From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?Q?Bj=C3=B6rn_?= =?UTF-8?Q?H=C3=B6fling?= Subject: bug#33253: nss cannot build Date: Sun, 4 Nov 2018 17:30:14 +0100 Message-ID: <20181104173014.0a56d2dd@alma-ubu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; boundary="Sig_/tpLCyC=R2s8Q6l4hSFkhvBG"; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:49671) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gJLIp-0000i7-6K for bug-guix@gnu.org; Sun, 04 Nov 2018 11:31:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gJLIk-00037l-8S for bug-guix@gnu.org; Sun, 04 Nov 2018 11:31:07 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:58156) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gJLIk-00037Q-31 for bug-guix@gnu.org; Sun, 04 Nov 2018 11:31:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1gJLIj-00024N-SB for bug-guix@gnu.org; Sun, 04 Nov 2018 11:31:01 -0500 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Gnu =?UTF-8?Q?R=C3=B6oty?= Cc: 33253@debbugs.gnu.org --Sig_/tpLCyC=R2s8Q6l4hSFkhvBG Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Sun, 4 Nov 2018 09:52:44 +0000 Gnu R=C3=B6oty wrote: > HI from 2 days I build the installation of guixSD to > berlin.guixsd.org and nss-3.36.6 cant build. This was also reported on guix-help by Brian Woodcox. Here is some analysis I reported to that thread: This package does not build reproducibly. At least in the long term: There are tests that check certificates on temporal validity and that depends on the system time. I can reproduce your result with the 3.39 version. It looks like one certificate is expired. All 6 failing tests look about like this one: s -d AllDB -pp - PASSED chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp = =20 -o OID.2.16.840.1.114412.1.1=20 vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-buil= d-nss -3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert=20 Chain is bad! PROBLEM WITH THE CERT CHAIN: CERT 0. PayPalEE : ERROR -8181: Peer's Certificate has expired. Returned value is 1, expected result is pass chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert with f= lags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED I don't know how to check the expiration date of PayPalEE.cert. It looks like upstream has not yet worked on it, as the file was lastly modified two years ago: https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.ce= rt Cmp also this bug that demands non-expiration certificates: https://bugzilla.mozilla.org/show_bug.cgi?id=3D1330010 Building 3.40 does not work with just updating version/hashsum. A quick solution would be to build nss from a Guix git-checkout and disable tests. But it has many dependencies, so you more or less rebuild th= e world. Bj=C3=B6rn --Sig_/tpLCyC=R2s8Q6l4hSFkhvBG Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlvfHpYACgkQvyhstlk+X/2UGgCeNOjEgts62kBSjaZU8RFSLLj9 KB0An0bAlIcLxQzTvq4fzO6yz+kekcBo =6Iju -----END PGP SIGNATURE----- --Sig_/tpLCyC=R2s8Q6l4hSFkhvBG--