From: Leo Famulari
Subject: [bug#52690] Remove direct dependencies on the nss-certs certificate store
Date: Mon, 20 Dec 2021 19:36:31 -0500

Three packages depend directly on nss-certs: ldns, pypy3, and icedtea6.

This is a problem because certificates expire. When that happens, the
features of these programs that use X.509 certificates will stop
working.

Instead, packages should look up certificates at run-time in unversioned
and well-known locations such as /etc/ssl/certs or via environment
variables like $SSL_CERT_DIR.

I'll send a patch removing the dependency from ldns.

pypy3 does not build anyways because its runpath cannot be successfully
validated, but I will investigate anyways after disabling the runpath
validator.

Icedtea6 is a very complex package. I assume it depends on the
certificates directly for a good reason, but I would still appreciate
some feedback on it.

From: Leo Famulari
Subject: [bug#52690] [PATCH] gnu: ldns: Do not depend directly on nss-certs.
Date: Mon, 20 Dec 2021 19:37:41 -0500

If ldns depends on a particular version of nss-certs, the features that
use the certificates will eventually stop working as the certificates
expire. Instead, the certificates should be found at run-time.

* gnu/packages/dns.scm (ldns)[inputs]: Remove nss-certs.
[arguments]: Adjust the value of "--with-ca-path" in #:configure-flags.
---
 gnu/packages/dns.scm | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm index 5c5f95537b..269d312487 100644 --- a/gnu/packages/dns.scm +++ b/gnu/packages/dns.scm
@@ -40,7 +40,6 @@ (define-module (gnu packages dns) #:use-module (gnu packages autotools) #:use-module (gnu packages base) #:use-module (gnu packages bash) - #:use-module (gnu packages certs) #:use-module (gnu packages check) #:use-module (gnu packages curl) #:use-module (gnu packages databases) @@ -178,9 +177,7 @@ (define-public ldns ;; "--with-p5-dns-ldns" (string-append "--with-ssl=" (assoc-ref %build-inputs "openssl")) - (string-append "--with-ca-path=" - (assoc-ref %build-inputs "nss-certs") - "/etc/ssl/certs")) + (string-append "--with-ca-path=/etc/ssl/certs")) #:make-flags (list (string-append "drillbindir=" 
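Review bot: In the second hunk (ldns #:configure-flags), the new (string-append "--with-ca-path=/etc/ssl/certs") calls string-append on a single literal, so the wrapper no longer does anything; the plain string "--with-ca-path=/etc/ssl/certs" is enough. Because the flag now deliberately points outside the store, a short comment beside it saying that the path is unversioned so that certificates are found at run time would keep a later cleanup from turning it back into a store reference.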
@@ -210,7 +207,7 @@ (define-public ldns ("python" ,python-wrapper) ("swig" ,swig))) (inputs - (list libpcap nss-certs openssl)) + (list libpcap openssl)) (synopsis "DNS library that facilitates DNS tool programming") (description "LDNS aims to simplify DNS programming, it supports recent RFCs like the DNSSEC documents, and allows developers to easily create
-- 2.34.0

From: Leo Famulari
Subject: [bug#52690] [PATCH] gnu: pypy3: Prohibit references to nss-certs.
Date: Mon, 20 Dec 2021 21:48:19 -0500

Built packages should not refer to nss-certs, to prevent errant
hard-coding of a certificate store version.

* gnu/packages/python.scm (pypy3)[arguments]: Add nss-certs to
#:disallowed-references.
---
 gnu/packages/python.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index f0d2fd6eb8..23f188c6f9 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm
@@ -780,6 +780,7 @@ (define-public pypy3 `(#:tests? #f ;FIXME: 43 out of 364 tests are failing #:modules ((ice-9 ftw) (ice-9 match) (guix build utils) (guix build gnu-build-system)) + #:disallowed-references (,nss-certs) #:phases (modify-phases %standard-phases (delete 'configure) (add-after 'unpack 'patch-source
-- 2.34.0
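Review bot: The added #:disallowed-references (,nss-certs) line in pypy3 is an untested guard as submitted: the one-line patch changes nothing in the inputs or in the phase that uses the certificates, and the cover letter says pypy3 does not currently build, so the check has not yet run against a finished output. Please say in the commit message how the absence of a reference was verified, and put a one-line comment above the keyword explaining why nss-certs is banned, since the reason is not visible from the surrounding arguments.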

From: Mathieu Othacehe
Subject: [bug#52690] Remove direct dependencies on the nss-certs certificate store
Date: Sun, 26 Dec 2021 18:37:52 +0100

Hello Leo,

> I'll send a patch removing the dependency from ldns.
>
> pypy3 does not build anyways because its runpath cannot be successfully
> validated, but I will investigate anyways after disabling the runpath
> validator.

The ldns and pypy3 patches make sense to me.

Thanks,

Mathieu

From: Leo Famulari
Subject: [bug#52690] [PATCH] gnu: IcedTea: Prohibit references to nss-certs.
Date: Sun, 26 Dec 2021 16:32:33 -0500

I checked, and neither of these packages keep references to nss-certs.
So, although this change will cause rebuilds, it shouldn't cause any
functional changes. However, my understanding is that the IcedTea
packages actually copy the NSS certificate store, so there wouldn't be a
reference anyways, but we would have the problem of "software that
expires".

Built packages should not refer to nss-certs, to prevent errant
hard-coding of a certificate store version.

* gnu/packages/java.scm (icedtea-7, icedtea-8)[arguments]: Add nss-certs
to #:disallowed-references.
---
 gnu/packages/java.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index 0a757b2391..91a16bb53d 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm
@@ -812,6 +812,8 @@ (define-public icedtea-7 ;; gremlin) doesn't support it yet, so skip this phase. #:validate-runpath? #f + #:disallowed-references (,nss-certs) + #:modules ((guix build utils) (guix build gnu-build-system) (ice-9 match)
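Review bot: The new #:disallowed-references (,nss-certs) in icedtea-7 has no comment, unlike the #:validate-runpath? #f directly above it, and the reason for the ban cannot be read off the code. The cover text of this patch says IcedTea copies the certificate store rather than referring to it, which this keyword does not detect; a short comment stating what the check guards against and what it does not would record that for the next reader.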
@@ -1376,7 +1378,8 @@ (define-public icedtea-8 (guix build syscalls) ,@%gnu-build-system-modules) - #:disallowed-references ,(list (gexp-input icedtea-7 "jdk")) + #:disallowed-references ,(list (gexp-input icedtea-7 "jdk") + nss-certs) ,@(substitute-keyword-arguments (package-arguments icedtea-7) ((#:modules modules)
-- 2.34.0
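Review bot: With the icedtea-7 hunk applied, (package-arguments icedtea-7) itself carries #:disallowed-references, and icedtea-8 splices those arguments in immediately after its own #:disallowed-references, so the keyword ends up in the argument list twice. Please check which occurrence takes effect; if it is the inherited one, the (gexp-input icedtea-7 "jdk") entry is silently dropped. Handling #:disallowed-references inside the substitute-keyword-arguments form, so that the inherited value is extended there, would remove the ambiguity.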

From: Leo Famulari
Subject: [bug#52690] Remove direct dependencies on the nss-certs certificate store
Date: Sun, 26 Dec 2021 15:55:19 -0500

On Sun, Dec 26, 2021 at 06:37:52PM +0100, Mathieu Othacehe wrote:
>
> Hello Leo,
>
> > I'll send a patch removing the dependency from ldns.
> >
> > pypy3 does not build anyways because its runpath cannot be successfully
> > validated, but I will investigate anyways after disabling the runpath
> > validator.
>
> The ldns and pypy3 patches make sense to me.

Thanks, pushed.
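
An added example, not code from this thread or from Guix: a scan in the spirit of #:disallowed-references that looks through a build output for embedded store paths of a banned package, next to the run-time lookup the cover letter asks for. The store path layout, the placeholder hash and version, and the file name libexample.so are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Assumption: store items look like /gnu/store/<32-char hash>-<name>-<version>.
STORE_ITEM = re.compile(rb"/gnu/store/[0-9a-z]{32}-([A-Za-z0-9.+_-]+)")

# Constructed placeholder, not a real store item or a real nss-certs version.
CONSTRUCTED_PINNED = b"/gnu/store/0123456789abcdfghijklmnpqrsvwxyz-nss-certs-0.0"


def find_pinned_refs(root, banned=("nss-certs",)):
    """Return sorted (relative path, store item) pairs for every file under
    root that embeds a store path whose package name starts with a banned name."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                # The target of a file symlink is a reference as well.
                data = os.fsencode(os.readlink(path))
            else:
                with open(path, "rb") as fh:
                    data = fh.read()
            for match in STORE_ITEM.finditer(data):
                if match.group(1).decode().startswith(tuple(banned)):
                    rel = os.path.relpath(path, root)
                    hits.add((rel, match.group(0).decode()))
    return sorted(hits)


def runtime_ca_dir(environ):
    """Run-time lookup described in the thread: $SSL_CERT_DIR if set,
    otherwise the unversioned, well-known directory."""
    return environ.get("SSL_CERT_DIR") or "/etc/ssl/certs"


def scan_constructed_samples():
    """Build two constructed outputs and scan both.

    'pinned' mimics a library configured with a store path in its CA path;
    'runtime' mimics the same library configured with /etc/ssl/certs.
    Returns (hits in pinned, hits in runtime).
    """
    with tempfile.TemporaryDirectory() as tmp:
        pinned = os.path.join(tmp, "pinned")
        runtime = os.path.join(tmp, "runtime")
        for out in (pinned, runtime):
            os.makedirs(os.path.join(out, "lib"))
        with open(os.path.join(pinned, "lib", "libexample.so"), "wb") as fh:
            fh.write(b"\x7fELF\x00" + CONSTRUCTED_PINNED + b"/etc/ssl/certs\x00")
        with open(os.path.join(runtime, "lib", "libexample.so"), "wb") as fh:
            fh.write(b"\x7fELF\x00/etc/ssl/certs\x00")
        return find_pinned_refs(pinned), find_pinned_refs(runtime)


if __name__ == "__main__":
    pinned_hits, runtime_hits = scan_constructed_samples()
    for rel, item in pinned_hits:
        print(f"pinned certificate store in {rel}: {item}")
    print(f"hits in run-time build: {len(runtime_hits)}")
    print("CA directory at run time:", runtime_ca_dir(os.environ))
```

A certificate bundle that was copied into the output carries no store path, so a scan like this does not flag the IcedTea case raised in the thread.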