GNU bug report logs - #33253
nss cannot build

Previous Next

Package: guix;

Reported by: Gnu Röoty <walidslack <at> gmail.com>

Date: Sun, 4 Nov 2018 09:54:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #16 received at 33253-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
Cc: 33253-done <at> debbugs.gnu.org,
 Gnu Röoty <walidslack <at> gmail.com>
Subject: Re: bug#33253: nss cannot build
Date: Sat, 03 Apr 2021 00:44:11 -0400

Hi,

Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> writes:

> On Sun, 4 Nov 2018 09:52:44 +0000
> Gnu Röoty <walidslack <at> gmail.com> wrote:
>
>> HI from 2 days I build the installation of guixSD to
>> berlin.guixsd.org and nss-3.36.6 cant build.
>
> This was also reported on guix-help by Brian Woodcox.
>
> Here is some analysis I reported to that thread:
>
> This package does not build reproducibly. At least in the long term:
> There are tests that check certificates on temporal validity and that
> depends on the system time.
>
> I can reproduce your result with the 3.39 version. It looks like one
> certificate is expired. All 6 failing tests look about like this one:
>
>
> s -d AllDB -pp       - PASSED
> chains.sh: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp      
> -o OID.2.16.840.1.114412.1.1 
> vfychain -d AllDB -pp -vv      -o OID.2.16.840.1.114412.1.1  /tmp/guix-build-nss
> -3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert 
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. PayPalEE :
>   ERROR -8181: Peer's Certificate has expired.
> Returned value is 1, expected result is pass
> chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert
> with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
>
>
> I don't know how to check the expiration date of PayPalEE.cert.
>
> It looks like upstream has not yet worked on it, as the file was lastly
> modified two years ago:
>
> https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
>
> Cmp also this bug that demands non-expiration certificates:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
>
> Building 3.40 does not work with just updating version/hashsum.
>
> A quick solution would be to build nss from a Guix git-checkout and
> disable tests. But it has many dependencies, so you more or less rebuild the world.
>
>
> Björn

Since at least Thu Apr 4 15:14:57 2019 +0200, the test dealing with the
problematic PayPalEE.cert certificate is now done after faking the time
to a date around the release date with the 'faketime' utility.

As nss builds fine currently, I'm marking this bug as done.

Thanks for the report!

Maxim
This bug report was last modified 4 years and 134 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.