From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: 02/05: gnu: nss, nss-certs: Update to 3.29.3. Date: Tue, 14 Mar 2017 17:27:01 -0400 Message-ID: <20170314212701.GA8440@jasmine> References: <20170313174039.25881.89989@vcs0.savannah.gnu.org> <20170313174040.C5C6B20CAB@vcs0.savannah.gnu.org> <878to8qssk.fsf@netris.org> <87innc43ub.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871stzh8rv.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="uAKRQypu60I7Lcqm" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:58216) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cntyH-0003Qc-LO for guix-devel@gnu.org; Tue, 14 Mar 2017 17:27:10 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cntyC-0005rJ-Mu for guix-devel@gnu.org; Tue, 14 Mar 2017 17:27:09 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:45279) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cntyC-0005qy-Gw for guix-devel@gnu.org; Tue, 14 Mar 2017 17:27:04 -0400 Content-Disposition: inline In-Reply-To: <871stzh8rv.fsf@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mark H Weaver Cc: guix-devel@gnu.org --uAKRQypu60I7Lcqm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Mar 14, 2017 at 05:02:12PM -0400, Mark H Weaver wrote: > This is not really sustainable. A single build attempt takes 7 hours on > armhf, and about 40 hours on mips. When the failure occurs, it causes > hundreds of other dependency failures, which must be restarted manually, > one at a time, via the web interface. (We have a way to restart *all* > dependency failures, but that results in a huge amount of wasted work > for Hydra). >=20 > We need test suites to be robust on heavily loaded build machines. I agree that this situation is not sustainable. If we are committed to offering substitutes, we can't have such a critical package not building reliably. But, it seems unsatisfactory to not update NSS / nss-certs without working towards a real solution. Nss-certs provides the CA certificate store in Guix. It does get updated along with NSS [0], although not in every NSS release. I think we should find a way to decouple the certificate store from NSS, since we can't build NSS reliably. > Is there a compelling reason not to revert this update for now? Since there were no changes to the certificates between 3.29.2 and 3.29.3, I think it's fine to revert. [0] https://wiki.mozilla.org/NSS:Release_Versions --uAKRQypu60I7Lcqm Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAljIYCIACgkQJkb6MLrK fwjceg/9GG6ZXwuivKmcblERvSIegegGvLWNbCAK7eMxQ8zSPV5S9uujLy+lkmhB V47gHirAKip2hQQxmdoO425XzTC3R9Pa1K66SzOYiOnsUixEn5v9vH+yID+ojWt5 TcnLnJdB3hMyPpz7MaISTnTUT4FAvNCNu9iKI+F3GYzoex38UNHYqIvjHqhGrEB/ pAXM5btFkz9bQO9WBFe/9ij25jgf92rGlGGhmdaTB2wMiapbA+ypaLesW/Ch80nV ql4tYvmZ11Sca32IYavT6yaq3N6fbvKtt7rooWqvIKzmROFpuikS9B2AAcYq2OZb RWr9CKyCvH9V/lbY6VsrI7gHAN+6WEOgOwuPBK/UzdAik5LJ1jr5+biFaxAZ8/3i 55vAlfs7HbGbsyh2YP8Rm1U/jt/na4y4FmGcW013rgm9fc10UGKog1ddnWwY9/oK 5KykC6rK1Tz37nB1YYWmqL7SAwBugFwrmIwZlbL527QPVINl5TqKmUCcz4fJ4azA /YwuZig7Pu6G3lbql5H1TJhHVLR3GzOhMA/mnvp/A5B2jQdQ6i7CbYnUqFcfpxPC r0lTsd0xQ/+2L7EGkCDob98MwfAettgKn0Owx+LGM40zuV68QdF8A2dq47Gza5Ki wajL2gdffnqw+chfDfgtLXrqgBh3CcVlfW7BSQJ3WfQafoYN1u0= =MkQL -----END PGP SIGNATURE----- --uAKRQypu60I7Lcqm--