From: Ian Eure
To: guix-devel@gnu.org
Subject: Proposal: nss updates
Date: Thu, 27 Jun 2024 07:13:11 -0700
Message-ID: <87ikxu4e2q.fsf@meson>

The nss package updates frequently, around once a month. It's
also very low in the package graph, so a ton of stuff depends on
it. The most recent update was a graft for security fixes, so we
didn't have to rebuild everything, but the new Librewolf version
once again requires an nss update. I'm considering options to
balance update frequency vs. huge rebuilds.

Mozilla has strong compatibility guarantees for nss, so the risk
of packages breaking is very small. This is purely about the cost
in CPU time to build and bandwidth to transfer packages.

Mozilla provides an ESR channel for nss, but Guix doesn't use it —
we went from 3.88.1 to 3.99, skipping 3.91, which is the current
ESR.

I think the default nss in Guix should be the ESR, but we should
also have a package for the latest nss, for stuff which needs it.
This would let us update to the most recent nss without rebuilding
so much, and only eat that cost when there’s a new ESR -- this
happens approximately once a year.

Concretely:

The current nss package should stay how it is. When the next ESR
happens, it should update to that (ungrafting nss at the same
time), and track ESR releases only from that point forward. I
don’t think it would make sense to downgrade the current 3.99
package to the 3.91 ESR, so this will be a little funky until that
release happens.

The latest version of nss should be added as a second package,
named "nss-latest", bound to `nss-latest'. It should track
updates as frequently as needed.

While I’d prefer having the packages named "nss-esr" and "nss", I
think the ESR should get the more prominent "nss" name, which
should make it easy for developers to do the right thing -- if a
bunch of packages depend on nss-latest, we’re back to the initial
problem. Code comments documenting this would also be added.

We might also want to adopt this approach for nspr.

I’m not sure about nss-certs; I think that should probably track
the nss ESR, and I don’t think there’s a compelling need for a
package tracking the rapid release channel. I do want to improve
this package by having it reuse the origin of nss instead of
duplicating it.

Does all this seem reasonable to everyone? If so, I can start
sending patches.

Thanks,

 — Ian