From unknown Sun Jun 22 08:00:15 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems Resent-From: Christopher Baines Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 13 May 2024 21:39:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 70926 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 70926@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.17156363315538 (code B ref -1); Mon, 13 May 2024 21:39:01 +0000 Received: (at submit) by debbugs.gnu.org; 13 May 2024 21:38:51 +0000 Received: from localhost ([127.0.0.1]:35114 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s6dNj-0001RG-3C for submit@debbugs.gnu.org; Mon, 13 May 2024 17:38:51 -0400 Received: from lists.gnu.org ([209.51.188.17]:60224) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s6dNg-0001RA-Bz for submit@debbugs.gnu.org; Mon, 13 May 2024 17:38:49 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s6dNU-0003UJ-PP for bug-guix@gnu.org; Mon, 13 May 2024 17:38:40 -0400 Received: from mira.cbaines.net ([2a01:7e00:e000:2f8:fd4d:b5c7:13fb:3d27]) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1s6dNT-0001lw-EB for bug-guix@gnu.org; Mon, 13 May 2024 17:38:36 -0400 Received: from localhost (unknown [45.67.83.168]) by mira.cbaines.net (Postfix) with ESMTPSA id 338FD27BBE2 for ; Mon, 13 May 2024 22:38:33 +0100 (BST) Received: from felis (localhost [127.0.0.1]) by localhost (OpenSMTPD) with ESMTP id 20e8d498 for ; Mon, 13 May 2024 21:38:31 +0000 (UTC) From: Christopher Baines User-Agent: mu4e 1.12.2; emacs 29.3 Date: Mon, 13 May 2024 22:38:29 +0100 Message-ID: <87wmnxz92i.fsf@cbaines.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=2a01:7e00:e000:2f8:fd4d:b5c7:13fb:3d27; envelope-from=mail@cbaines.net; helo=mira.cbaines.net X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) --=-=-= Content-Type: text/plain I've seen this when updating systems, but it seems like something is wrong with the handling of nss-certs. I'm on a guix revision with nss-certs by default, and when I add nss-certs to my system packages (to simulate not removing it when upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/ doesn't work). My reading of the operating-system-packages code suggests that adding nss-certs shouldn't have any effect, but this doesn't seem to be working. --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmZCiFVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh aW5lcy5uZXQACgkQXiijOwuE9XemTA//a8rXXqiiYMHplH1+Ky4Yf/MkEbCCRITj 7DsRwLvSuPRWhMkDcaUHYii/XCIMlaZp0L60upR0rKywCA86iQCryB59H2Sv+/5J W4apMNJWvNDfvBDqY5Q586xrQkBnf6lftPN2Vv4seoZ0JbCJ4ar1ZPHydKMmmzYL kfX/K1ro7kY9Rg5pMkbxf/C+3iagGy3LglcTUUE5yEhMIWc6V9tGW/L/0kVOTpZj 4++yvye+7UIcu195j2MqyWZFC5h5VHfHbuZL5TDntV/NCs2v5JNtzb9T7XuGSP2o 8BxWqsV76iBPgt0F1mgtLezAcW9EgjGVLylg2r+3EL+YxFGRpR0AWpwaWmFpKRND hNjZKrsqqMVYH97G6k/wYuW3orruhR/R9zD1Gjf6zpUwkmcLzPaSrsRgZyYh/Fd7 mkytu5NTNVgJ1KnKfT5d18ThJO+iYyJhQ13yB9xJuKRNY71rAkMdYQMYDO61NEOT H2KcTiSc56/bL0zZjXtN0QmiVN2SGrScEwjdyraqqX17i4rafV0GWxtNZNNPgxPr VfsyNYgpnjly9b44abd0lPezS6ZZyXYpIFK8ne0m/OeOpClCcZhSpoB7+0hbQ7jP NI0kfK8y16A4fwKxdReqUaDaDdRsZRhvfUqkiqENYNZAyAlxvn7ItrlxBlZKcoob cq0qLA+WYvg= =mSgS -----END PGP SIGNATURE----- --=-=-=-- From unknown Sun Jun 22 08:00:15 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems Resent-From: Liliana Marie Prikler Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 14 May 2024 05:46:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70926 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Christopher Baines , 70926@debbugs.gnu.org Received: via spool by 70926-submit@debbugs.gnu.org id=B70926.171566554430947 (code B ref 70926); Tue, 14 May 2024 05:46:02 +0000 Received: (at 70926) by debbugs.gnu.org; 14 May 2024 05:45:44 +0000 Received: from localhost ([127.0.0.1]:37137 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s6kyu-000835-2R for submit@debbugs.gnu.org; Tue, 14 May 2024 01:45:44 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:52660) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s6kyr-00082x-AO for 70926@debbugs.gnu.org; Tue, 14 May 2024 01:45:43 -0400 Received: by mail-lf1-f66.google.com with SMTP id 2adb3069b0e04-51f1b378ca5so8921678e87.1 for <70926@debbugs.gnu.org>; Mon, 13 May 2024 22:45:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715665474; x=1716270274; darn=debbugs.gnu.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date :message-id:reply-to; bh=p4a3lkQ5WOPkyXwGAV4dElK/Aohyr2ownYhLH/v0FQ8=; b=NlIswNWGDE94enEOZuGQjsGsLjePfC2LUcBHNcH13bQvRCB/xbe8A9ntCJ9txA3zKq X+Ir37QVWS1CWzYum5yFTeWMpUhT1lSeII3GCfjUyutEoa/gqL9sMKLi2rGy/pM70HrL hgmKfrzRPk7oQjXmapxjRRw3rmEk7jvRqBmB1/Xv+jw8RntUIk60MAVeC25Jy5VTTnR/ Lm836mfd1UDCqB3hny1U7CUJ12IIi/58dtkWNoCh2oXQKd49pyFc5KwxqY7a1dOiDM0x 3Kfxjs+RZgCl7W4+0/WIM6ZyhSlnQQ3RacVMZ46xnbw3znx1kppo/EmDw5HTJrWYV927 Uocg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715665474; x=1716270274; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=p4a3lkQ5WOPkyXwGAV4dElK/Aohyr2ownYhLH/v0FQ8=; b=N6k+DH+2lrmADFGv1QboTGLr4BwqXoySFdnpJ8LybYwlqMZstSwwm2xfYen+U3PIK5 ZBxXwbClr2vv+QJIqLyS2oOqKn8wLpKToka7bSDvGwVxHUGOH2gmekgav2W0OOQFIdjJ M+gnwQEdd/FeE6FtumjpXMPPsn9IOb3u2B1/986uG2npANRgA7su1AIR6WHsn3iLzLKK owRME+ysH+59+2mLonRwmfXTw4KPlgxPv1Uhn3wIVZEL9+ZyoR4ngGhnu8KfeA0ZGi+D EloAp6xURky7tVMHK84nlSTyDpW7IU9vZhbg7CLmnbi4vCscL6Ye8QCMG/viKNjPJBs3 krAA== X-Forwarded-Encrypted: i=1; AJvYcCUZR7wHAM5HOGWxEi8gHLNVSFXsxDAKGNU30yQlIyOozy5NTW9qcoSfjCokvgosOAfQgkniRSDm4i9TeYkRbC6fnj7mKWQ= X-Gm-Message-State: AOJu0Ywsum9idsbzKNtFxsb0Zolewm/jKPzRXYQRcm1aFNE9xxxTd7y2 O73FCTHXTjOeAq9TelIc5OEDmuksogy0kFI160YGB25Nx9C1exV5 X-Google-Smtp-Source: AGHT+IF1kWEhnVwXbYaewpNhYoXMdsb21+Xj+dx3uEyCsKqLSjfclVJpO64LVOt1X/s1tsbnpDoC1g== X-Received: by 2002:a05:6512:3f20:b0:51d:4383:9e59 with SMTP id 2adb3069b0e04-5220f86c902mr8957727e87.0.1715665471983; Mon, 13 May 2024 22:44:31 -0700 (PDT) Received: from lumine.fritz.box (85-127-52-93.dsl.dynamic.surfer.at. [85.127.52.93]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a5a17b01a2esm677749166b.185.2024.05.13.22.44.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 May 2024 22:44:31 -0700 (PDT) Message-ID: From: Liliana Marie Prikler Date: Tue, 14 May 2024 07:44:30 +0200 In-Reply-To: <87wmnxz92i.fsf@cbaines.net> References: <87wmnxz92i.fsf@cbaines.net> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.48.4 MIME-Version: 1.0 X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Am Montag, dem 13.05.2024 um 22:38 +0100 schrieb Christopher Baines: > I've seen this when updating systems, but it seems like something is > wrong with the handling of nss-certs. >=20 > I'm on a guix revision with nss-certs by default, and when I add > nss-certs to my system packages (to simulate not removing it when > upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/ > doesn't work). I can confirm this on three machines (two of my own, one from a relative): Having nss-certs in the packages field unexpectedly breaks all known certificates. > My reading of the operating-system-packages code suggests that adding > nss-certs shouldn't have any effect, but this doesn't seem to be > working. It would be really nice to detect the mismatching versions if it's based on that. IIUC we graft nss-certs now, so that we can hot-swap stuff like pythons certifi package. Is this use case broken by any chance? Cheers From unknown Sun Jun 22 08:00:15 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Christopher Baines Subject: bug#70926: closed (Re: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems) Message-ID: References: <87r0e2wjb0.fsf@gmail.com> <87wmnxz92i.fsf@cbaines.net> X-Gnu-PR-Message: they-closed 70926 X-Gnu-PR-Package: guix Reply-To: 70926@debbugs.gnu.org Date: Thu, 16 May 2024 03:04:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1715828642-14895-1" This is a multi-part message in MIME format... ------------=_1715828642-14895-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #70926: Having default nss-certs plus nss-certs in operating-system package= s causes problems which was filed against the guix package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 70926@debbugs.gnu.org. --=20 70926: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D70926 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1715828642-14895-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 70926-done) by debbugs.gnu.org; 16 May 2024 03:03:40 +0000 Received: from localhost ([127.0.0.1]:45968 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s7RP9-0003s1-Vq for submit@debbugs.gnu.org; Wed, 15 May 2024 23:03:40 -0400 Received: from mail-qk1-f175.google.com ([209.85.222.175]:42434) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s7RP8-0003rr-5t for 70926-done@debbugs.gnu.org; Wed, 15 May 2024 23:03:38 -0400 Received: by mail-qk1-f175.google.com with SMTP id af79cd13be357-792bdf626beso695136985a.1 for <70926-done@debbugs.gnu.org>; Wed, 15 May 2024 20:03:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715828549; x=1716433349; darn=debbugs.gnu.org; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to; bh=FVWWHFcJeyIg7j3kBgJMas8lNsU1M2VbXmarq+qPlTA=; b=hgBfugY3mdcTiwprmtD0YtcsErUVVWsW/Mz7ESPFp8o+x94cNZ7wHZMVucpJcuvrsq PudngDxqmRK7N6hZhC9VbR8njndviTrtBBv2a5Ff/xcDEzojgZA28Ofu/XTEiZcIY1sH kdN7YcXUKFiyh9e/31REZUIqE13a0+22Q7kmktGUe8q/OI4O8WjPuZEIUPRMxtxGrdQb i9EvmyWQgXdfiSExI4Kf5CmcIQmIYq4fPr2Sbf7u4Cx/KjBw8tOIydhoHOPdAVa939WX 00qaVThtRN6LeHedlJNNXZUUKHLLC5fJ/jYz9MGlAPrAbrN47/uzefbiSoyX8NgR9ZVV P7YQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715828549; x=1716433349; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=FVWWHFcJeyIg7j3kBgJMas8lNsU1M2VbXmarq+qPlTA=; b=oEDwhysuDGKRKvpoWpKLYGxlZhJ7IHCT6fcS+JnIjwtctRBXEkoaczSN05zt/0vvIx G+EBOdkmVjpn2iU39l0CMV96tat0MCJ53ut4yXZu0qNj7mKUmuF/Wi0muKsayQUklAdX 3XjiQ7VnYhK2GLy53R/zu+PKHgvpTBVxKCVqJn8gVmaD97wd+bn4a6OoExglcKxSrvzt azMdBrlqqwZ1fcD7aIgVarusMtKyP/TTye5TVy+3zdCmhfpOIuS98BLB1mWNLPmMEtu0 wiEOwbw1EmhVltNvbjeQLSLCw7lmjNI7dMrUlnAwPu+Z8WAeweDns/OGxnca3DG1wIzO zZJQ== X-Forwarded-Encrypted: i=1; AJvYcCVtCXWA8jojLNDIqoXYBKhRBx5yAHvPO08fnGjPl1GnvQBjMvDYEP7jbZssR2PeWGAe8xYPsqaj3XDBc0e+WRjhz5ryyAERT7BP7g== X-Gm-Message-State: AOJu0YwiO2fDYGzNAC79TTJu8EacDbcpJ+hokxCWTtHO+Bd4yjcZzX81 Fhs0Re68OMb6sP+m2K+Qp+MjeGBq1ANyEPQ46lMElm+NThXiBdtz8PCASg== X-Google-Smtp-Source: AGHT+IEeJ8xS6HoDdkH0BPwYBPorpSFJBWSOhOrHsmh3pmud7f+r4vG+Vx/SaeCvz53JU+7e+Hcb9Q== X-Received: by 2002:a05:620a:14b2:b0:792:9d7c:d2b0 with SMTP id af79cd13be357-792c6c4e29emr2758172185a.15.1715828549457; Wed, 15 May 2024 20:02:29 -0700 (PDT) Received: from hurd (dsl-205-233-125-107.b2b2c.ca. [205.233.125.107]) by smtp.gmail.com with ESMTPSA id af79cd13be357-792bf27f915sm750645185a.38.2024.05.15.20.02.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 May 2024 20:02:29 -0700 (PDT) From: Maxim Cournoyer To: Liliana Marie Prikler Subject: Re: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems In-Reply-To: (Liliana Marie Prikler's message of "Tue, 14 May 2024 07:44:30 +0200") References: <87wmnxz92i.fsf@cbaines.net> Date: Wed, 15 May 2024 23:02:27 -0400 Message-ID: <87r0e2wjb0.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 70926-done Cc: 70926-done@debbugs.gnu.org, Christopher Baines X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hello, Liliana Marie Prikler writes: > Am Montag, dem 13.05.2024 um 22:38 +0100 schrieb Christopher Baines: >> I've seen this when updating systems, but it seems like something is >> wrong with the handling of nss-certs. >> >> I'm on a guix revision with nss-certs by default, and when I add >> nss-certs to my system packages (to simulate not removing it when >> upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/ >> doesn't work). > I can confirm this on three machines (two of my own, one from a > relative): Having nss-certs in the packages field unexpectedly breaks > all known certificates. > >> My reading of the operating-system-packages code suggests that adding >> nss-certs shouldn't have any effect, but this doesn't seem to be >> working. > It would be really nice to detect the mismatching versions if it's > based on that. IIUC we graft nss-certs now, so that we can hot-swap > stuff like pythons certifi package. Is this use case broken by any > chance? Apparently having multiple nss-certs of the same version is no problem (they get deduped later). The original problem would thus only exist when there are multiple versions of nss-certs listed in packages, as could happen for installer-generated configs that use '(specification->package "nss-certs"), which would pick the latest version and clash with the one in %base-packages. My code could call delete even in the first case, which would clear *all* nss-certs because they were the same object. That's now guarded against in 35ae95061e1b843e1df069693177519f22f9a16d ("system: Do not delete all nss-certs packages when they are the same object."), which I've just pushed. Closing. -- Thanks, Maxim ------------=_1715828642-14895-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 13 May 2024 21:38:51 +0000 Received: from localhost ([127.0.0.1]:35114 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s6dNj-0001RG-3C for submit@debbugs.gnu.org; Mon, 13 May 2024 17:38:51 -0400 Received: from lists.gnu.org ([209.51.188.17]:60224) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s6dNg-0001RA-Bz for submit@debbugs.gnu.org; Mon, 13 May 2024 17:38:49 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s6dNU-0003UJ-PP for bug-guix@gnu.org; Mon, 13 May 2024 17:38:40 -0400 Received: from mira.cbaines.net ([2a01:7e00:e000:2f8:fd4d:b5c7:13fb:3d27]) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1s6dNT-0001lw-EB for bug-guix@gnu.org; Mon, 13 May 2024 17:38:36 -0400 Received: from localhost (unknown [45.67.83.168]) by mira.cbaines.net (Postfix) with ESMTPSA id 338FD27BBE2 for ; Mon, 13 May 2024 22:38:33 +0100 (BST) Received: from felis (localhost [127.0.0.1]) by localhost (OpenSMTPD) with ESMTP id 20e8d498 for ; Mon, 13 May 2024 21:38:31 +0000 (UTC) From: Christopher Baines To: bug-guix@gnu.org Subject: Having default nss-certs plus nss-certs in operating-system packages causes problems User-Agent: mu4e 1.12.2; emacs 29.3 Date: Mon, 13 May 2024 22:38:29 +0100 Message-ID: <87wmnxz92i.fsf@cbaines.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=2a01:7e00:e000:2f8:fd4d:b5c7:13fb:3d27; envelope-from=mail@cbaines.net; helo=mira.cbaines.net X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) --=-=-= Content-Type: text/plain I've seen this when updating systems, but it seems like something is wrong with the handling of nss-certs. I'm on a guix revision with nss-certs by default, and when I add nss-certs to my system packages (to simulate not removing it when upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/ doesn't work). My reading of the operating-system-packages code suggests that adding nss-certs shouldn't have any effect, but this doesn't seem to be working. --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmZCiFVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh aW5lcy5uZXQACgkQXiijOwuE9XemTA//a8rXXqiiYMHplH1+Ky4Yf/MkEbCCRITj 7DsRwLvSuPRWhMkDcaUHYii/XCIMlaZp0L60upR0rKywCA86iQCryB59H2Sv+/5J W4apMNJWvNDfvBDqY5Q586xrQkBnf6lftPN2Vv4seoZ0JbCJ4ar1ZPHydKMmmzYL kfX/K1ro7kY9Rg5pMkbxf/C+3iagGy3LglcTUUE5yEhMIWc6V9tGW/L/0kVOTpZj 4++yvye+7UIcu195j2MqyWZFC5h5VHfHbuZL5TDntV/NCs2v5JNtzb9T7XuGSP2o 8BxWqsV76iBPgt0F1mgtLezAcW9EgjGVLylg2r+3EL+YxFGRpR0AWpwaWmFpKRND hNjZKrsqqMVYH97G6k/wYuW3orruhR/R9zD1Gjf6zpUwkmcLzPaSrsRgZyYh/Fd7 mkytu5NTNVgJ1KnKfT5d18ThJO+iYyJhQ13yB9xJuKRNY71rAkMdYQMYDO61NEOT H2KcTiSc56/bL0zZjXtN0QmiVN2SGrScEwjdyraqqX17i4rafV0GWxtNZNNPgxPr VfsyNYgpnjly9b44abd0lPezS6ZZyXYpIFK8ne0m/OeOpClCcZhSpoB7+0hbQ7jP NI0kfK8y16A4fwKxdReqUaDaDdRsZRhvfUqkiqENYNZAyAlxvn7ItrlxBlZKcoob cq0qLA+WYvg= =mSgS -----END PGP SIGNATURE----- --=-=-=-- ------------=_1715828642-14895-1-- From unknown Sun Jun 22 08:00:15 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems Resent-From: Christopher Baines Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 20 May 2024 09:40:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70926 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Maxim Cournoyer Cc: 70926-done@debbugs.gnu.org, Liliana Marie Prikler Received: via spool by 70926-done@debbugs.gnu.org id=D70926.171619799330817 (code D ref 70926); Mon, 20 May 2024 09:40:01 +0000 Received: (at 70926-done) by debbugs.gnu.org; 20 May 2024 09:39:53 +0000 Received: from localhost ([127.0.0.1]:41681 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s8zUm-00080z-Mj for submit@debbugs.gnu.org; Mon, 20 May 2024 05:39:53 -0400 Received: from mira.cbaines.net ([212.71.252.8]:43570) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s8zUk-00080r-Sx for 70926-done@debbugs.gnu.org; Mon, 20 May 2024 05:39:51 -0400 Received: from localhost (unknown [212.132.255.10]) by mira.cbaines.net (Postfix) with ESMTPSA id 1180327BBE2; Mon, 20 May 2024 10:39:45 +0100 (BST) Received: from felis (localhost.lan [127.0.0.1]) by localhost (OpenSMTPD) with ESMTP id 1272bb66; Mon, 20 May 2024 09:39:44 +0000 (UTC) From: Christopher Baines In-Reply-To: <87r0e2wjb0.fsf@gmail.com> (Maxim Cournoyer's message of "Wed, 15 May 2024 23:02:27 -0400") References: <87wmnxz92i.fsf@cbaines.net> <87r0e2wjb0.fsf@gmail.com> User-Agent: mu4e 1.12.2; emacs 29.3 Date: Mon, 20 May 2024 10:39:42 +0100 Message-ID: <87bk50u8ip.fsf@cbaines.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Maxim Cournoyer writes: > Hello, > > Liliana Marie Prikler writes: > >> Am Montag, dem 13.05.2024 um 22:38 +0100 schrieb Christopher Baines: >>> I've seen this when updating systems, but it seems like something is >>> wrong with the handling of nss-certs. >>>=20 >>> I'm on a guix revision with nss-certs by default, and when I add >>> nss-certs to my system packages (to simulate not removing it when >>> upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/ >>> doesn't work). >> I can confirm this on three machines (two of my own, one from a >> relative): Having nss-certs in the packages field unexpectedly breaks >> all known certificates. >> >>> My reading of the operating-system-packages code suggests that adding >>> nss-certs shouldn't have any effect, but this doesn't seem to be >>> working. >> It would be really nice to detect the mismatching versions if it's >> based on that. IIUC we graft nss-certs now, so that we can hot-swap >> stuff like pythons certifi package. Is this use case broken by any >> chance? > > Apparently having multiple nss-certs of the same version is no problem > (they get deduped later). The original problem would thus only exist > when there are multiple versions of nss-certs listed in packages, as > could happen for installer-generated configs that use > '(specification->package "nss-certs"), which would pick the latest > version and clash with the one in %base-packages. > > My code could call delete even in the first case, which would clear > *all* nss-certs because they were the same object. That's now guarded > against in 35ae95061e1b843e1df069693177519f22f9a16d ("system: Do not > delete all nss-certs packages when they are the same object."), which > I've just pushed. Great, thanks for fixing this Maxim! Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmZLGl5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh aW5lcy5uZXQACgkQXiijOwuE9XfAeRAAgbtpnnTxVlgzZa85317xhxWcbTlOJgQG RFj6FCryNaxeNs9fmuLKxZKfChJ/SB7q6Zc2GjlVWRGHRES3JHBxlrQqpoA59JQQ TYOjO4TFh887IC9DDZmLXdk0F7k4xzhVriwuaRD4YPvF+ZQNKfaKu15FyFSPanIu pjUIh0zZH/CMZ7grw1Zgx0h7l5kGNKxwvAY3g5cERyb7r9am5v/j6NCTsHMGO7m9 sURSjDcBia6gbLEhupOiibUabfNqs3FOx1HeqlG5wRAfGQnviTteUgOrp9HdRZik lh9CPeuw3udf1LiRc2fL0aqoOnDTcNgzy3T8HBU4f7lxQfQ+GTyQwNeZZuAeGM+T ZA8VjHV9ZtJ8ELnmg4H1BbYQkn4u3mq+OhBTRyNhO5IX+H2/EoCQZruDN8aJBQjN DJGszPO386rCSJxiGg77ilPpf1bVIR+UHB7jy1u0Leu3jCtlWLHkgX8Mu7ULWkyN LhaWGafiGJnLBAbeZRuqovUcKL/paYzlu2JZBIdEYuLqQCnhrdzGIUqk0B+s5Wdk SfmMNFN66hsrEHMbE+jGPj5Egywh8mbsVkKxnKJdNkAZAfNjEDc6O8TWMaRoOFOg bo0sHSa61+irP8QOfa+PPdoCY94f30nnuBhVVbrB7CYJbq0WrdklGUBHhvky+/OI YrTr+IYzNmA= =exsW -----END PGP SIGNATURE----- --=-=-=--