From: Maxim Cournoyer
To: Christopher Baines
Cc: 70663@debbugs.gnu.org, Ian Eure
Subject: bug#70663: nss@3.99 is really hard to build
Date: Tue, 14 May 2024 08:58:52 -0400

Hi,

Christopher Baines writes:

[...]

>> I think there's two issues here, was this spotted before merging, and
>> what if anything can be done about this now. Where there's not a
>> substitute available for nss@3.99, this will affect guix pull/guix
>> time-machine, e.g.
>>
>> → guix time-machine --commit=72308f262c910977e40c2c9f350dc563c0a8437a -- describe
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
>> substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
>> substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
>> nss-3.99.tar.xz 55.2MiB 13.7MiB/s 00:04 ▕██████████████████▏ 100.0%
>> building /gnu/store/8379qa0y6s7ssjr8gplm5fyw9r5pnxhn-nss-3.99.0.drv...
>
> So with the changes in #70693 merged, this issue should be fixed going
> forward, but the revisions with the broken nss are going to be affected
> forever and thus the impact is going to drag on for a while. For
> example, data.guix.gnu.org is going to be struggling to process the
> revisions with the broken nss for a long while to come.
>
> Before closing this bug, it would be good to understand more about how
> this happened and from that try to think if anything can be done to
> prevent similar issues in the future?
>
> At least from what I can see on the issues, the problem was introduced
> with the update to 3.98.0 [3] and then continued with the update to 3.99
> [4]. Given the changes in 70662 were sent to guix-patches and then
> merged less than 24 hours later, I'd imagine that wasn't sufficient time
> for data.qa.guix.gnu.org to fail attempting to build nss.

I think in [3] you meant https://issues.guix.gnu.org/70569, not #70662.

Since this was security sensitive, I built it on x86_64, tested it there
to ensure that IceCat worked as expected, had others confirm it worked
for them on #guix, then pushed. In the past, I've had more patience
waiting for QA to build things, but since this is not guaranteed (it
sometimes never happened), it seems reasonable to me to promptly push
security fixes that were manually built & tested and adjust for any
breakage later, if there is any.

> 3: https://issues.guix.gnu.org/70662
> 4: https://issues.guix.gnu.org/70618
>
> Had the changes waited for longer, then these failures should have been
> spotted by QA, I would guess that the revision might have failed to be
> processed, and if it was processed successfully, the nss failures should
> have shown up, so maybe we should start requiring [5] that not only are
> changes sent to guix-patches@gnu.org, but that QA processes them (to
> some extent) before merging?

I have some apprehensions about that; given the QA build farm is
somewhat under-resourced for builds, I fear security changes could be
gated for longer periods of time than is reasonable to wait. If we go
that route, I think we should dedicate more hardware first.

--
Thanks,
Maxim