Subject: bug#40316: [PATCH 3/6] gnu: nss: Make reproducible.
To: Vagrant Cascadian, 40316@debbugs.gnu.org
Cc: zhengjunjie@iscas.ac.cn, steve@futurile.net
Date: Thu, 2 May 2024 13:51:34 +0100
From: Christina O'Donnell

Hi Vagrant,

On 26/04/2024 23:58, Vagrant Cascadian wrote:
> On 2024-04-26, Christina O'Donnell wrote:
>> gnu/packages/patches/nss-Disable-library-signing.patch: Disable library
>> signing to make the build reproducible.
>> gnu/packages/nss.scm (nss): Apply this new patch.
> Nice!

I have reordered my commits to first update to 3.99, before making nss reproducible. The more

This is similar to the approach that Nix takes, though Nix adds a parameter that enables FIPS and shlibsign again. Is it worth adding a parameter to re-enable FIPS?

>> diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch
>> new file mode 100644
>> index 00000000000..b488d29dcad
>> --- /dev/null
>> +++ b/gnu/packages/patches/nss-Disable-library-signing.patch
>> @@ -0,0 +1,67 @@
>> +From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001
>> +Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git.cdo@mutix.org>
>> +From: Christina O'Donnell
>> +Date: Thu, 25 Apr 2024 16:35:50 +0100
>> +Subject: [PATCH] nss: Disable library signing.
>> +
>> +---
>> + nss/cmd/shlibsign/Makefile | 32 +-------------------------------
>> + 1 file changed, 1 insertion(+), 31 deletions(-)
> I think it would be good to explain why this patch is included, not just
> in the git commit message, but in the patch comments itself. I realize
> the patch actually includes a comment about non-determinism, but it is a
> bit lost in the diff.

Okay I've added a description to the v3 patch.

> Also, might be worth briefly explaining why disabling this feature is
> unlikely to break anything, etc.

I was actually wrong about this on my v1 patch, that did break the FIPS tests. However disabling FIPS is what Nix does by default and all other tests pass without it.

I have noticed that Nix parameterizes on whether FIPS is enabled so users can re-enable FIPS if they need it for their use-cases. Is it worth doing something similar here, or would that add too much complexity?

> Curious if there might be some way to leave most of the code in place,
> disable it... otherwise on version updates it is more likely to result
> in conflicts with even minor changes...

I've shrunk the patches to be a few lines each.

Kind regards,

Christina

> live well,
> vagrant
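
Review bot: the header of the embedded nss-Disable-library-signing.patch goes straight from the "Subject: [PATCH] nss: Disable library signing." line to "---" with no description, so the reason for the change lives only in the Guix commit message. Add a few lines after the Subject stating that library signing is disabled to make the build reproducible and what is given up in exchange (the thread notes the FIPS tests depend on it). The diffstat of 1 insertion and 31 deletions in nss/cmd/shlibsign/Makefile also means most of that Makefile is removed; a change that only skips the signing step would be less likely to conflict on version updates.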