Subject: bug#40316: [PATCH v4 5/5] gnu: nss: Make reproducible.
Resent-From: Christina O'Donnell
Resent-Date: Thu, 02 May 2024 15:18:03 +0000
To: 40316@debbugs.gnu.org
Cc: Christina O'Donnell , zhengjunjie@iscas.ac.cn, vagrant@reproducible-builds.org, steve@futurile.net
From: Christina O'Donnell
Date: Thu, 2 May 2024 16:15:59 +0100
Message-ID: <12fc4d22d99423f78edd650bdd1c9816294dcc56.1714662574.git.cdo@mutix.org>
X-Mailer: git-send-email 2.41.0

gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is required because FIPS relies on libraries signed with shlibsign, which is inherently non-deterministic. This removes all non-determinism from this package.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1
---
 gnu/packages/nss.scm                               |  4 ++-
 .../nss-define-NSS_FIPS_DISABLED.patch             | 29 ++++++++++++++++
 .../patches/nss-disable-shlibsign.patch            | 33 +++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
 create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..ecc1c5156b 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,9 @@ (define-public nss ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" - "nss-increase-test-timeout.patch")) + "nss-increase-test-timeout.patch" + "nss-disable-shlibsign.patch" + "nss-define-NSS_FIPS_DISABLED.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch new file mode 100644 index 0000000000..40ac66e365 --- /dev/null +++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch @@ -0,0 +1,29 @@ +From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001 +Message-ID: +From: Christina O'Donnell +Date: Thu, 2 May 2024 12:34:40 +0100 +Subject: [PATCH] Define NSS_FIPS_DISABLED. + +Disable FIPS as it depends on shlibsign which is non-deterministic. +--- + nss/coreconf/config.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk +index 741bbee..e02e5d2 100644 +--- a/nss/coreconf/config.mk ++++ b/nss/coreconf/config.mk +@@ -215,7 +215,7 @@ endif + # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support + # executing the startup tests at library load time. + ifndef NSS_FORCE_FIPS +-DEFINES += -DNSS_NO_INIT_SUPPORT ++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED + endif + + ifdef NSS_SEED_ONLY_DEV_URANDOM + +base-commit: 490a62da7d23b579fab71a84e2107f414187738d +-- +2.41.0 + diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch new file mode 100644 index 0000000000..591af76449 --- /dev/null +++ b/gnu/packages/patches/nss-disable-shlibsign.patch 
@@ -0,0 +1,33 @@ +From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001 +Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org> +From: Christina O'Donnell +Date: Wed, 1 May 2024 19:44:09 +0100 +Subject: [PATCH] nss: Disable shlibsign. + +This is required as it generates a new key each time it is run through a +non-deterministic process. +--- + nss/cmd/shlibsign/sign.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh +index 5551c5f..baf1dea 100644 +--- a/nss/cmd/shlibsign/sign.sh ++++ b/nss/cmd/shlibsign/sign.sh +@@ -45,7 +45,9 @@ WIN*) + export LIBRARY_PATH + ADDON_PATH=${1}/lib:${4}:$ADDON_PATH + export ADDON_PATH +- echo "${2}"/shlibsign -v -i "${5}" +- "${2}"/shlibsign -v -i "${5}" ++ # Disable lib signing as it generates its keys through a non-deterministic ++ # process. ++ # echo "${2}"/shlibsign -v -i "${5}" ++ # "${2}"/shlibsign -v -i "${5}" + ;; + esac + +base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b +-- +2.41.0 + -- 2.41.0
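Review bot: the two patch files added to the search-patches list in the gnu/packages/nss.scm hunk are not registered in gnu/local.mk; the diffstat shows only gnu/packages/nss.scm and the two new files under gnu/packages/patches/ being touched. Guix requires every file in gnu/packages/patches/ to be listed in dist_patch_DATA in gnu/local.mk so that it ships with the distribution, so please add both `gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch` and `gnu/packages/patches/nss-disable-shlibsign.patch` there in the same commit.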
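Review bot: the nss/coreconf/config.mk hunk is the line that actually removes FIPS mode from the built softoken (`DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED`), yet the commit message presents it only as a reproducibility fix ("Disable FIPS as it depends on shlibsign"). Users of the Guix nss package lose the ability to switch NSS into FIPS mode, which is a behavioural change they should be able to find; please state it explicitly in the package commit message, and consider a sentence in the package description. Placing the define inside `ifndef NSS_FORCE_FIPS` is the right choice, since a build that forces FIPS must not see it.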
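Review bot: in the nss/cmd/shlibsign/sign.sh hunk the two original command lines are commented out rather than deleted, which leaves dead code behind the new explanatory comment; removing `echo "${2}"/shlibsign -v -i "${5}"` and `"${2}"/shlibsign -v -i "${5}"` outright and keeping the two-line comment is cleaner. The hunk also disables signing unconditionally, while the companion config.mk patch only adds -DNSS_FIPS_DISABLED when NSS_FORCE_FIPS is unset, so a build with NSS_FORCE_FIPS set would produce FIPS-enabled libraries without the signature files shlibsign generates; either guard the skip on the same condition or document in the patch description that NSS_FORCE_FIPS is not supported once this patch is applied.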