GNU bug report logs -
#70926
Having default nss-certs plus nss-certs in operating-system packages causes problems
Previous Next
Reported by: Christopher Baines <mail <at> cbaines.net>
Date: Mon, 13 May 2024 21:39:01 UTC
Severity: normal
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Wed, 15 May 2024 23:02:27 -0400
with message-id <87r0e2wjb0.fsf <at> gmail.com>
and subject line Re: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems
has caused the debbugs.gnu.org bug report #70926,
regarding Having default nss-certs plus nss-certs in operating-system packages causes problems
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
70926: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=70926
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
I've seen this when updating systems, but it seems like something is
wrong with the handling of nss-certs.
I'm on a guix revision with nss-certs by default, and when I add
nss-certs to my system packages (to simulate not removing it when
upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
doesn't work).
My reading of the operating-system-packages code suggests that adding
nss-certs shouldn't have any effect, but this doesn't seem to be
working.
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
Hello,
Liliana Marie Prikler <liliana.prikler <at> gmail.com> writes:
> Am Montag, dem 13.05.2024 um 22:38 +0100 schrieb Christopher Baines:
>> I've seen this when updating systems, but it seems like something is
>> wrong with the handling of nss-certs.
>>
>> I'm on a guix revision with nss-certs by default, and when I add
>> nss-certs to my system packages (to simulate not removing it when
>> upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
>> doesn't work).
> I can confirm this on three machines (two of my own, one from a
> relative): Having nss-certs in the packages field unexpectedly breaks
> all known certificates.
>
>> My reading of the operating-system-packages code suggests that adding
>> nss-certs shouldn't have any effect, but this doesn't seem to be
>> working.
> It would be really nice to detect the mismatching versions if it's
> based on that. IIUC we graft nss-certs now, so that we can hot-swap
> stuff like pythons certifi package. Is this use case broken by any
> chance?
Apparently having multiple nss-certs of the same version is no problem
(they get deduped later). The original problem would thus only exist
when there are multiple versions of nss-certs listed in packages, as
could happen for installer-generated configs that use
'(specification->package "nss-certs"), which would pick the latest
version and clash with the one in %base-packages.
My code could call delete even in the first case, which would clear
*all* nss-certs because they were the same object. That's now guarded
against in 35ae95061e1b843e1df069693177519f22f9a16d ("system: Do not
delete all nss-certs packages when they are the same object."), which
I've just pushed.
Closing.
--
Thanks,
Maxim
This bug report was last modified 1 year and 3 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.