From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#40316: [PATCH v3 5/5] gnu: nss: Make reproducible.
Resent-From: Christina O'Donnell
Resent-Date: Thu, 02 May 2024 12:35:01 +0000
To: 40316@debbugs.gnu.org
Cc: Christina O'Donnell, zhengjunjie@iscas.ac.cn, vagrant@reproducible-builds.org, steve@futurile.net
From: Christina O'Donnell Date: Thu, 2 May 2024 13:33:40 +0100 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -4.89 X-Spam-Score: -4.89 X-Migadu-Queue-Id: 8790150E55 X-Migadu-Scanner: mx13.migadu.com X-TUID: bHWKykf+liOY gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is required because FIPS relies on libraries signed with shlibsign, which is inherently non-determinstic. This removes all non-determinism from this package. Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227 Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5 Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1 --- gnu/packages/nss.scm | 6 +++- .../nss-define-NSS_FIPS_DISABLED.patch | 29 ++++++++++++++++ .../patches/nss-disable-shlibsign.patch | 33 +++++++++++++++++++ 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 6795e59d28..404baaf550 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -124,7 +124,9 @@ (define-public nss ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" - "nss-increase-test-timeout.patch")) + "nss-increase-test-timeout.patch" + "nss-disable-shlibsign.patch" + "nss-define-NSS_FIPS_DISABLED.patch")) (modules '((guix build utils))) (snippet '(begin 
@@ -202,6 +204,8 @@ (define-public nss (setenv "DOMSUF" "localdomain") (setenv "USE_IP" "TRUE") (setenv "IP_ADDRESS" "127.0.0.1") + (setenv "NSS_CYCLES" "standard") + (setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy") ;; The "PayPalEE.cert" certificate expires every six months, ;; leading to test failures: diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch new file mode 100644 index 0000000000..40ac66e365 --- /dev/null +++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch @@ -0,0 +1,29 @@ +From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001 +Message-ID: +From: Christina O'Donnell +Date: Thu, 2 May 2024 12:34:40 +0100 +Subject: [PATCH] Define NSS_FIPS_DISABLED. + +Disable FIPS as it depends on shlibsign which is non-deterministic. +--- + nss/coreconf/config.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk +index 741bbee..e02e5d2 100644 +--- a/nss/coreconf/config.mk ++++ b/nss/coreconf/config.mk +@@ -215,7 +215,7 @@ endif + # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support + # executing the startup tests at library load time. + ifndef NSS_FORCE_FIPS +-DEFINES += -DNSS_NO_INIT_SUPPORT ++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED + endif + + ifdef NSS_SEED_ONLY_DEV_URANDOM + +base-commit: 490a62da7d23b579fab71a84e2107f414187738d +-- +2.41.0 + diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch b/gnu/packages/patches/nss-disable-shlibsign.patch new file mode 100644 index 0000000000..591af76449 --- /dev/null +++ b/gnu/packages/patches/nss-disable-shlibsign.patch 
@@ -0,0 +1,33 @@ +From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001 +Message-ID: <85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org> +From: Christina O'Donnell +Date: Wed, 1 May 2024 19:44:09 +0100 +Subject: [PATCH] nss: Disable shlibsign. + +This is required as it generates a new key each time it is run through a +non-deterministic process. +--- + nss/cmd/shlibsign/sign.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh +index 5551c5f..baf1dea 100644 +--- a/nss/cmd/shlibsign/sign.sh ++++ b/nss/cmd/shlibsign/sign.sh +@@ -45,7 +45,9 @@ WIN*) + export LIBRARY_PATH + ADDON_PATH=${1}/lib:${4}:$ADDON_PATH + export ADDON_PATH +- echo "${2}"/shlibsign -v -i "${5}" +- "${2}"/shlibsign -v -i "${5}" ++ # Disable lib signing as it generates its keys through a non-deterministic ++ # process. ++ # echo "${2}"/shlibsign -v -i "${5}" ++ # "${2}"/shlibsign -v -i "${5}" + ;; + esac + +base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b +-- +2.41.0 + -- 2.41.0
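Review bot: in the first nss.scm hunk the two new patch files are added to `search-patches`, but the diffstat lists only nss.scm and the two new files, so gnu/local.mk is not touched; the Guix convention is that every file under gnu/packages/patches is also listed in `dist_patch_DATA` there, otherwise the patches are missing from the distribution tarball. The commit message also covers only the NSS_FIPS_DISABLED define while the series additionally disables shlibsign and narrows the test set, and it carries four Change-Id trailers, which looks like a squash leftover: keep one Change-Id, describe all three changes, and fix the typo "non-determinstic".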
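Review bot: in the second nss.scm hunk nothing explains why `NSS_CYCLES` is pinned to `standard` and `NSS_TESTS` is enumerated; the enumerated list contains no `fips` entry, which is presumably the point, since the FIPS tests depend on the shlibsign-signed libraries this series stops producing. Put that rationale in a `;;` comment above the two `setenv` calls, the way the file already documents the PayPalEE.cert workaround, and repeat it in the commit message. The `NSS_TESTS` string also runs far past 80 columns; something like `(string-join (list "cipher" "lowhash" ...))` keeps it within Guix's line-length convention.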
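Review bot: in the config.mk hunk `-DNSS_FIPS_DISABLED` is added inside `ifndef NSS_FORCE_FIPS`, so a build with `NSS_FORCE_FIPS` set still compiles FIPS mode in, yet the companion patch in this series removes the shlibsign step, leaving such a build with FIPS mode and no signature files to check the library against. Either state in the patch description that `NSS_FORCE_FIPS` builds are unsupported with this series, or add the define unconditionally so the two patches cannot drift apart. The description should also spell out what consumers of this package lose: the softoken's FIPS mode, and with it the shlibsign-based library integrity check the commit message says FIPS relies on.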
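Review bot: in the sign.sh hunk the header context `WIN*)` shows this sits inside a per-platform `case`, and the diffstat records only this 4+/2- change, so confirm that no other branch of the `case` still invokes shlibsign, otherwise the build stays non-reproducible on those platforms. Leaving the two invocations commented out produces a branch whose body is only `;;`; delete the dead lines instead, keeping the explanatory comment. Because this removes the generated `.chk` signature files, the change is only safe together with the NSS_FIPS_DISABLED patch, so the patch description should say that the two must be applied together.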