the installation of guixSD to berlin.guixsd.org and nss-3.36.6 cant build.
Errors?
Tested solutions?
Understandings about Guix?
Please provide information so that helping is not so difficult.
Information forwarded to bug-guix <at> gnu.org: bug#33253; Package guix. (Sun, 04 Nov 2018 16:31:01 GMT)
Message #11 received at 33253 <at> debbugs.gnu.org:
On Sun, 4 Nov 2018 09:52:44 +0000
Gnu Röoty <walidslack <at> gmail.com> wrote:
> HI from 2 days I build the installation of guixSD to
> berlin.guixsd.org and nss-3.36.6 cant build.
This was also reported on guix-help by Brian Woodcox.
Here is some analysis I reported to that thread:
This package does not build reproducibly. At least in the long term:
There are tests that check certificates on temporal validity and that
depends on the system time.
I can reproduce your result with the 3.39 version. It looks like one
certificate is expired. All 6 failing tests look about like this one:
s -d AllDB -pp - PASSED
chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1
vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-build-nss-3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
I don't know how to check the expiration date of PayPalEE.cert.
It looks like upstream has not yet worked on it, as the file was last
modified two years ago:
https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
Cmp also this bug that demands non-expiration certificates:
https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
Building 3.40 does not work with just updating version/hashsum.
A quick solution would be to build nss from a Guix git-checkout and
disable tests. But it has many dependencies, so you more or less rebuild the world.
Björn
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Sat, 03 Apr 2021 04:45:02 GMT)
Notification sent to Gnu Röoty <walidslack <at> gmail.com>: bug acknowledged by developer. (Sat, 03 Apr 2021 04:45:02 GMT)
Message #16 received at 33253-done <at> debbugs.gnu.org:
Hi,
Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> writes:
> On Sun, 4 Nov 2018 09:52:44 +0000
> Gnu Röoty <walidslack <at> gmail.com> wrote:
>
>> HI from 2 days I build the installation of guixSD to
>> berlin.guixsd.org and nss-3.36.6 cant build.
>
> This was also reported on guix-help by Brian Woodcox.
>
> Here is some analysis I reported to that thread:
>
> This package does not build reproducibly. At least in the long term:
> There are tests that check certificates on temporal validity and that
> depends on the system time.
>
> I can reproduce your result with the 3.39 version. It looks like one
> certificate is expired. All 6 failing tests look about like this one:
>
>
> s -d AllDB -pp - PASSED
> chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp
> -o OID.2.16.840.1.114412.1.1
> vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-build-nss
> -3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. PayPalEE :
> ERROR -8181: Peer's Certificate has expired.
> Returned value is 1, expected result is pass
> chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert
> with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
>
>
> I don't know how to check the expiration date of PayPalEE.cert.
>
> It looks like upstream has not yet worked on it, as the file was lastly
> modified two years ago:
>
> https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
>
> Cmp also this bug that demands non-expiration certificates:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
>
> Building 3.40 does not work with just updating version/hashsum.
>
> A quick solution would be to build nss from a Guix git-checkout and
> disable tests. But it has many dependencies, so you more or less rebuild the world.
>
>
> Björn
Since at least Thu Apr 4 15:14:57 2019 +0200, the test dealing with the
problematic PayPalEE.cert certificate is now done after faking the time
to a date around the release date with the 'faketime' utility.
As nss builds fine currently, I'm marking this bug as done.
Thanks for the report!
Maxim
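
An added example, not part of the thread and not taken from the Guix or NSS sources: using the openssl command line, it reads a certificate's expiry date (the check asked about in message #11) and verifies the certificate at a pinned time with -attime, which plays the role that faketime plays in the fix described in message #16. The certificate, its subject and the file names are constructed here; for a DER-encoded file pass DER as the second argument (whether PayPalEE.cert is DER or PEM is an assumption to check).

```shell
#!/bin/sh
# Added example: check a certificate's expiry and verify it at a pinned time.
# The generated certificate and all file names are constructed for illustration.

# make_test_cert DIR DAYS: write a self-signed cert valid for DAYS days from now.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-test-cert" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_not_after FILE [PEM|DER]: print the notAfter (expiry) date of FILE.
cert_not_after() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -enddate | cut -d= -f2
}

# cert_valid_in FILE SECONDS: succeed if FILE is still valid SECONDS from now.
# A packager can use this to flag test certificates that will expire soon.
cert_valid_in() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# verify_at FILE EPOCH: verify a self-signed cert (used as its own trust
# anchor) as if the clock read EPOCH, so the verdict does not depend on the
# wall clock of the build machine.
verify_at() {
    openssl verify -attime "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh script.sh CERT [PEM|DER]   reports when CERT expires.
if [ "$#" -ge 1 ]; then
    echo "notAfter: $(cert_not_after "$1" "${2:-PEM}")"
fi
```

The same certificate passes when verified inside its validity window and fails afterwards, which is why a test suite that validates a real certificate against the current time stops building once that certificate expires.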
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 01 May 2021 11:24:12 GMT)