GNU bug report logs - #70663
nss@3.99 is really hard to build


Package: guix

Reported by: Christopher Baines <mail <at> cbaines.net>

Date: Tue, 30 Apr 2024 09:18:01 UTC

Severity: normal

Merged with 70771

Done: Marcel van der Boom <marcel <at> hsdev.com>



From: Christopher Baines <mail <at> cbaines.net>
To: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
Cc: 70663 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ian Eure <ian <at> retrospec.tv>
Subject: bug#70663: nss <at> 3.99 is really hard to build
Date: Tue, 14 May 2024 14:37:35 +0100
"pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de> writes:

> Hello Christopher.
>
> Christopher Baines <mail <at> cbaines.net> writes:
>> Had the changes waited for longer, then these failures should have been
>> spotted by QA, I would guess that the revision might have failed to be
>> processed, and if it was processed successfully, the nss failures should
>> have shown up, so maybe we should start requiring [5] that not only are
>> changes sent to guix-patches <at> gnu.org, but that QA processes them (to
>> some extent) before merging?
>>
>> 5: https://guix.gnu.org/manual/devel/en/html_node/Managing-Patches-and-Branches.html#
>
> Yes, though note that the nss change did provide security fixes:
>
> commit e584ff08b162c46ef587daca438e97d56bc20b32
> Author: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
> Date:   Wed Apr 24 11:22:30 2024 -0400
>
>     gnu: nss: Graft with version 3.98 [security fixes].
>
>     This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.
>
>     * gnu/packages/nss.scm (nss) [replacement]: New field.
>     (nss-3.98): Rename variable to...
>     (nss/fixed): ... this.  Make it a hidden package.
>     * gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
>     nss/fixed.
>
>     Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
>
> I suppose the requirement to wait for QA should apply to security fixes
> as well?

Well, there's a risk in not testing things across multiple
machines/architectures at least. The value of getting a security fix
merged quickly is reduced if users on some architectures/systems can't
use it.

There's always going to be trade-offs, and that's fine, but the question
is more what can be done to try and improve things for the future.
