GNU bug report logs - #33253
nss cannot build

Previous Next

Package: guix;

Reported by: Gnu Röoty <walidslack <at> gmail.com>

Date: Sun, 4 Nov 2018 09:54:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Gnu Röoty <walidslack <at> gmail.com>
Subject: bug#33253: closed (Re: bug#33253: nss cannot build)
Date: Sat, 03 Apr 2021 04:45:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#33253: nss cannot build

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 33253 <at> debbugs.gnu.org.

-- 
33253: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33253
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
Cc: 33253-done <at> debbugs.gnu.org,
 Gnu Röoty <walidslack <at> gmail.com>
Subject: Re: bug#33253: nss cannot build
Date: Sat, 03 Apr 2021 00:44:11 -0400

Hi,

Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> writes:

> On Sun, 4 Nov 2018 09:52:44 +0000
> Gnu Röoty <walidslack <at> gmail.com> wrote:
>
>> HI from 2 days I build the installation of guixSD to
>> berlin.guixsd.org and nss-3.36.6 cant build.
>
> This was also reported on guix-help by Brian Woodcox.
>
> Here is some analysis I reported to that thread:
>
> This package does not build reproducibly. At least in the long term:
> There are tests that check certificates on temporal validity and that
> depends on the system time.
>
> I can reproduce your result with the 3.39 version. It looks like one
> certificate is expired. All 6 failing tests look about like this one:
>
>
> s -d AllDB -pp       - PASSED
> chains.sh: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp      
> -o OID.2.16.840.1.114412.1.1 
> vfychain -d AllDB -pp -vv      -o OID.2.16.840.1.114412.1.1  /tmp/guix-build-nss
> -3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert 
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. PayPalEE :
>   ERROR -8181: Peer's Certificate has expired.
> Returned value is 1, expected result is pass
> chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert
> with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
>
>
> I don't know how to check the expiration date of PayPalEE.cert.
>
> It looks like upstream has not yet worked on it, as the file was lastly
> modified two years ago:
>
> https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
>
> Cmp also this bug that demands non-expiration certificates:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
>
> Building 3.40 does not work with just updating version/hashsum.
>
> A quick solution would be to build nss from a Guix git-checkout and
> disable tests. But it has many dependencies, so you more or less rebuild the world.
>
>
> Björn

Since at least Thu Apr 4 15:14:57 2019 +0200, the test dealing with the
problematic PayPalEE.cert certificate is now done after faking the time
to a date around the release date with the 'faketime' utility.

As nss builds fine currently, I'm marking this bug as done.

Thanks for the report!

Maxim


[Message part 3 (message/rfc822, inline)]
From: Gnu Röoty <walidslack <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: nss cannot build
Date: Sun, 4 Nov 2018 09:52:44 +0000

[Message part 4 (text/plain, inline)]
HI from 2 days I build the installation of guixSD to berlin.guixsd.org and
nss-3.36.6 cant build.

[Message part 5 (text/html, inline)]
This bug report was last modified 4 years and 134 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.