Package: guix-patches;
Reported by: Ian Eure <ian <at> retrospec.tv>
Date: Mon, 9 Sep 2024 17:54:02 UTC
Severity: normal
Tags: patch
Done: Ian Eure <ian <at> retrospec.tv>
To reply to this bug, email your comments to 73152 AT debbugs.gnu.org.
There is no need to reopen the bug first.
Message #5 received at submit <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:54:02 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: guix-patches <at> gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 0/6] NSS updates
Date: Mon, 9 Sep 2024 10:52:48 -0700

Hello,

This is a first pass at getting the nss packages into shape, as I
proposed earlier this year[1].  Many packages depend on nss, so these
patches need to be applied to a new branch -- my suggestion is
`nss-updates', but I have no strong preference.

This patch series:

 - Ungrafts nss
 - Factors out package creation into the `make-nss' procedure.
 - Updates nss and nss-rapid to use that procedure.
 - Updates nss and nss-certs to 3.102.1, the current ESR.
 - Updates nss-rapid to 3.104, the latest release.
 - Removes nspr-4.32, as it doesn’t appear to be used by anything.

[1]: https://lists.gnu.org/archive/html/guix-devel/2024-06/msg00318.html

Ian Eure (6):
  gnu: Remove nss/fixed.
  gnu: Remove nspr-4.32.
  gnu: Add make-nss.
  gnu: nss: Update to 3.102.1.
  gnu: nss-rapid: Update to 3.104.
  gnu: nss-certs: Update to 3.102.1.

 gnu/packages/certs.scm |   4 +-
 gnu/packages/nss.scm   | 208 +++++++++++------------------------------
 2 files changed, 59 insertions(+), 153 deletions(-)

--
2.46.0
Message #8 received at 73152 <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:56:01 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 1/1] gnu: nss-certs: Update to 3.102.1.
Date: Mon, 9 Sep 2024 10:55:33 -0700

* gnu/packages/certs.scm (nss-certs): Update to 3.102.1. Change-Id: Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10 --- gnu/packages/certs.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index e2de6b168b..9756b089c0 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -133,7 +133,7 @@ (define-public nss-certs ;; FIXME We used to refer to the nss package here, but that eventually caused ;; module cycles. The below is a quick copy-paste job that must be kept in ;; sync manually. Surely there's a better way…? - (version "3.99") + (version "3.102.1") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -144,7 +144,7 @@ (define-public nss-certs "nss-" version ".tar.gz"))) (sha256 (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) + "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" -- 2.46.0
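
Review bot: this patch is numbered [PATCH 1/1] but carries the same two hunks and the same Change-Id (Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10) as [PATCH 6/6] of the series, so it reads as a stray send of that patch. Say which of the two is meant to be applied, so the version and base32 change to nss-certs is not queued twice.
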
Message #11 received at 73152 <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:57:02 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 1/6] gnu: Remove nss/fixed.
Date: Mon, 9 Sep 2024 10:55:34 -0700

* gnu/packages/nss.scm (nss/fixed): Delete variable. Change-Id: I0a071a8c3c4a9e2a24b873177402735912192212 --- gnu/packages/nss.scm | 51 -------------------------------------------- 1 file changed, 51 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 6c60e9fbae..718a3ba4c0 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm 
@@ -271,57 +271,6 @@ (define-public nss security standards.") (license license:mpl2.0))) -(define-public nss/fixed - (let ((actual-version "3.99")) - (hidden-package - (package - (inherit nss) - (version (string-append actual-version ".0")) ;for grafts requirements - (source (origin - (inherit (package-source nss)) - (uri (let ((version-with-underscores - (string-join (string-split actual-version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" actual-version ".tar.gz"))) - (sha256 - (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")))) - (arguments - (substitute-keyword-arguments (package-arguments nss) - ((#:phases phases) - #~(modify-phases #$phases - (replace 'check - (lambda* (#:key tests? #:allow-other-keys) - (if tests? - (begin - ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for - ;; testing. The latter requires a working DNS or /etc/hosts. - (setenv "DOMSUF" "localdomain") - (setenv "USE_IP" "TRUE") - (setenv "IP_ADDRESS" "127.0.0.1") - - ;; This specific test is looking at performance "now - ;; verify that we can quickly dump a database", and - ;; we're not testing performance here (especially - ;; since we're using faketime), so raise the - ;; threshold - (substitute* "nss/tests/dbtests/dbtests.sh" - ((" -lt 5") " -lt 50")) - - ;; Since the test suite is very lengthy, run the test - ;; suite once, not thrice as done by default, by - ;; selecting only the 'standard' cycle. - (setenv "NSS_CYCLES" "standard") - - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2024-01-23" "./nss/tests/all.sh")) - (format #t "test suite not run~%")))))))))))) - ;; nss-rapid tracks the rapid release channel. 
Unless your package requires a ;; newer version, you should prefer the `nss' package, which tracks the ESR ;; channel. -- 2.46.0
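
Review bot: the removed nss/fixed definition is a hidden package whose version line is commented ";for grafts requirements", yet the log only says "Delete variable" and the hunk removes nothing except the definition itself. State in the commit message that this ungrafts nss (as the cover letter does) and that no package still refers to nss/fixed, so the removal can be checked against the rest of the file.
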
Message #14 received at 73152 <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:57:02 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 2/6] gnu: Remove nspr-4.32.
Date: Mon, 9 Sep 2024 10:55:35 -0700

* gnu/packages/nss.scm (nspr-4.32): Delete variable. Change-Id: I05c97fe6fc32d045618334df118a84836c0d0261 --- gnu/packages/nss.scm | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 718a3ba4c0..60b4b34d4e 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -94,18 +94,6 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) -(define-public nspr-4.32 - (package - (inherit nspr) - (version "4.32") - (source (origin - (method url-fetch) - (uri (string-append - "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v" - version "/src/nspr-" version ".tar.gz")) - (sha256 - (base32 - "0v3zds1id71j5a5si42a658fjz8nv2f6zp6w4gqrqmdr6ksz8sxv")))))) ;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR. -- 2.46.0
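
Review bot: the log for the removal at "-(define-public nspr-4.32" gives no reason for it. The cover letter's justification, that nothing appears to use nspr-4.32, should be in the commit message itself, since a public variable is being deleted and the cover letter does not end up in the history.
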
Message #17 received at 73152 <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:57:03 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 3/6] gnu: Add make-nss.
Date: Mon, 9 Sep 2024 10:55:36 -0700

* gnu/packages/nss.scm (make-nss): New variable. NSS builds require time-shifting to their approximate release date to build repeatably, because it ships with test certificates which expire. To avoid duplicating the whole package definition between `nss' and `nss-rapid', move the bulk of the definition into `make-nss', which accepts a version, hash, and release date, allowing reuse between the two definitions. Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36 --- gnu/packages/nss.scm | 166 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 60b4b34d4e..b51bebda3d 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm 
@@ -94,6 +94,172 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) +(define* (make-nss #:key version release-date hash) + (package + (name "nss") + ;; IMPORTANT: Also update and test the nss-certs package, which duplicates + ;; version and source to avoid a top-level variable reference & module + ;; cycle. + (version version) + (source + (origin + (method url-fetch) + (uri (let ((version-with-underscores + (string-join (string-split version #\.) "_"))) + (string-append + "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" + "releases/NSS_" version-with-underscores "_RTM/src/" + "nss-" version ".tar.gz"))) + (sha256 + (base32 hash)) + ;; Create nss.pc and nss-config. + (patches (search-patches "nss-3.56-pkgconfig.patch" + "nss-getcwd-nonnull.patch" + "nss-increase-test-timeout.patch")) + (modules '((guix build utils))) + (snippet + '(begin + ;; Delete the bundled copy of these libraries. + (delete-file-recursively "nss/lib/zlib") + (delete-file-recursively "nss/lib/sqlite"))))) + (build-system gnu-build-system) + (outputs '("out" "bin")) + (arguments + (list + #:make-flags + #~(let ((rpath (string-append "-Wl,-rpath=" #$output "/lib/nss"))) + (list "-C" "nss" + (string-append "PREFIX=" #$output) + "NSDISTMODE=copy" + "NSS_USE_SYSTEM_SQLITE=1" + ;; The gtests fail to compile on riscv64. + ;; Skipping them doesn't affect the test suite. + #$@(if (target-riscv64?) + #~("NSS_DISABLE_GTESTS=1") + #~()) + ;; Ensure we are building for the (%current-target-system). + #$@(if (%current-target-system) + #~((string-append + "OS_TEST=" + (string-take #$(%current-target-system) + (string-index #$(%current-target-system) #\-))) + (string-append + "KERNEL=" (cond (#$(target-hurd?) "gnu") + (#$(target-linux?) "linux") + (else "")))) + #~()) + #$@(if (%current-target-system) + #~("CROSS_COMPILE=1") + #~()) + (string-append "NSPR_INCLUDE_DIR=" + (search-input-directory %build-inputs + "include/nspr")) + ;; Add $out/lib/nss to RPATH. 
+ (string-append "RPATH=" rpath) + (string-append "LDFLAGS=" rpath))) + #:modules '((guix build gnu-build-system) + (guix build utils) + (ice-9 ftw) + (ice-9 match) + (srfi srfi-26)) + #:tests? (not (or (%current-target-system) + ;; Tests take more than 30 hours on some architectures. + (target-riscv64?) + (target-ppc32?))) + #:phases + #~(modify-phases %standard-phases + (replace 'configure + (lambda _ + (setenv "CC" #$(cc-for-target)) + (setenv "CCC" #$(cxx-for-target)) + (setenv "NATIVE_CC" "gcc") + ;; No VSX on powerpc-linux. + #$@(if (target-ppc32?) + #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1")) + #~()) + ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system. + #$@(if (target-64bit?) + #~((setenv "USE_64" "1")) + #~()))) + (replace 'check + (lambda* (#:key tests? #:allow-other-keys) + (if tests? + (begin + ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for + ;; testing. The latter requires a working DNS or /etc/hosts. + (setenv "DOMSUF" "localdomain") + (setenv "USE_IP" "TRUE") + (setenv "IP_ADDRESS" "127.0.0.1") + + ;; This specific test is looking at performance "now + ;; verify that we can quickly dump a database", and + ;; we're not testing performance here (especially + ;; since we're using faketime), so raise the + ;; threshold + (substitute* "nss/tests/dbtests/dbtests.sh" + ((" -lt 5") " -lt 50")) + + ;; Since the test suite is very lengthy, run the test + ;; suite once, not thrice as done by default, by + ;; selecting only the 'standard' cycle. + (setenv "NSS_CYCLES" "standard") + + #$@(if (target-64bit?) + '() + ;; The script fails to determine the source + ;; directory when running under 'datefudge' (see + ;; <https://issues.guix.gnu.org/72239>). Help it. + #~((substitute* "nss/tests/gtests/gtests.sh" + (("SOURCE_DIR=.*") + (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) + + ;; The "PayPalEE.cert" certificate expires every six months, + ;; leading to test failures: + ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. 
To + ;; work around that, set the time to roughly the release date. + (invoke #$(if (target-64bit?) "faketime" "datefudge") + #$release-date "./nss/tests/all.sh")) + (format #t "test suite not run~%")))) + (replace 'install + (lambda* (#:key outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (bin (string-append (assoc-ref outputs "bin") "/bin")) + (inc (string-append out "/include/nss")) + (lib (string-append out "/lib/nss")) + (obj (match (scandir "dist" (cut string-suffix? "OBJ" <>)) + ((obj) (string-append "dist/" obj))))) + ;; Install nss-config to $out/bin. + (install-file (string-append obj "/bin/nss-config") + (string-append out "/bin")) + (delete-file (string-append obj "/bin/nss-config")) + ;; Install nss.pc to $out/lib/pkgconfig. + (install-file (string-append obj "/lib/pkgconfig/nss.pc") + (string-append out "/lib/pkgconfig")) + (delete-file (string-append obj "/lib/pkgconfig/nss.pc")) + (rmdir (string-append obj "/lib/pkgconfig")) + ;; Install other files. + (copy-recursively "dist/public/nss" inc) + (copy-recursively (string-append obj "/bin") bin) + (copy-recursively (string-append obj "/lib") lib))))))) + (inputs (list sqlite zlib)) + (propagated-inputs (list nspr)) ;required by nss.pc. + (native-inputs (list perl ;for tests + (if (target-64bit?) libfaketime datefudge) + which)) + + ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when + ;; another build is happening concurrently on the same machine. + (properties '((timeout . 216000))) ;60 hours + + (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS") + (synopsis "Network Security Services") + (description + "Network Security Services (@dfn{NSS}) is a set of libraries designed to +support cross-platform development of security-enabled client and server +applications. 
Applications built with NSS can support SSL v2 and v3, TLS, +PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other +security standards.") + (license license:mpl2.0))) ;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR. -- 2.46.0
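
Review bot: "(define* (make-nss #:key version release-date hash)" gives none of the three keywords a default and the procedure has no docstring, so a caller that omits one passes #f on to string-split, base32 or the faketime/datefudge invocation, and the failure shows up far from the call site. Make them required positional parameters or check them on entry, and document that release-date is the date the test suite is run under and has to fall inside the validity window of the test certificates shipped with that release.
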
Message #20 received at 73152 <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:57:03 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 4/6] gnu: nss: Update to 3.102.1.
Date: Mon, 9 Sep 2024 10:55:37 -0700

gnu/packages/nss.scm (nss): Update to 3.102.1. Change-Id: Ic24624279b1d2efbe6f4dd82cb73cc63f50f2e14 --- gnu/packages/nss.scm | 172 +++---------------------------------------- 1 file changed, 10 insertions(+), 162 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index b51bebda3d..b4fdd13abc 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm 
@@ -261,169 +261,17 @@ (define* (make-nss #:key version release-date hash) security standards.") (license license:mpl2.0))) -;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR. - (define-public nss - (package - (name "nss") - ;; IMPORTANT: Also update and test the nss-certs package, which duplicates - ;; version and source to avoid a top-level variable reference & module - ;; cycle. - (version "3.99") - (source (origin - (method url-fetch) - (uri (let ((version-with-underscores - (string-join (string-split version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" version ".tar.gz"))) - (sha256 - (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) - ;; Create nss.pc and nss-config. - (patches (search-patches "nss-3.56-pkgconfig.patch" - "nss-getcwd-nonnull.patch" - "nss-increase-test-timeout.patch")) - (modules '((guix build utils))) - (snippet - '(begin - ;; Delete the bundled copy of these libraries. - (delete-file-recursively "nss/lib/zlib") - (delete-file-recursively "nss/lib/sqlite"))))) - (build-system gnu-build-system) - (outputs '("out" "bin")) - (arguments - (list - #:make-flags - #~(let ((rpath (string-append "-Wl,-rpath=" #$output "/lib/nss"))) - (list "-C" "nss" - (string-append "PREFIX=" #$output) - "NSDISTMODE=copy" - "NSS_USE_SYSTEM_SQLITE=1" - ;; The gtests fail to compile on riscv64. - ;; Skipping them doesn't affect the test suite. - #$@(if (target-riscv64?) - #~("NSS_DISABLE_GTESTS=1") - #~()) - ;; Ensure we are building for the (%current-target-system). - #$@(if (%current-target-system) - #~((string-append - "OS_TEST=" - (string-take #$(%current-target-system) - (string-index #$(%current-target-system) #\-))) - (string-append - "KERNEL=" (cond (#$(target-hurd?) "gnu") - (#$(target-linux?) 
"linux") - (else "")))) - #~()) - #$@(if (%current-target-system) - #~("CROSS_COMPILE=1") - #~()) - (string-append "NSPR_INCLUDE_DIR=" - (search-input-directory %build-inputs - "include/nspr")) - ;; Add $out/lib/nss to RPATH. - (string-append "RPATH=" rpath) - (string-append "LDFLAGS=" rpath))) - #:modules '((guix build gnu-build-system) - (guix build utils) - (ice-9 ftw) - (ice-9 match) - (srfi srfi-26)) - #:tests? (not (or (%current-target-system) - ;; Tests take more than 30 hours on some architectures. - (target-riscv64?) - (target-ppc32?))) - #:phases - #~(modify-phases %standard-phases - (replace 'configure - (lambda _ - (setenv "CC" #$(cc-for-target)) - (setenv "CCC" #$(cxx-for-target)) - (setenv "NATIVE_CC" "gcc") - ;; No VSX on powerpc-linux. - #$@(if (target-ppc32?) - #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1")) - #~()) - ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system. - #$@(if (target-64bit?) - #~((setenv "USE_64" "1")) - #~()))) - (replace 'check - (lambda* (#:key tests? #:allow-other-keys) - (if tests? - (begin - ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for - ;; testing. The latter requires a working DNS or /etc/hosts. - (setenv "DOMSUF" "localdomain") - (setenv "USE_IP" "TRUE") - (setenv "IP_ADDRESS" "127.0.0.1") - - ;; This specific test is looking at performance "now - ;; verify that we can quickly dump a database", and - ;; we're not testing performance here (especially - ;; since we're using faketime), so raise the - ;; threshold - (substitute* "nss/tests/dbtests/dbtests.sh" - ((" -lt 5") " -lt 50")) - - #$@(if (target-64bit?) - '() - ;; The script fails to determine the source - ;; directory when running under 'datefudge' (see - ;; <https://issues.guix.gnu.org/72239>). Help it. 
- #~((substitute* "nss/tests/gtests/gtests.sh" - (("SOURCE_DIR=.*") - (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) - - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. - (invoke #$(if (target-64bit?) "faketime" "datefudge") - "2024-01-23" "./nss/tests/all.sh")) - (format #t "test suite not run~%")))) - (replace 'install - (lambda* (#:key outputs #:allow-other-keys) - (let* ((out (assoc-ref outputs "out")) - (bin (string-append (assoc-ref outputs "bin") "/bin")) - (inc (string-append out "/include/nss")) - (lib (string-append out "/lib/nss")) - (obj (match (scandir "dist" (cut string-suffix? "OBJ" <>)) - ((obj) (string-append "dist/" obj))))) - ;; Install nss-config to $out/bin. - (install-file (string-append obj "/bin/nss-config") - (string-append out "/bin")) - (delete-file (string-append obj "/bin/nss-config")) - ;; Install nss.pc to $out/lib/pkgconfig. - (install-file (string-append obj "/lib/pkgconfig/nss.pc") - (string-append out "/lib/pkgconfig")) - (delete-file (string-append obj "/lib/pkgconfig/nss.pc")) - (rmdir (string-append obj "/lib/pkgconfig")) - ;; Install other files. - (copy-recursively "dist/public/nss" inc) - (copy-recursively (string-append obj "/bin") bin) - (copy-recursively (string-append obj "/lib") lib))))))) - (inputs (list sqlite zlib)) - (propagated-inputs (list nspr)) ;required by nss.pc. - (native-inputs (list perl ;for tests - (if (target-64bit?) libfaketime datefudge) - which)) - - ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when - ;; another build is happening concurrently on the same machine. - (properties '((timeout . 
216000))) ;60 hours - - (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS") - (synopsis "Network Security Services") - (description - "Network Security Services (@dfn{NSS}) is a set of libraries designed to -support cross-platform development of security-enabled client and server -applications. Applications built with NSS can support SSL v2 and v3, TLS, -PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other -security standards.") - (license license:mpl2.0))) + (let ((base (make-nss + #:version "3.102.1" + #:release-date "2024-07-24" + #:hash "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l"))) + (package + (inherit base) + (synopsis (string-append (package-synopsis base) " (ESR)")) + (description + (string-append (package-description base) " +This package tracks the Extended Support Release channel."))))) ;; nss-rapid tracks the rapid release channel. Unless your package requires a ;; newer version, you should prefer the `nss' package, which tracks the ESR -- 2.46.0
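
Review bot: the check phase that nss now takes from make-nss is not the one deleted here. The removed definition never set NSS_CYCLES, while make-nss (patch 3/6) sets it to "standard", so besides the version bump this commit reduces the nss test run to a single cycle; say so in the log. The log entry is also missing its leading "* ", and the synopsis becomes "Network Security Services (ESR)", a user-visible change the log does not mention.
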
Message #23 received at 73152 <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:57:03 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 5/6] gnu: nss-rapid: Update to 3.104.
Date: Mon, 9 Sep 2024 10:55:38 -0700

* gnu/packages/nss.scm (nss-rapid): Update to 3.104. Change-Id: I22772d75a98a479a65717ea7bcbfbb7986bd0c77 --- gnu/packages/nss.scm | 67 ++++++++------------------------------------ 1 file changed, 11 insertions(+), 56 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index b4fdd13abc..b53e6e22cf 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm 
@@ -281,63 +281,18 @@ (define-public nss ;; and https://wiki.mozilla.org/Rapid_Release_Model (define-public nss-rapid - (package - (inherit nss) - (name "nss-rapid") - (version "3.103") - (source (origin - (inherit (package-source nss)) - (uri (let ((version-with-underscores - (string-join (string-split version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" version ".tar.gz"))) - (sha256 - (base32 - "0qp9rs226rr6gh51b42cdbydr4mj80cli3bfqhh7bp3jyxbvcjkv")))) - (arguments - (substitute-keyword-arguments (package-arguments nss) - ((#:phases phases) - #~(modify-phases #$phases - (replace 'check - (lambda* (#:key tests? #:allow-other-keys) - (if tests? - (begin - ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for - ;; testing. The latter requires a working DNS or /etc/hosts. - (setenv "DOMSUF" "localdomain") - (setenv "USE_IP" "TRUE") - (setenv "IP_ADDRESS" "127.0.0.1") - - ;; This specific test is looking at performance "now - ;; verify that we can quickly dump a database", and - ;; we're not testing performance here (especially - ;; since we're using faketime), so raise the - ;; threshold - (substitute* "nss/tests/dbtests/dbtests.sh" - ((" -lt 5") " -lt 50")) - - ;; Since the test suite is very lengthy, run the test - ;; suite once, not thrice as done by default, by - ;; selecting only the 'standard' cycle. - (setenv "NSS_CYCLES" "standard") - - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. 
- (invoke "faketime" "2024-08-17" "./nss/tests/all.sh")) - (format #t "test suite not run~%")))))))) - (synopsis "Network Security Services (Rapid Release)") - (description - "Network Security Services (@dfn{NSS}) is a set of libraries designed to -support cross-platform development of security-enabled client and server -applications. Applications built with NSS can support SSL v2 and v3, TLS, -PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other -security standards. + (let ((base (make-nss + #:version "3.104" + #:release-date "2024-08-30" + #:hash "13mca2y92sm05kxb40qvlkq8l93ghmrhh0s3iawpc7idc8ik4xp2"))) + (package + (inherit base) + (name (string-append (package-name base) "-rapid")) + (synopsis (string-append (package-synopsis base) " (Rapid Release)")) + (description + (string-append (package-description base) " +This package tracks the Rapid Release channel, which updates frequently."))))) -This package tracks the Rapid Release channel, which updates frequently."))) (define-public nsncd (package (name "nsncd") -- 2.46.0
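
Review bot: "(name (string-append (package-name base) "-rapid"))" computes the package name; write the literal "nss-rapid" so the definition can be found by searching for the name. The removed check phase also called "faketime" unconditionally, whereas the phase that comes from make-nss picks "datefudge" on non-64-bit targets, so the test runner changes there along with the date; note that in the log.
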
Message #26 received at 73152 <at> debbugs.gnu.org (Mon, 09 Sep 2024 17:57:04 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 6/6] gnu: nss-certs: Update to 3.102.1.
Date: Mon, 9 Sep 2024 10:55:39 -0700

* gnu/packages/certs.scm (nss-certs): Update to 3.102.1. Change-Id: Ibb0b39ef97e04afc37c62c5dc23ab93eef1c1f10 --- gnu/packages/certs.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index e2de6b168b..9756b089c0 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -133,7 +133,7 @@ (define-public nss-certs ;; FIXME We used to refer to the nss package here, but that eventually caused ;; module cycles. The below is a quick copy-paste job that must be kept in ;; sync manually. Surely there's a better way…? - (version "3.99") + (version "3.102.1") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -144,7 +144,7 @@ (define-public nss-certs "nss-" version ".tar.gz"))) (sha256 (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) + "1k1pjxz0ab4lg8xqggbb8pw77c1q8h4bldi09z4pj5g4hwsjv62l")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" -- 2.46.0
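
Review bot: the context comment in the first hunk says this copy of the nss version and source "must be kept in sync manually", yet the matching nss bump is a separate commit (4/6) with the nss-rapid change in between, so for two commits nss and nss-certs name different releases. Squash this into the nss update or place it directly after it. The new base32 string does match the #:hash passed to make-nss for 3.102.1 in 4/6, as it has to.
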
Message #29 received at 73152 <at> debbugs.gnu.org (Tue, 10 Sep 2024 18:01:02 GMT):

From: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
To: Ian Eure <ian <at> retrospec.tv>, 73152 <at> debbugs.gnu.org
Subject: Re: [PATCH 3/6] gnu: Add make-nss.
Date: Tue, 10 Sep 2024 19:59:14 +0200

On Monday, 09.09.2024 at 10:55 -0700, Ian Eure wrote:
> * gnu/packages/nss.scm (make-nss): New variable.
> NSS builds require time-shifting to their approximate release date to
> build repeatably, because it ships with test certificates which
> expire.  To avoid duplicating the whole package definition between
> `nss' and `nss-rapid', move the bulk of the definition into
> `make-nss', which accepts a version, hash, and release date, allowing
> reuse between the two definitions.
>
> Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
> ---
Note: the explanation should come before the ChangeLog.

Cheers
Message #32 received at 73152 <at> debbugs.gnu.org (Sun, 16 Feb 2025 14:48:02 GMT):

From: Christopher Baines <mail <at> cbaines.net>
To: Ian Eure <ian <at> retrospec.tv>
Cc: 73152 <at> debbugs.gnu.org
Subject: Re: [bug#73152] [PATCH 3/6] gnu: Add make-nss.
Date: Sun, 16 Feb 2025 14:47:28 +0000

Ian Eure <ian <at> retrospec.tv> writes:

> * gnu/packages/nss.scm (make-nss): New variable.
> NSS builds require time-shifting to their approximate release date to build
> repeatably, because it ships with test certificates which expire.  To avoid
> duplicating the whole package definition between `nss' and `nss-rapid', move
> the bulk of the definition into `make-nss', which accepts a version, hash, and
> release date, allowing reuse between the two definitions.
>
> Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
> ---
>  gnu/packages/nss.scm | 166 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 166 insertions(+)

I'm not sure the refactoring here is overall helpful, I think I
understand the motivation but I think it would be simpler and more
readable to stick with the package inheritance approach.

If you just need to change the source, plus the faketime date in
nss-rapid, but want to avoid replacing the entire check phase, maybe you
could change the nss package to use an environment variable
(e.g. GUIX_CHECK_FAKETIME_DATE) for this, and set this environment
variable in a single phase.

So in nss you'd have:

  (add-before 'check 'set-GUIX_CHECK_FAKETIME_DATE
    (lambda _
      (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-01-23")))
  (replace 'check
    (lambda* (#:key tests? #:allow-other-keys)
      ...
      (invoke #$(if (target-64bit?) "faketime" "datefudge")
              (getenv "GUIX_CHECK_FAKETIME_DATE")
              "./nss/tests/all.sh")))

Then in nss-rapid you'd just do

  (replace 'set-GUIX_CHECK_FAKETIME_DATE
    (lambda _
      (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-08-30")))

Maybe there's a more elegant way to share a value between phases in the
builder, but I think even doing it via an environment variable is still
preferable to using a procedure to create the package. I've spent many
hours debugging complex functional and performance related issues caused
by procedures returning packages, and while it's a powerful tool, it's
something to be avoided unless necessary.

In terms of how to make this kind of change, I'd split it into two
parts. Introducing the environment variable can definitely go to the
core-packages-team branch in my opinion, and the package updates could
maybe as well, but I'd think of it as two separate patch series.
Message #35 received at 73152 <at> debbugs.gnu.org (Sun, 16 Feb 2025 18:49:02 GMT):

From: Ian Eure <ian <at> retrospec.tv>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 73152 <at> debbugs.gnu.org
Subject: Re: [bug#73152] [PATCH 3/6] gnu: Add make-nss.
Date: Sun, 16 Feb 2025 10:48:38 -0800

Hi Christopher,

Christopher Baines <mail <at> cbaines.net> writes:

> Ian Eure <ian <at> retrospec.tv> writes:
>
>> * gnu/packages/nss.scm (make-nss): New variable.
>> NSS builds require time-shifting to their approximate release date
>> to build repeatably, because it ships with test certificates which
>> expire.  To avoid duplicating the whole package definition between
>> `nss' and `nss-rapid', move the bulk of the definition into
>> `make-nss', which accepts a version, hash, and release date,
>> allowing reuse between the two definitions.
>>
>> Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
>> ---
>>  gnu/packages/nss.scm | 166 +++++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 166 insertions(+)
>
> I'm not sure the refactoring here is overall helpful, I think I
> understand the motivation but I think it would be simpler and more
> readable to stick with the package inheritance approach.
>
> If you just need to change the source, plus the faketime date in
> nss-rapid, but want to avoid replacing the entire check phase, maybe
> you could change the nss package to use an environment variable
> (e.g. GUIX_CHECK_FAKETIME_DATE) for this, and set this environment
> variable in a single phase.
>
> So in nss you'd have:
>
>   (add-before 'check 'set-GUIX_CHECK_FAKETIME_DATE
>     (lambda _
>       (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-01-23")))
>   (replace 'check
>     (lambda* (#:key tests? #:allow-other-keys)
>       ...
>       (invoke #$(if (target-64bit?) "faketime" "datefudge")
>               (getenv "GUIX_CHECK_FAKETIME_DATE")
>               "./nss/tests/all.sh")))
>
> Then in nss-rapid you'd just do
>
>   (replace 'set-GUIX_CHECK_FAKETIME_DATE
>     (lambda _
>       (setenv "GUIX_CHECK_FAKETIME_DATE" "2024-08-30")))
>
> Maybe there's a more elegant way to share a value between phases in
> the builder, but I think even doing it via an environment variable is
> still preferable to using a procedure to create the package. I've
> spent many hours debugging complex functional and performance related
> issues caused by procedures returning packages, and while it's a
> powerful tool, it's something to be avoided unless necessary.

Thank you very much for the detailed review and suggestion.  I like the
environment variable approach a lot, and will send an updated patch
series which uses it.  I agree with you that straightforward package
definitions are preferable, and this is a much simpler approach.

> In terms of how to make this kind of change, I'd split it into two
> parts. Introducing the environment variable can definitely go to the
> core-packages-team branch in my opinion, and the package updates
> could maybe as well, but I'd think of it as two separate patch
> series.

The split that makes sense to me is to send one series to
core-packages-team, consisting of: one patch to use an environment
variable for the release date; a second patch to ungraft nss; and a
third package updating nss to the latest ESR.  I believe each patch in
this series will cause nss dependents to rebuild, so it seems
preferable to put those into a single series, rather than turn a 15k
package build into a 45k one.

Then, after core-packages-team merges, a second patch to master which
updates nss-rapid to use the environment variable mechanism.  Since
very little depends on this package, it’s safe to update in master any
time.

If that sounds good to you, I’ll close this bug and open a new one with
the first series.

Thank you again for engaging with me on moving forward on this work.

  -- Ian
(Tue, 06 May 2025 22:52:02 GMT) Message #38 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v2 1/6] gnu: nspr: Update to 4.36. Date: Tue, 6 May 2025 15:51:03 -0700
* gnu/packages/nss.scm (nspr): Update to 4.36. Change-Id: Iac06cba18730773438f9de4e00376c0213bf4c15 --- gnu/packages/nss.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index f253edce99..73b010eea9 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -47,7 +47,7 @@ (define-module (gnu packages nss) (define-public nspr (package (name "nspr") - (version "4.35") + (version "4.36") (source (origin (method url-fetch) (uri (string-append @@ -55,7 +55,7 @@ (define-public nspr version "/src/nspr-" version ".tar.gz")) (sha256 (base32 - "13xwda56yhp1w7v02qvlxvlqiniw8kr4g3fxlljmv6wnlmz2k8vy")))) + "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm")))) (build-system gnu-build-system) (inputs (list perl ;for 'compile-et.pl' -- 2.49.0
(Tue, 06 May 2025 22:52:02 GMT) Message #41 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v2 2/6] gnu: Remove nss/fixed. Date: Tue, 6 May 2025 15:51:04 -0700
* gnu/packages/nss.scm (nss/fixed): Delete variable. Change-Id: Iaff60eed7eb9e000da27f899973b230939bfb41a --- gnu/packages/nss.scm | 51 -------------------------------------------- 1 file changed, 51 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 73b010eea9..ab238330a4 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm 
@@ -260,57 +260,6 @@ (define-public nss security standards.") (license license:mpl2.0))) -(define-public nss/fixed - (let ((actual-version "3.99")) - (hidden-package - (package - (inherit nss) - (version (string-append actual-version ".0")) ;for grafts requirements - (source (origin - (inherit (package-source nss)) - (uri (let ((version-with-underscores - (string-join (string-split actual-version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" actual-version ".tar.gz"))) - (sha256 - (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")))) - (arguments - (substitute-keyword-arguments (package-arguments nss) - ((#:phases phases) - #~(modify-phases #$phases - (replace 'check - (lambda* (#:key tests? #:allow-other-keys) - (if tests? - (begin - ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for - ;; testing. The latter requires a working DNS or /etc/hosts. - (setenv "DOMSUF" "localdomain") - (setenv "USE_IP" "TRUE") - (setenv "IP_ADDRESS" "127.0.0.1") - - ;; This specific test is looking at performance "now - ;; verify that we can quickly dump a database", and - ;; we're not testing performance here (especially - ;; since we're using faketime), so raise the - ;; threshold - (substitute* "nss/tests/dbtests/dbtests.sh" - ((" -lt 5") " -lt 50")) - - ;; Since the test suite is very lengthy, run the test - ;; suite once, not thrice as done by default, by - ;; selecting only the 'standard' cycle. - (setenv "NSS_CYCLES" "standard") - - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2024-01-23" "./nss/tests/all.sh")) - (format #t "test suite not run~%")))))))))))) - ;; nss-rapid tracks the rapid release channel. 
Unless your package requires a ;; newer version, you should prefer the `nss' package, which tracks the ESR ;; channel. -- 2.49.0
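Review bot: The hunk deletes only the definition of `nss/fixed'; nothing in this patch touches a `replacement' field or any other use of the variable. `nss/fixed' is a hidden package whose version carries the comment "for grafts requirements", so please confirm in the commit message that `nss' no longer has (replacement nss/fixed), otherwise that field is left pointing at an unbound variable. It would also help to say why dropping the graft is safe at this point in the series.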
(Tue, 06 May 2025 22:52:03 GMT) Message #44 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v2 3/6] gnu: nss: Store the package release date in an environment variable. Date: Tue, 6 May 2025 15:51:05 -0700
* gnu/packages/nss.scm (nss): Store the package release date in an environment variable. Change-Id: Ic3708c0a32e2fc15b0400e42611735f33839b78b --- gnu/packages/nss.scm | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index ab238330a4..abaee7e980 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -172,6 +172,13 @@ (define-public nss (target-ppc32?))) #:phases #~(modify-phases %standard-phases + ;; The "PayPalEE.cert" certificate expires every six months, leading + ;; to test failures: + ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To work + ;; around that, set the time to roughly the release date. + (add-after 'unpack 'set-release-date + (lambda _ + (setenv "GUIX_NSS_RELEASE_DATE" "2024-01-23"))) (replace 'configure (lambda _ (setenv "CC" #$(cc-for-target)) @@ -212,12 +219,12 @@ (define-public nss (("SOURCE_DIR=.*") (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. - (invoke #$(if (target-64bit?) "faketime" "datefudge") - "2024-01-23" "./nss/tests/all.sh")) + + (let ((release-date (getenv "GUIX_NSS_RELEASE_DATE"))) + (when (string=? "" release-date) + (raise-exception "`GUIX_NSS_RELEASE_DATE' unset")) + (invoke #$(if (target-64bit?) "faketime" "datefudge") + release-date "./nss/tests/all.sh"))) (format #t "test suite not run~%")))) (replace 'install (lambda* (#:key outputs #:allow-other-keys) -- 2.49.0
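Review bot: In the `check' hunk, (getenv "GUIX_NSS_RELEASE_DATE") returns #f when the variable is unset, so (string=? "" release-date) fails with a wrong-type error before the intended "`GUIX_NSS_RELEASE_DATE' unset" message is reached; the guard only fires when the variable is set to the empty string. Test both cases, for example (when (or (not release-date) (string-null? release-date)) ...), and consider signalling with `error' so the failure reads like other phase errors. The PayPalEE.cert comment moved up to `set-release-date', which leaves the faketime/datefudge call without an explanation; a one-line pointer back to that phase would keep the reason next to the invocation.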
(Tue, 06 May 2025 22:52:03 GMT) Message #47 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v2 4/6] gnu: nss: Clean up. Date: Tue, 6 May 2025 15:51:06 -0700
Platform-specific build conditionals currently use ungexp to inject code into the build phase: #$@(if ... #~(...) #~(...)). Change these to use unless/when where appropriate, and ungexp the test value instead of the whole form. * gnu/packages/nss.scm (nss): Clean up gexps. * gnu/packages/nss.scm (nss): Extract URI code into `nss-uri'. * gnu/packages/nss.scm (nss-uri): New variable. Change-Id: I5843eb5bf80f01650e0e87a9c479d5d1ab187f9e --- gnu/packages/nss.scm | 46 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index abaee7e980..1deb92c00f 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -95,8 +95,16 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) - -;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR. +(define (nss-uri version) + (let* ((versions (string-split version #\.)) + (directory-version (string-join versions "_")) + ;; 3.101.3 release has a typo in the filename. + (filename-version + (if (string=? "3.101.3" version) "3.101_3" version))) + (string-append + "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" + "releases/NSS_" directory-version "_RTM/src/" + "nss-" filename-version ".tar.gz"))) (define-public nss (package @@ -107,12 +115,7 @@ (define-public nss (version "3.99") (source (origin (method url-fetch) - (uri (let ((version-with-underscores - (string-join (string-split version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" version ".tar.gz"))) + (uri (nss-uri version)) (sha256 (base32 "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) 
@@ -185,13 +188,12 @@ (define-public nss (setenv "CCC" #$(cxx-for-target)) (setenv "NATIVE_CC" "gcc") ;; No VSX on powerpc-linux. - #$@(if (target-ppc32?) - #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1")) - #~()) + (when #$(target-ppc32?) + (setenv "NSS_DISABLE_CRYPTO_VSX" "1")) + ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system. - #$@(if (target-64bit?) - #~((setenv "USE_64" "1")) - #~()))) + (when #$(target-64bit?) + (setenv "USE_64" "1")))) (replace 'check (lambda* (#:key tests? #:allow-other-keys) (if tests? @@ -210,15 +212,13 @@ (define-public nss (substitute* "nss/tests/dbtests/dbtests.sh" ((" -lt 5") " -lt 50")) - #$@(if (target-64bit?) - '() - ;; The script fails to determine the source - ;; directory when running under 'datefudge' (see - ;; <https://issues.guix.gnu.org/72239>). Help it. - #~((substitute* "nss/tests/gtests/gtests.sh" - (("SOURCE_DIR=.*") - (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) - + (unless #$(target-64bit?) + ;; The script fails to determine the source + ;; directory when running under 'datefudge' (see + ;; <https://issues.guix.gnu.org/72239>). Help it. + ((substitute* "nss/tests/gtests/gtests.sh" + (("SOURCE_DIR=.*") + (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) (let ((release-date (getenv "GUIX_NSS_RELEASE_DATE"))) (when (string=? "" release-date) -- 2.49.0
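Review bot: In the last hunk, the body of (unless #$(target-64bit?) ...) keeps the extra pair of parentheses left over from the old #~((substitute* ...)) list, so on non-64-bit targets the builder evaluates ((substitute* ...)) and tries to call the return value of `substitute*' as a procedure. Drop the outer parentheses so the body is just (substitute* "nss/tests/gtests/gtests.sh" ...). This branch is only taken where datefudge is used, so a 64-bit build will not exercise it; please build once with --system=i686-linux before sending the next revision.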
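Review bot: `nss-uri' special-cases "3.101.3" while `nss' is still at version 3.99 in this patch, so that branch is dead code until the version bump and would be easier to review in the patch that performs the update. The comment "3.101.3 release has a typo in the filename" should also point at the upstream release directory, so the next person updating the package can tell when the special case is no longer needed.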
(Tue, 06 May 2025 22:52:04 GMT) Message #50 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v2 5/6] gnu: nss: Update to 3.101.3. Date: Tue, 6 May 2025 15:51:07 -0700
* gnu/packages/nss.scm (nss): Update to 3.101.3. Change-Id: Iaf474377f0441e6ee16bcb30265fec6de3d9c76a --- gnu/packages/nss.scm | 24 +++++++++----- .../patches/nss-disable-broken-tests.patch | 33 +++++++++++++++++++ 2 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 gnu/packages/patches/nss-disable-broken-tests.patch diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 1deb92c00f..424fa5cc66 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -42,7 +42,9 @@ (define-module (gnu packages nss) #:use-module (gnu packages compression) #:use-module (gnu packages perl) #:use-module (gnu packages sqlite) - #:use-module (gnu packages time)) + #:use-module (gnu packages time) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-26)) (define-public nspr (package @@ -112,17 +114,18 @@ (define-public nss ;; IMPORTANT: Also update and test the nss-certs package, which duplicates ;; version and source to avoid a top-level variable reference & module ;; cycle. - (version "3.99") + (version "3.101.3") (source (origin (method url-fetch) (uri (nss-uri version)) (sha256 (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) + "1gkpbyh90aw9yhjnyj1bsp79s2bxab886d9ihkaw1i2kzqfvf3dg")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" - "nss-increase-test-timeout.patch")) + "nss-increase-test-timeout.patch" + "nss-disable-broken-tests.patch")) (modules '((guix build utils))) (snippet '(begin @@ -181,7 +184,7 @@ (define-public nss ;; around that, set the time to roughly the release date. (add-after 'unpack 'set-release-date (lambda _ - (setenv "GUIX_NSS_RELEASE_DATE" "2024-01-23"))) + (setenv "GUIX_NSS_RELEASE_DATE" "2025-02-05"))) (replace 'configure (lambda _ (setenv "CC" #$(cc-for-target)) 
@@ -258,13 +261,15 @@ (define-public nss (properties '((timeout . 216000))) ;60 hours (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS") - (synopsis "Network Security Services") + (synopsis "Network Security Services (ESR)") (description "Network Security Services (@dfn{NSS}) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other -security standards.") +security standards. + +This package tracks the Extended Support Release (ESR) channel.") (license license:mpl2.0))) ;; nss-rapid tracks the rapid release channel. Unless your package requires a @@ -289,7 +294,10 @@ (define-public nss-rapid "nss-" version ".tar.gz"))) (sha256 (base32 - "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")))) + "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")) + (patches + (remove (cut string-contains <> "nss-disable-broken-tests.patch") + (origin-patches (package-source nss)))))) (arguments (substitute-keyword-arguments (package-arguments nss) ((#:phases phases) diff --git a/gnu/packages/patches/nss-disable-broken-tests.patch b/gnu/packages/patches/nss-disable-broken-tests.patch new file mode 100644 index 0000000000..8d6e101471 --- /dev/null +++ b/gnu/packages/patches/nss-disable-broken-tests.patch 
@@ -0,0 +1,33 @@ +These tests are broken in 3.101.3. + +See https://bugzilla.mozilla.org/show_bug.cgi?id=1964304 + +--- nss-3.101.3/nss/tests/tools/tools.sh 1969-12-31 16:00:01.000000000 -0800 ++++ nss-3.101.3/nss/tests/tools/tools.sh 2025-05-05 16:36:47.835447542 -0700 +@@ -540,26 +540,6 @@ + ret=$? + html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file" + check_tmpfile +- +- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" +- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 +- ret=$? +- html_msg $ret 19 "Fail to list private key with bad iterator" +- check_tmpfile +- +- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" +- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 +- ret=$? +- echo "Fail to list private key with bad salt val=$ret" +- html_msg $ret 19 "Fail to import private key with bad salt" +- check_tmpfile +- +- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" +- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 +- ret=$? +- echo "Fail to import private key with no length val=$ret" +- html_msg $ret 19 "Fail to import private key with no length" +- check_tmpfile + } + + ############################## tools_p12 ############################### \ No newline at end of file -- 2.49.0
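Review bot: The new nss-disable-broken-tests.patch removes three negative tests from nss/tests/tools/tools.sh that expect "pk12util -l" to exit with 19 on invalid PBMAC1 PKCS#12 files (the bad-iter, bad-salt and no-length samples), so the ESR build no longer checks that rejection path. The patch header links the upstream bug but does not say whether the failure lies in the test data or in the validation itself; please state that in the header so the patch can be dropped at the right time. The diffstat lists only nss.scm and the new patch, so the file is not registered in gnu/local.mk, and the commit message mentions neither the new patch, the nss-rapid change nor the added srfi imports. The patch file also ends without a trailing newline.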
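Review bot: In the `nss-rapid' hunk, the patch list is computed by filtering the patches of `nss' on the substring "nss-disable-broken-tests.patch", which ties nss-rapid to a file name owned by another package and changes silently if that patch is renamed or a second ESR-only patch is added. Listing the patches for nss-rapid explicitly with `search-patches' is easier to audit and would make the srfi-1 and srfi-26 imports unnecessary.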
(Tue, 06 May 2025 22:52:04 GMT) Message #53 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v2 6/6] gnu: nss-certs: Update to 3.101.3. Date: Tue, 6 May 2025 15:51:08 -0700
* gnu/packages/certs.scm (nss-certs): Update to 3.101.3. Change-Id: Ibe9aa969046d375eea308594ac1a3c1cf23f75c2 --- gnu/packages/certs.scm | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index e2de6b168b..08db871bf2 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -133,18 +133,21 @@ (define-public nss-certs ;; FIXME We used to refer to the nss package here, but that eventually caused ;; module cycles. The below is a quick copy-paste job that must be kept in ;; sync manually. Surely there's a better way…? - (version "3.99") + (version "3.101.3") (source (origin (method url-fetch) - (uri (let ((version-with-underscores - (string-join (string-split version #\.) "_"))) + (uri (let* ((versions (string-split version #\.)) + (directory-version (string-join versions "_")) + ;; 3.101.3 release has a typo in the filename. + (filename-version + (if (string=? "3.101.3" version) "3.101_3" version))) (string-append "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" version ".tar.gz"))) + "releases/NSS_" directory-version "_RTM/src/" + "nss-" filename-version ".tar.gz"))) (sha256 (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) + "1gkpbyh90aw9yhjnyj1bsp79s2bxab886d9ihkaw1i2kzqfvf3dg")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" -- 2.49.0
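Review bot: The URI expression in this hunk, including the "3.101.3" to "3.101_3" special case, is now a second copy of `nss-uri' from gnu/packages/nss.scm, in addition to the version and hash that the FIXME above already says must be kept in sync by hand. Please extend that FIXME to name `nss-uri' as the counterpart, so a future update that drops the special case in one file does not leave nss-certs fetching from a different file name than nss.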
(Thu, 08 May 2025 00:07:01 GMT) Message #56 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v3 2/7] gnu: nspr: Update to 4.36. Date: Wed, 7 May 2025 17:06:04 -0700
* gnu/packages/nss.scm (nspr): Update to 4.36. Change-Id: Iac06cba18730773438f9de4e00376c0213bf4c15 --- gnu/packages/nss.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index f253edce99..73b010eea9 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -47,7 +47,7 @@ (define-module (gnu packages nss) (define-public nspr (package (name "nspr") - (version "4.35") + (version "4.36") (source (origin (method url-fetch) (uri (string-append @@ -55,7 +55,7 @@ (define-public nspr version "/src/nspr-" version ".tar.gz")) (sha256 (base32 - "13xwda56yhp1w7v02qvlxvlqiniw8kr4g3fxlljmv6wnlmz2k8vy")))) + "15b83ipjxrmw0909l5qqz13pbarhp50d6i58vgjx4720y4bw7pjm")))) (build-system gnu-build-system) (inputs (list perl ;for 'compile-et.pl' -- 2.49.0
(Thu, 08 May 2025 00:07:02 GMT) Message #59 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v3 1/7] gnu: Remove nspr-4.32. Date: Wed, 7 May 2025 17:06:03 -0700
Nothing uses this, so remove it. * gnu/packages/nss.scm (nspr-4.32): Delete variable. Change-Id: I05c97fe6fc32d045618334df118a84836c0d0261 --- gnu/packages/nss.scm | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 8bcb593ed7..f253edce99 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -95,18 +95,6 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) -(define-public nspr-4.32 - (package - (inherit nspr) - (version "4.32") - (source (origin - (method url-fetch) - (uri (string-append - "https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v" - version "/src/nspr-" version ".tar.gz")) - (sha256 - (base32 - "0v3zds1id71j5a5si42a658fjz8nv2f6zp6w4gqrqmdr6ksz8sxv")))))) ;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR. -- 2.49.0
(Thu, 08 May 2025 00:07:02 GMT) Message #62 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v3 3/7] gnu: Remove nss/fixed. Date: Wed, 7 May 2025 17:06:05 -0700
* gnu/packages/nss.scm (nss/fixed): Delete variable. Change-Id: Iaff60eed7eb9e000da27f899973b230939bfb41a --- gnu/packages/nss.scm | 51 -------------------------------------------- 1 file changed, 51 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 73b010eea9..ab238330a4 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm 
@@ -260,57 +260,6 @@ (define-public nss security standards.") (license license:mpl2.0))) -(define-public nss/fixed - (let ((actual-version "3.99")) - (hidden-package - (package - (inherit nss) - (version (string-append actual-version ".0")) ;for grafts requirements - (source (origin - (inherit (package-source nss)) - (uri (let ((version-with-underscores - (string-join (string-split actual-version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" actual-version ".tar.gz"))) - (sha256 - (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")))) - (arguments - (substitute-keyword-arguments (package-arguments nss) - ((#:phases phases) - #~(modify-phases #$phases - (replace 'check - (lambda* (#:key tests? #:allow-other-keys) - (if tests? - (begin - ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for - ;; testing. The latter requires a working DNS or /etc/hosts. - (setenv "DOMSUF" "localdomain") - (setenv "USE_IP" "TRUE") - (setenv "IP_ADDRESS" "127.0.0.1") - - ;; This specific test is looking at performance "now - ;; verify that we can quickly dump a database", and - ;; we're not testing performance here (especially - ;; since we're using faketime), so raise the - ;; threshold - (substitute* "nss/tests/dbtests/dbtests.sh" - ((" -lt 5") " -lt 50")) - - ;; Since the test suite is very lengthy, run the test - ;; suite once, not thrice as done by default, by - ;; selecting only the 'standard' cycle. - (setenv "NSS_CYCLES" "standard") - - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2024-01-23" "./nss/tests/all.sh")) - (format #t "test suite not run~%")))))))))))) - ;; nss-rapid tracks the rapid release channel. 
Unless your package requires a ;; newer version, you should prefer the `nss' package, which tracks the ESR ;; channel. -- 2.49.0
(Thu, 08 May 2025 00:07:03 GMT) Message #65 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v3 4/7] gnu: nss: Store the package release date in an environment variable. Date: Wed, 7 May 2025 17:06:06 -0700
* gnu/packages/nss.scm (nss): Store the package release date in an environment variable. Change-Id: Ic3708c0a32e2fc15b0400e42611735f33839b78b --- gnu/packages/nss.scm | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index ab238330a4..abaee7e980 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -172,6 +172,13 @@ (define-public nss (target-ppc32?))) #:phases #~(modify-phases %standard-phases + ;; The "PayPalEE.cert" certificate expires every six months, leading + ;; to test failures: + ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To work + ;; around that, set the time to roughly the release date. + (add-after 'unpack 'set-release-date + (lambda _ + (setenv "GUIX_NSS_RELEASE_DATE" "2024-01-23"))) (replace 'configure (lambda _ (setenv "CC" #$(cc-for-target)) @@ -212,12 +219,12 @@ (define-public nss (("SOURCE_DIR=.*") (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. - (invoke #$(if (target-64bit?) "faketime" "datefudge") - "2024-01-23" "./nss/tests/all.sh")) + + (let ((release-date (getenv "GUIX_NSS_RELEASE_DATE"))) + (when (string=? "" release-date) + (raise-exception "`GUIX_NSS_RELEASE_DATE' unset")) + (invoke #$(if (target-64bit?) "faketime" "datefudge") + release-date "./nss/tests/all.sh"))) (format #t "test suite not run~%")))) (replace 'install (lambda* (#:key outputs #:allow-other-keys) -- 2.49.0
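Review bot: The guard in the `check' hunk is unchanged in v3: (string=? "" release-date) is applied to the result of `getenv', which is #f for an unset variable, so the unset case ends in a wrong-type error instead of the "`GUIX_NSS_RELEASE_DATE' unset" message. Check (not release-date) as well as the empty string before calling invoke.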
(Thu, 08 May 2025 00:07:03 GMT) Message #68 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v3 5/7] gnu: nss: Clean up. Date: Wed, 7 May 2025 17:06:07 -0700
Platform-specific build conditionals currently use ungexp to inject code into the build phase: #$@(if ... #~(...) #~(...)). Change these to use unless/when where appropriate, and ungexp the test value instead of the whole form. * gnu/packages/nss.scm (nss): Clean up gexps. * gnu/packages/nss.scm (nss): Extract URI code into `nss-uri'. * gnu/packages/nss.scm (nss-uri): New variable. Change-Id: I5843eb5bf80f01650e0e87a9c479d5d1ab187f9e --- gnu/packages/nss.scm | 46 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index abaee7e980..1deb92c00f 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -95,8 +95,16 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) - -;; nss should track ESRs, but currently doesn't. 3.102.1 is the current ESR. +(define (nss-uri version) + (let* ((versions (string-split version #\.)) + (directory-version (string-join versions "_")) + ;; 3.101.3 release has a typo in the filename. + (filename-version + (if (string=? "3.101.3" version) "3.101_3" version))) + (string-append + "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" + "releases/NSS_" directory-version "_RTM/src/" + "nss-" filename-version ".tar.gz"))) (define-public nss (package @@ -107,12 +115,7 @@ (define-public nss (version "3.99") (source (origin (method url-fetch) - (uri (let ((version-with-underscores - (string-join (string-split version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" version ".tar.gz"))) + (uri (nss-uri version)) (sha256 (base32 "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) 
@@ -185,13 +188,12 @@ (define-public nss (setenv "CCC" #$(cxx-for-target)) (setenv "NATIVE_CC" "gcc") ;; No VSX on powerpc-linux. - #$@(if (target-ppc32?) - #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1")) - #~()) + (when #$(target-ppc32?) + (setenv "NSS_DISABLE_CRYPTO_VSX" "1")) + ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system. - #$@(if (target-64bit?) - #~((setenv "USE_64" "1")) - #~()))) + (when #$(target-64bit?) + (setenv "USE_64" "1")))) (replace 'check (lambda* (#:key tests? #:allow-other-keys) (if tests? @@ -210,15 +212,13 @@ (define-public nss (substitute* "nss/tests/dbtests/dbtests.sh" ((" -lt 5") " -lt 50")) - #$@(if (target-64bit?) - '() - ;; The script fails to determine the source - ;; directory when running under 'datefudge' (see - ;; <https://issues.guix.gnu.org/72239>). Help it. - #~((substitute* "nss/tests/gtests/gtests.sh" - (("SOURCE_DIR=.*") - (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) - + (unless #$(target-64bit?) + ;; The script fails to determine the source + ;; directory when running under 'datefudge' (see + ;; <https://issues.guix.gnu.org/72239>). Help it. + ((substitute* "nss/tests/gtests/gtests.sh" + (("SOURCE_DIR=.*") + (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) (let ((release-date (getenv "GUIX_NSS_RELEASE_DATE"))) (when (string=? "" release-date) -- 2.49.0
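Review bot: The (unless #$(target-64bit?) ...) body in the last hunk still wraps the `substitute*' form in a second pair of parentheses, so on 32-bit targets the result of `substitute*' is applied as a procedure and the check phase fails before the test suite starts. Remove the outer parentheses; the `when' forms in the `configure' hunk are fine as written.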
(Thu, 08 May 2025 00:07:04 GMT) Message #71 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv> To: 73152 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH v3 6/7] gnu: nss: Update to 3.101.3. Date: Wed, 7 May 2025 17:06:08 -0700
* gnu/packages/nss.scm (nss): Update to 3.101.3. Change-Id: Iaf474377f0441e6ee16bcb30265fec6de3d9c76a --- gnu/packages/nss.scm | 24 +++++++++----- .../patches/nss-disable-broken-tests.patch | 33 +++++++++++++++++++ 2 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 gnu/packages/patches/nss-disable-broken-tests.patch diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 1deb92c00f..424fa5cc66 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -42,7 +42,9 @@ (define-module (gnu packages nss) #:use-module (gnu packages compression) #:use-module (gnu packages perl) #:use-module (gnu packages sqlite) - #:use-module (gnu packages time)) + #:use-module (gnu packages time) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-26)) (define-public nspr (package @@ -112,17 +114,18 @@ (define-public nss ;; IMPORTANT: Also update and test the nss-certs package, which duplicates ;; version and source to avoid a top-level variable reference & module ;; cycle. - (version "3.99") + (version "3.101.3") (source (origin (method url-fetch) (uri (nss-uri version)) (sha256 (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) + "1gkpbyh90aw9yhjnyj1bsp79s2bxab886d9ihkaw1i2kzqfvf3dg")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" - "nss-increase-test-timeout.patch")) + "nss-increase-test-timeout.patch" + "nss-disable-broken-tests.patch")) (modules '((guix build utils))) (snippet '(begin @@ -181,7 +184,7 @@ (define-public nss ;; around that, set the time to roughly the release date. (add-after 'unpack 'set-release-date (lambda _ - (setenv "GUIX_NSS_RELEASE_DATE" "2024-01-23"))) + (setenv "GUIX_NSS_RELEASE_DATE" "2025-02-05"))) (replace 'configure (lambda _ (setenv "CC" #$(cc-for-target)) 
@@ -258,13 +261,15 @@ (define-public nss (properties '((timeout . 216000))) ;60 hours (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS") - (synopsis "Network Security Services") + (synopsis "Network Security Services (ESR)") (description "Network Security Services (@dfn{NSS}) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other -security standards.") +security standards. + +This package tracks the Extended Support Release (ESR) channel.") (license license:mpl2.0))) ;; nss-rapid tracks the rapid release channel. Unless your package requires a @@ -289,7 +294,10 @@ (define-public nss-rapid "nss-" version ".tar.gz"))) (sha256 (base32 - "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")))) + "12y156frnhaqvwkla1c07gqr2lnp4yb3619g4088kk8qc4jnr95y")) + (patches + (remove (cut string-contains <> "nss-disable-broken-tests.patch") + (origin-patches (package-source nss)))))) (arguments (substitute-keyword-arguments (package-arguments nss) ((#:phases phases) diff --git a/gnu/packages/patches/nss-disable-broken-tests.patch b/gnu/packages/patches/nss-disable-broken-tests.patch new file mode 100644 index 0000000000..8d6e101471 --- /dev/null +++ b/gnu/packages/patches/nss-disable-broken-tests.patch 
@@ -0,0 +1,33 @@ +These tests are broken in 3.101.3. + +See https://bugzilla.mozilla.org/show_bug.cgi?id=1964304 + +--- nss-3.101.3/nss/tests/tools/tools.sh 1969-12-31 16:00:01.000000000 -0800 ++++ nss-3.101.3/nss/tests/tools/tools.sh 2025-05-05 16:36:47.835447542 -0700 +@@ -540,26 +540,6 @@ + ret=$? + html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file" + check_tmpfile +- +- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" +- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 +- ret=$? +- html_msg $ret 19 "Fail to list private key with bad iterator" +- check_tmpfile +- +- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" +- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 +- ret=$? +- echo "Fail to list private key with bad salt val=$ret" +- html_msg $ret 19 "Fail to import private key with bad salt" +- check_tmpfile +- +- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" +- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 +- ret=$? +- echo "Fail to import private key with no length val=$ret" +- html_msg $ret 19 "Fail to import private key with no length" +- check_tmpfile + } + + ############################## tools_p12 ############################### \ No newline at end of file -- 2.49.0
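Review bot: In the nss origin hunk of gnu/packages/nss.scm, "nss-disable-broken-tests.patch" is added to search-patches, but the diffstat lists only nss.scm and the new patch file, so this commit does not register the patch in gnu/local.mk (dist_patch_DATA). Add it there, and extend the ChangeLog entry, which currently names only (nss), to cover the new patch file and the nss-rapid source change.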
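Review bot: In the nss-rapid origin, (remove (cut string-contains <> "nss-disable-broken-tests.patch") (origin-patches (package-source nss))) assumes every inherited patch is a string and matches on a substring. That holds for what search-patches returns, but string-contains raises a type error as soon as a non-string patch (for example an origin) is added to nss, and the new srfi-1 and srfi-26 imports exist only for this one expression. A string-suffix? test guarded by string? would be tighter, and a comment should say why nss-rapid drops the patch, since the patch header only states that the tests are broken in 3.101.3.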
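Review bot: The three blocks removed from tests/tools/tools.sh by nss-disable-broken-tests.patch are the negative PBMAC1 cases (pbmac1-invalid-bad-iter.p12, pbmac1-invalid-bad-salt.p12 and pbmac1-invalid-no-length.p12, each expected to return 19), so after this change the package's test run no longer checks that pk12util rejects malformed PBMAC1 parameters. The patch header should say how the tests fail rather than only that they are broken, and state that the patch is to be dropped once the linked Bugzilla issue is resolved. The file also ends without a trailing newline ("\ No newline at end of file").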
(Thu, 08 May 2025 00:07:05 GMT) Message #74 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv>
To: 73152 <at> debbugs.gnu.org
Cc: Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH v3 7/7] gnu: nss-certs: Update to 3.101.3.
Date: Wed, 7 May 2025 17:06:09 -0700
* gnu/packages/certs.scm (nss-certs): Update to 3.101.3. Change-Id: Ibe9aa969046d375eea308594ac1a3c1cf23f75c2 --- gnu/packages/certs.scm | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index e2de6b168b..08db871bf2 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -133,18 +133,21 @@ (define-public nss-certs ;; FIXME We used to refer to the nss package here, but that eventually caused ;; module cycles. The below is a quick copy-paste job that must be kept in ;; sync manually. Surely there's a better way…? - (version "3.99") + (version "3.101.3") (source (origin (method url-fetch) - (uri (let ((version-with-underscores - (string-join (string-split version #\.) "_"))) + (uri (let* ((versions (string-split version #\.)) + (directory-version (string-join versions "_")) + ;; 3.101.3 release has a typo in the filename. + (filename-version + (if (string=? "3.101.3" version) "3.101_3" version))) (string-append "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" version ".tar.gz"))) + "releases/NSS_" directory-version "_RTM/src/" + "nss-" filename-version ".tar.gz"))) (sha256 (base32 - "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) + "1gkpbyh90aw9yhjnyj1bsp79s2bxab886d9ihkaw1i2kzqfvf3dg")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" -- 2.49.0
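Review bot: The (if (string=? "3.101.3" version) "3.101_3" version) special case in the nss-certs uri hard-codes a single release and silently becomes dead code at the next version bump. Because the FIXME above says this origin is a copy of the one in nss.scm that must be kept in sync manually, and both origins now carry the same sha256, confirm that nss-uri in nss.scm yields the same nss-3.101_3.tar.gz file name, and mention the special case in the FIXME so it is removed on the next update. The versions binding is used only once and could be inlined into directory-version.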
(Sat, 17 May 2025 18:20:02 GMT) Message #77 received at 73152 <at> debbugs.gnu.org:
From: Ian Eure <ian <at> retrospec.tv>
To: Christopher Baines <mail <at> cbaines.net>, Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Cc: 73152 <at> debbugs.gnu.org
Subject: Re: [bug#73152] [PATCH 3/6] gnu: Add make-nss.
Date: Sat, 17 May 2025 11:19:14 -0700
Hi Liliana, Christopher,

Liliana Marie Prikler <liliana.prikler <at> gmail.com> writes:

> Note: the explanation should come before the ChangeLog.

Fixed, thanks.

Christopher Baines <mail <at> cbaines.net> writes:

> Maybe there's a more elegant way to share a value between phases in the
> builder, but I think even doing it via an environment variable is still
> preferable than using a procedure to create the package. I've spent many
> hours debugging complex functional and performance related issues caused
> by procedures returning packages, and while it's a powerful tool, it's
> something to be avoided unless necessary.

I adopted this suggestion, and it made for a much cleaner setup. Thank you!

The current patch series is working and ready for review. I haven’t rebuilt all the dependent packages (and QA is down, so I’m not sure whether it has, but it’s had a week to do so), but the direct nss/nspr changes build and seem to work for me.

> In terms of how to make this kind of change, I'd split it into two
> parts. Introducing the environment variable can definitely go to the
> core-packages-team branch in my opinion, and the package updates could
> maybe as well, but I'd think of it as two separate patch series.

This patch series updates nss, but leaves nss-rapid for a later series. I’d prefer not to block this on core-package-team, but if you feel strongly that some or all of these changes should go there, I will direct them.

Given that it’s been 8 months since I opened the series and that will extend the timeline greatly, I’m disinclined to complicate things more -- and would likely end up needing to move all the changes to Codeberg with the added delay.

WDYT?

-- Ian
Ian Eure <ian <at> retrospec.tv> to control <at> debbugs.gnu.org. (Sun, 25 May 2025 17:50:01 GMT)