GNU bug report logs - #33253
nss cannot build

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#33253: closed (nss cannot build)
Date: Sat, 03 Apr 2021 04:45:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Sat, 03 Apr 2021 00:44:11 -0400
with message-id <87eefsq8o4.fsf <at> gmail.com>
and subject line Re: bug#33253: nss cannot build
has caused the debbugs.gnu.org bug report #33253,
regarding nss cannot build
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
33253: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33253
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Gnu Röoty <walidslack <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: nss cannot build
Date: Sun, 4 Nov 2018 09:52:44 +0000

[Message part 3 (text/plain, inline)]

HI from 2 days I build the installation of guixSD to berlin.guixsd.org and
nss-3.36.6 cant build.

[Message part 4 (text/html, inline)]

[Message part 5 (message/rfc822, inline)]

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
Cc: 33253-done <at> debbugs.gnu.org,
 Gnu Röoty <walidslack <at> gmail.com>
Subject: Re: bug#33253: nss cannot build
Date: Sat, 03 Apr 2021 00:44:11 -0400

Hi,

Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> writes:

> On Sun, 4 Nov 2018 09:52:44 +0000
> Gnu Röoty <walidslack <at> gmail.com> wrote:
>
>> HI from 2 days I build the installation of guixSD to
>> berlin.guixsd.org and nss-3.36.6 cant build.
>
> This was also reported on guix-help by Brian Woodcox.
>
> Here is some analysis I reported to that thread:
>
> This package does not build reproducibly. At least in the long term:
> There are tests that check certificates on temporal validity and that
> depends on the system time.
>
> I can reproduce your result with the 3.39 version. It looks like one
> certificate is expired. All 6 failing tests look about like this one:
>
>
> s -d AllDB -pp       - PASSED
> chains.sh: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp      
> -o OID.2.16.840.1.114412.1.1 
> vfychain -d AllDB -pp -vv      -o OID.2.16.840.1.114412.1.1  /tmp/guix-build-nss
> -3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert 
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. PayPalEE :
>   ERROR -8181: Peer's Certificate has expired.
> Returned value is 1, expected result is pass
> chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert
> with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
>
>
> I don't know how to check the expiration date of PayPalEE.cert.
>
> It looks like upstream has not yet worked on it, as the file was lastly
> modified two years ago:
>
> https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
>
> Cmp also this bug that demands non-expiration certificates:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
>
> Building 3.40 does not work with just updating version/hashsum.
>
> A quick solution would be to build nss from a Guix git-checkout and
> disable tests. But it has many dependencies, so you more or less rebuild the world.
>
>
> Björn

Since at least Thu Apr 4 15:14:57 2019 +0200, the test dealing with the
problematic PayPalEE.cert certificate is now done after faking the time
to a date around the release date with the 'faketime' utility.

As nss builds fine currently, I'm marking this bug as done.

Thanks for the report!

Maxim

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.