On Tue, Mar 14, 2017 at 05:02:12PM -0400, Mark H Weaver wrote:
> This is not really sustainable.  A single build attempt takes 7 hours on
> armhf, and about 40 hours on mips.  When the failure occurs, it causes
> hundreds of other dependency failures, which must be restarted manually,
> one at a time, via the web interface.  (We have a way to restart *all*
> dependency failures, but that results in a huge amount of wasted work
> for Hydra).
> 
> We need test suites to be robust on heavily loaded build machines.

I agree that this situation is not sustainable. If we are committed to
offering substitutes, we can't have such a critical package not building
reliably.

But, it seems unsatisfactory to not update NSS / nss-certs without
working towards a real solution.

Nss-certs provides the CA certificate store in Guix. It does get updated
along with NSS [0], although not in every NSS release.

I think we should find a way to decouple the certificate store from NSS,
since we can't build NSS reliably.

> Is there a compelling reason not to revert this update for now?

Since there were no changes to the certificates between 3.29.2 and
3.29.3, I think it's fine to revert.

[0]
https://wiki.mozilla.org/NSS:Release_Versions