unofficial mirror of guix-devel@gnu.org 
* Re: 03/03: gnu: nss, nss-certs: Update to 3.27.2.
       [not found] ` <20161214151942.79CB12201D1@vcs.savannah.gnu.org>
@ 2016-12-20 18:56   ` Mark H Weaver
  2016-12-20 19:39     ` Leo Famulari
  2016-12-21  6:09     ` Leo Famulari
  0 siblings, 2 replies; 5+ messages in thread
From: Mark H Weaver @ 2016-12-20 18:56 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

leo@famulari.name (Leo Famulari) writes:

> lfam pushed a commit to branch master
> in repository guix.
>
> commit 7ab3ea426640e4e7ae798a8f72b3c90b383cb824
> Author: Leo Famulari <leo@famulari.name>
> Date:   Tue Dec 13 18:59:50 2016 -0500
>
>     gnu: nss, nss-certs: Update to 3.27.2.
>     
>     * gnu/packages/gnuzilla.scm (nss): Update to 3.27.2.
>     * gnu/packages/certs.scm (nss-certs): Update to 3.27.2.

Thanks for this, but unfortunately this version of 'nss' seems to
consistently fail its test suite on armhf, or at least it has failed 3
times in a row.

  https://hydra.gnu.org/build/1712083

Given the importance of the proper functioning of this package, I'm not
comfortable disabling the tests.

Do we have reason to believe that this update fixes security flaws?  Is
there a compelling reason not to revert this update until a version is
released that passes the test suite on our supported systems?

     Thanks,
       Mark


* Re: 03/03: gnu: nss, nss-certs: Update to 3.27.2.
  2016-12-20 18:56   ` 03/03: gnu: nss, nss-certs: Update to 3.27.2 Mark H Weaver
@ 2016-12-20 19:39     ` Leo Famulari
  2016-12-21  6:09     ` Leo Famulari
  1 sibling, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-12-20 19:39 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel


On Tue, Dec 20, 2016 at 01:56:03PM -0500, Mark H Weaver wrote:
> >     gnu: nss, nss-certs: Update to 3.27.2.
> >     
> >     * gnu/packages/gnuzilla.scm (nss): Update to 3.27.2.
> >     * gnu/packages/certs.scm (nss-certs): Update to 3.27.2.
> 
> Thanks for this, but unfortunately this version of 'nss' seems to
> consistently fail its test suite on armhf, or at least it has failed 3
> times in a row.
> 
>   https://hydra.gnu.org/build/1712083

Thanks for pointing this out.

> Given the importance of the proper functioning of this package, I'm not
> comfortable disabling the tests.

I agree.

> Do we have reason to believe that this update fixes security flaws?  Is
> there a compelling reason not to revert this update until a version is
> released that passes the test suite on our supported systems?

Not as far as I know, although I assume there are some sort of trust
"problems" fixed in each release of nss-certs.

I'll revert it and investigate. I'd rather not wait for an upstream fix
if we can help it.

I notice now that this release appears to require a newer version of
nspr than we package [0]:

"The HG tag is NSS_3_27_2_RTM. NSS 3.27.2 requires NSPR 4.13 or newer."

What do you recommend I do? How about I make an nss-updates branch with
updates to nspr, nss, nss-certs, and possibly other updates in (gnu
packages gnuzilla), and build it on Hydra when resources are available?

[0]
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27.2_Release_Notes


* Re: 03/03: gnu: nss, nss-certs: Update to 3.27.2.
  2016-12-20 18:56   ` 03/03: gnu: nss, nss-certs: Update to 3.27.2 Mark H Weaver
  2016-12-20 19:39     ` Leo Famulari
@ 2016-12-21  6:09     ` Leo Famulari
  2016-12-21 16:38       ` Leo Famulari
  1 sibling, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-12-21  6:09 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Tue, Dec 20, 2016 at 01:56:03PM -0500, Mark H Weaver wrote:
> leo@famulari.name (Leo Famulari) writes:
> 
> > lfam pushed a commit to branch master
> > in repository guix.
> >
> > commit 7ab3ea426640e4e7ae798a8f72b3c90b383cb824
> > Author: Leo Famulari <leo@famulari.name>
> > Date:   Tue Dec 13 18:59:50 2016 -0500
> >
> >     gnu: nss, nss-certs: Update to 3.27.2.
> >     
> >     * gnu/packages/gnuzilla.scm (nss): Update to 3.27.2.
> >     * gnu/packages/certs.scm (nss-certs): Update to 3.27.2.
> 
> Thanks for this, but unfortunately this version of 'nss' seems to
> consistently fail its test suite on armhf, or at least it has failed 3
> times in a row.
> 
>   https://hydra.gnu.org/build/1712083

At least some of these failures are caused by an expired test
certificate:

https://bugzilla.mozilla.org/show_bug.cgi?id=1323978

This breaks compilation of NSS 3.27.1 and 3.27.2 across all of our
architectures.


* Re: 03/03: gnu: nss, nss-certs: Update to 3.27.2.
  2016-12-21  6:09     ` Leo Famulari
@ 2016-12-21 16:38       ` Leo Famulari
  2016-12-29 18:24         ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-12-21 16:38 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel



On Wed, Dec 21, 2016 at 01:09:38AM -0500, Leo Famulari wrote:
> At least some of these failures are caused by an expired test
> certificate:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1323978
> 
> This breaks compilation of NSS 3.27.1 and 3.27.2 across all of our
> architectures.

With the attached patch, I can build NSS 3.27.1 on x86_64. If we decide
to use this patch, let's build it on its own Hydra branch, because I
suspect there is some non-determinism in the test suite, and I'd rather
not make everyone try building it themselves if it fails on Hydra for
some reason.

By the way, Git shows the upstream patch as binary data, but if you
apply the attached patch to your work tree, there is plain text
annotation you can use to reproduce it. I recreate the annotation here:

Update expired test certificate:
https://bugzilla.mozilla.org/show_bug.cgi?id=1323978

Patch copied from upstream source repository:
https://hg.mozilla.org/projects/nss/rev/03429dfa184e

# HG changeset patch
# User Kai Engert <kaie@kuix.de>
# Date 1481895886 -3600
#      Fri Dec 16 14:44:46 2016 +0100
# Node ID 03429dfa184ec0a11bda4e35e6621ee2ab16a928
# Parent  5e7b5e3d301d7c3395ee982e8f082b0babc333c7
Bug 1323978, The PayPalEE test cert has expired, r=bustage

diff -r 5e7b5e3d301d -r 03429dfa184e tests/libpkix/certs/PayPalEE.cert
--- a/nss/tests/libpkix/certs/PayPalEE.cert     Fri Dec 16 13:41:23 2016 +0100
+++ b/nss/tests/libpkix/certs/PayPalEE.cert     Fri Dec 16 14:44:46 2016 +0100
@@ -1,8 +1,9 @@
[... binary data ...]
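Review bot: The ---/+++ lines name a/nss/tests/libpkix/certs/PayPalEE.cert, while the hg diff line above them names tests/libpkix/certs/PayPalEE.cert, so the paths do not match the upstream changeset header. The annotation should say that the nss/ prefix was added, so that someone reproducing the patch from https://hg.mozilla.org/projects/nss/rev/03429dfa184e knows the difference is intentional.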

[-- Attachment #1.2: 0001-gnu-nss-Fix-build-failure-caused-by-expired-test-cer.patch --]
[-- Type: text/plain, Size: 5228 bytes --]

From e19cd9120b7e62f88dd5b0a1fae099d1e01650eb Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 20 Dec 2016 21:29:19 -0500
Subject: [PATCH] gnu: nss: Fix build failure caused by expired test
 certificate.

* gnu/packages/patches/nss-update-expired-test-cert.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (nss)[source]: Use it.
---
 gnu/local.mk                                            |   1 +
 gnu/packages/gnuzilla.scm                               |   3 ++-
 gnu/packages/patches/nss-update-expired-test-cert.patch | Bin 0 -> 3403 bytes
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/nss-update-expired-test-cert.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3a56c840b..77d8914bd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -741,6 +741,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ninja-zero-mtime.patch			\
   %D%/packages/patches/node-9077.patch				\
   %D%/packages/patches/nss-pkgconfig.patch			\
+  %D%/packages/patches/nss-update-expired-test-cert.patch	\
   %D%/packages/patches/nvi-assume-preserve-path.patch		\
   %D%/packages/patches/nvi-dbpagesize-binpower.patch		\
   %D%/packages/patches/nvi-db4.patch				\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 07ed2af0b..7439af131 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -203,7 +203,8 @@ in the Mozilla clients.")
                (base32
                 "0sraxk26swlgl7rl742rkfp5k251v5z3lqw9k8ikin0cjfhkfdpx"))
               ;; Create nss.pc and nss-config.
-              (patches (search-patches "nss-pkgconfig.patch"))))
+              (patches (search-patches "nss-pkgconfig.patch"
+                                       "nss-update-expired-test-cert.patch"))))
     (build-system gnu-build-system)
     (outputs '("out" "bin"))
     (arguments
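Review bot: In the (patches ...) form, the existing comment ";; Create nss.pc and nss-config." now sits above a list that also contains nss-update-expired-test-cert.patch, which it does not describe. Add a comment for the new entry that points to the upstream bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1323978), so it is clear that the patch only replaces a test certificate and can be dropped once NSS is updated to a release that includes the fix.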
diff --git a/gnu/packages/patches/nss-update-expired-test-cert.patch b/gnu/packages/patches/nss-update-expired-test-cert.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e7cd6eda46e7b016c92561e0651ade7dc90c91b
GIT binary patch
literal 3403

literal 0
HcmV?d00001
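Review bot: nss-update-expired-test-cert.patch is added as a GIT binary patch, so neither the certificate change nor the annotation inside the file can be read in review, and the commit message does not say where the file comes from. Mention the upstream changeset (https://hg.mozilla.org/projects/nss/rev/03429dfa184e) in the commit message so the 3403-byte file can be checked against it.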

-- 
2.11.0



* Re: 03/03: gnu: nss, nss-certs: Update to 3.27.2.
  2016-12-21 16:38       ` Leo Famulari
@ 2016-12-29 18:24         ` Leo Famulari
  0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-12-29 18:24 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel


On Wed, Dec 21, 2016 at 11:38:00AM -0500, Leo Famulari wrote:
> From e19cd9120b7e62f88dd5b0a1fae099d1e01650eb Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Tue, 20 Dec 2016 21:29:19 -0500
> Subject: [PATCH] gnu: nss: Fix build failure caused by expired test
>  certificate.

I pushed this to the staging branch. We can see if it works in the next
evaluation.
