From: Björn Höfling
Subject: Re: Build failure on nss-3.36.1
Date: Sat, 3 Nov 2018 21:46:14 +0100
Message-ID: <20181103214614.1133f960@alma-ubu>
In-Reply-To: <3B8089BF-2CE3-428D-8623-F1E1661E8E6E@inskydata.com>
To: Brian Woodcox
Cc: help-guix@gnu.org

Hi,

On Sat, 3 Nov 2018 11:28:26 -0600
Brian Woodcox wrote:

> I’m getting a build failure when building nss-3.36.1.
>
> I have the entire log. Here is the end part of it.
>
> Any ideas?

This package does not build reproducibly. At least in the long term:
There are tests that check certificates on temporal validity and that
depends on the system time.

I can reproduce your result with the 3.39 version. It looks like one
certificate is expired.

All 6 failing tests look about like this one:

s -d AllDB -pp - PASSED
chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1
vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-build-nss-3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED

I don't know how to check the expiration date of PayPalEE.cert. It
looks like upstream has not yet worked on it, as the file was last
modified two years ago:

https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert

Compare also this bug that demands non-expiring certificates:

https://bugzilla.mozilla.org/show_bug.cgi?id=1330010

Building 3.40 does not work with just updating version/hashsum.

A quick solution would be to build nss from a Guix git-checkout and
disable tests.

Björn
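
Added example, not part of the original message and not NSS or Guix code: the message ties the test failures to a certificate's validity period versus the system time, so this stdlib-only Python code reads notBefore/notAfter from an X.509 certificate and compares notAfter with a chosen build time. It assumes DER-encoded input (a PEM file would need base64-decoding first); `SAMPLE` is a constructed skeleton with made-up dates, not the contents of PayPalEE.cert, and all function names are hypothetical.

```python
from datetime import datetime, timezone

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):
    """Yield (tag, value_bytes) for each element inside a constructed value."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, buf[vs:ve]
        start = ve

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:  # otherwise it must be GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("not a Time element")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as UTC datetimes."""
    _, s, e = read_tlv(der, 0)  # Certificate SEQUENCE
    _, s, e = read_tlv(der, s)  # tbsCertificate SEQUENCE
    # Drop the optional [0] version; then: serial, signature, issuer, validity.
    fields = [f for f in children(der, s, e) if f[0] != 0xA0]
    val = fields[3][1]
    (t1, r1), (t2, r2) = children(val, 0, len(val))
    return parse_time(t1, r1), parse_time(t2, r2)

def expired_at(der, when):
    """True if the certificate's notAfter lies before the given (build) time."""
    return when > validity(der)[1]

def _tlv(tag, body=b""):  # short-form DER encoder, enough for the sample below
    return bytes([tag, len(body)]) + body

# Constructed skeleton: version, serial, empty signature/issuer, validity only.
SAMPLE = _tlv(0x30, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30) + _tlv(0x30)
    + _tlv(0x30, _tlv(0x17, b"160101000000Z") + _tlv(0x18, b"20180101000000Z"))))
```

To inspect a file, pass `open(path, "rb").read()` to `validity` and compare the second value with the time the build runs at.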