From: Christopher Baines
To: "pelzflorian (Florian Pelz)"
Cc: 70663@debbugs.gnu.org, Maxim Cournoyer, Ian Eure
Subject: bug#70663: nss@3.99 is really hard to build
Date: Tue, 14 May 2024 14:37:35 +0100
Message-ID: <877cfwzf8g.fsf@cbaines.net>
In-Reply-To: <87eda4vfx9.fsf@pelzflorian.de>

"pelzflorian (Florian Pelz)" writes:

> Hello Christopher.
>
> Christopher Baines writes:
>> Had the changes waited for longer, then these failures should have been
>> spotted by QA, I would guess that the revision might have failed to be
>> processed, and if it was processed successfully, the nss failures should
>> have shown up, so maybe we should start requiring [5] that not only are
>> changes sent to guix-patches@gnu.org, but that QA processes them (to
>> some extent) before merging?
>>
>> 5: https://guix.gnu.org/manual/devel/en/html_node/Managing-Patches-and-Branches.html#
>
> Yes, though note that the nss change did provide security fixes:
>
> commit e584ff08b162c46ef587daca438e97d56bc20b32
> Author: Maxim Cournoyer
> Date:   Wed Apr 24 11:22:30 2024 -0400
>
>     gnu: nss: Graft with version 3.98 [security fixes].
>
>     This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.
>
>     * gnu/packages/nss.scm (nss) [replacement]: New field.
>     (nss-3.98): Rename variable to...
>     (nss/fixed): ... this. Make it a hidden package.
>     * gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
>     nss/fixed.
>
>     Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
>
> I suppose the requirement to wait for QA should apply to security fixes
> as well?

Well, there's a risk in not testing things across multiple
machines/architectures at least. The value of getting a security fix
merged quickly is reduced if users on some architectures/systems can't
use it.

There's always going to be trade-offs, and that's fine, but the question
is more what can be done to try and improve things for the future.