
[bug#71832,v6,2/3] gnu: Add nss-rapid.

Message ID 20240817193240.27089-3-ian@retrospec.tv
State New
Series Update LibreWolf to 129.0.1-1; add nss-rapid

Commit Message

Ian Eure Aug. 17, 2024, 7:32 p.m. UTC
* gnu/packages/nss.scm (nss-rapid): New variable.

Change-Id: I2bdd2119fb0c857feae9eb2e47a28909b8228cd7
---
 gnu/packages/nss.scm | 67 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

Comments

Vagrant Cascadian Aug. 17, 2024, 10:46 p.m. UTC | #1
On 2024-08-17, Ian Eure wrote:
> * gnu/packages/nss.scm (nss-rapid): New variable.
>
> Change-Id: I2bdd2119fb0c857feae9eb2e47a28909b8228cd7
> ---
>  gnu/packages/nss.scm | 67 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 67 insertions(+)

Unfortunately, this failed to build:

error: in phase 'check': uncaught exception:
%exception #<&invoke-error program: "faketime" arguments: ("2024-08-17" "./nss/tests/all.sh") exit-status: 1 term-signal: #f stop-signal: #f>
phase `check' failed after 1983.7 seconds
command "faketime" "2024-08-17" "./nss/tests/all.sh" failed with status 1
builder for `/gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv' failed with exit code 1
build of /gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv failed
View build log at '/var/log/guix/drvs/nh/zx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv.gz'.
guix build: error: build of `/gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv' failed


live well,
  vagrant
Vagrant Cascadian Aug. 17, 2024, 11:33 p.m. UTC | #2
On 2024-08-17, Vagrant Cascadian wrote:
> On 2024-08-17, Ian Eure wrote:
>> * gnu/packages/nss.scm (nss-rapid): New variable.
>>
>> Change-Id: I2bdd2119fb0c857feae9eb2e47a28909b8228cd7
>> ---
>>  gnu/packages/nss.scm | 67 ++++++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 67 insertions(+)
>
> Unfortunately, this failed to build:
>
> error: in phase 'check': uncaught exception:
> %exception #<&invoke-error program: "faketime" arguments: ("2024-08-17" "./nss/tests/all.sh") exit-status: 1 term-signal: #f stop-signal: #f>
> phase `check' failed after 1983.7 seconds
> command "faketime" "2024-08-17" "./nss/tests/all.sh" failed with status 1
> builder for `/gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv' failed with exit code 1
> build of /gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv failed
> View build log at '/var/log/guix/drvs/nh/zx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv.gz'.
> guix build: error: build of `/gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv' failed

Hrm. The build log was truncated and I could not find the actual
errors. There were two test suite failures... :/

I tried to build it again and it worked this time... hrm.

live well,
  vagrant
Ian Eure Aug. 17, 2024, 11:51 p.m. UTC | #3
Thank you for taking a look.  It seems like the build process crashed when running the extensive test suite.  Both these packages are resource-intensive to build.  A machine with 16gb RAM and no swap will OOM, but a 24gb machine can complete them.  Perhaps there's a clue in dmesg?

I built both nss-rapid and librewolf locally and made sure they seemed to work prior to sending the patch series.

On August 17, 2024 4:33:14 PM PDT, Vagrant Cascadian <vagrant@debian.org> wrote:
>On 2024-08-17, Vagrant Cascadian wrote:
>> On 2024-08-17, Ian Eure wrote:
>>> * gnu/packages/nss.scm (nss-rapid): New variable.
>>>
>>> Change-Id: I2bdd2119fb0c857feae9eb2e47a28909b8228cd7
>>> ---
>>>  gnu/packages/nss.scm | 67 ++++++++++++++++++++++++++++++++++++++++++++
>>>  1 file changed, 67 insertions(+)
>>
>> Unfortunately, this failed to build:
>>
>> error: in phase 'check': uncaught exception:
>> %exception #<&invoke-error program: "faketime" arguments: ("2024-08-17" "./nss/tests/all.sh") exit-status: 1 term-signal: #f stop-signal: #f>
>> phase `check' failed after 1983.7 seconds
>> command "faketime" "2024-08-17" "./nss/tests/all.sh" failed with status 1
>> builder for `/gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv' failed with exit code 1
>> build of /gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv failed
>> View build log at '/var/log/guix/drvs/nh/zx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv.gz'.
>> guix build: error: build of `/gnu/store/nhzx27ndgbhsbl0kjnv49xsy3xdy0a66-nss-rapid-3.103.drv' failed
>
>Hrm. The build log was truncated and I could not find the actual
>errors. There were two test suite failures... :/
>
>I tried to build it again and it worked this time... hrm.
>
>live well,
>  vagrant
Vagrant Cascadian Aug. 18, 2024, 2 a.m. UTC | #4
On 2024-08-17, Ian Eure wrote:
> Thank you for taking a look.  It seems like the build process crashed
> when running the extensive test suite.  Both these packages are
> resource-intensive to build.  A machine with 16gb RAM and no swap will
> OOM, but a 24gb machine can complete them.  Perhaps there's a clue in
> dmesg?

I got a successful build of both nss-rapid and librewolf even only with
16gb of ram and 2.5gb of swap (maybe newer versions ... actually use
less resources?!) ... it just took two tries to build nss-rapid! :)

Have not actually run it yet... because foolishly I built it on a
headless system and need to transfer it over somewhere else to actually
test it... but so far looks promising.

live well,
  vagrant
Vagrant Cascadian Aug. 18, 2024, 3:38 a.m. UTC | #5
On 2024-08-17, Ian Eure wrote:
> diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
> index 9224a8ed5a..1a684e6146 100644
> --- a/gnu/packages/nss.scm
> +++ b/gnu/packages/nss.scm
...
> +;; nss should track ESRs, but currently doesn't.  3.102.1 is the current ESR.
> +
>  (define-public nss
>    (package
>      (name "nss")

Though I largely agree with the logic (e.g. nss *should* probably be
packaging ESR versions in general)... it seems a little weird to include
a comment about what the packaging for nss *should* do, even though it
is not (yet) doing it... similar with embedding a specific "current"
version, which will obviously become inaccurate before too long...

Alternately, maybe moving the comment to where the nss version is
actually defined; to give someone pause when considering updating the
version?

Or maybe this belongs in a separate discussion on guix-devel and/or bug?


> +;; nss-rapid tracks the rapid release channel.  Unless your package requires a
> +;; newer version, you should prefer the `nss' package, which tracks the ESR
> +;; channel.
> +;;
> +;; See https://wiki.mozilla.org/NSS:Release_Versions
> +;; and https://wiki.mozilla.org/Rapid_Release_Model
> +
> +(define-public nss-rapid

Mixed feelings on rapid vs. latest ... latest is a bit more consistent
with other guix packages, though "rapid" is the terminology that
upstream uses here.


Both those points are, in my opinion, quite minor; I would not want to
block on those points alone!


live well,
  vagrant
Ian Eure Aug. 18, 2024, 3:48 a.m. UTC | #6
Vagrant Cascadian <vagrant@debian.org> writes:

> On 2024-08-17, Ian Eure wrote:
>> diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
>> index 9224a8ed5a..1a684e6146 100644
>> --- a/gnu/packages/nss.scm
>> +++ b/gnu/packages/nss.scm
> ...
>> +;; nss should track ESRs, but currently doesn't.  3.102.1 is 
>> the current ESR.
>> +
>>  (define-public nss
>>    (package
>>      (name "nss")
>
> Though I largely agree with the logic (e.g. nss *should* 
> probably be
> packaging ESR versions in general)... it seems a little weird to 
> include
> a comment about what the packaging for nss *should* do, even 
> though it
> is not (yet) doing it... similar with embedding a specific 
> "current"
> version, which will obviously become inaccurate before too 
> long...
>
> Alternately, maybe moving the comment to where the nss version 
> is
> actually defined; to give someone pause when considering 
> updating the
> version?
>
> Or maybe this belongs in a separate discussion on guix-devel 
> and/or bug?
>

I started a discussion about nss earlier this year[1], and some of 
the changes in this patch set are a result of that.  The long and 
short of it is that nss should track ESRs only, and it could do 
that now, but the process to update it is murky to me due to it 
causing a lot of rebuilds.  I asked for some advice on that a 
couple days ago[2].  The comment is left in the hopes that a 
well-meaning contributor doesn’t update it to a non-ESR version 
before the ESR updates can be worked out, which would set the 
timeline for that change back by a year.

If you have guidance on how to update a package low in the graph, 
I’d appreciate hearing!


>
>> +;; nss-rapid tracks the rapid release channel.  Unless your 
>> package requires a
>> +;; newer version, you should prefer the `nss' package, which 
>> tracks the ESR
>> +;; channel.
>> +;;
>> +;; See https://wiki.mozilla.org/NSS:Release_Versions
>> +;; and https://wiki.mozilla.org/Rapid_Release_Model
>> +
>> +(define-public nss-rapid
>
> Mixed feelings on rapid vs. latest ... latest is a bit more 
> consistent
> with other guix packages, though "rapid" is the terminology that
> upstream uses here.
>

Yes, agreed that the terminology situation isn’t ideal.  I don’t 
have a strong preference, but neither is there consensus around 
"latest."  In the absence of strong consensus, and to avoid 
bikeshedding, I opted for reusing upstream terminology, but 
clarifying that in the package description and synopsis.  I 
frankly do not care which is adopted, and it can be updated any 
time, since this is high in the package graph.  I do think that if 
the package is named "nss-rapid", the synopsis/description should 
indicate that this is upstream’s Rapid Release channel.  It 
currently does, but would need some trivial editing should the 
package name change.


> Both those points are, in my opinion, quite minor; I would not 
> want to
> block on those points alone!
>

I agree, and I appreciate your pragmatic approach here.

Thanks,

  — Ian


[1]: 
https://lists.gnu.org/archive/html/guix-devel/2024-06/msg00318.html
[2]: 
https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00074.html

Patch

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 9224a8ed5a..1a684e6146 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -106,6 +106,8 @@  (define-public nspr-4.32
               (base32
                "0v3zds1id71j5a5si42a658fjz8nv2f6zp6w4gqrqmdr6ksz8sxv"))))))
 
+;; nss should track ESRs, but currently doesn't.  3.102.1 is the current ESR.
+
 (define-public nss
   (package
     (name "nss")
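
Review bot: The comment added above `(define-public nss` pins "3.102.1 is the current ESR", a literal that goes stale as soon as upstream publishes the next ESR, and nothing ties it to the version field it is meant to guard. Consider dropping the version number and pointing at https://wiki.mozilla.org/NSS:Release_Versions (already cited in the nss-rapid comment in this patch), and placing the comment beside the line where the nss version is set so that whoever edits that line sees it. The blank line between the comment and the definition also detaches it from the form it documents.
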
@@ -303,6 +305,71 @@  (define-public nss/fixed
                          (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
                        (format #t "test suite not run~%"))))))))))))
 
+;; nss-rapid tracks the rapid release channel.  Unless your package requires a
+;; newer version, you should prefer the `nss' package, which tracks the ESR
+;; channel.
+;;
+;; See https://wiki.mozilla.org/NSS:Release_Versions
+;; and https://wiki.mozilla.org/Rapid_Release_Model
+
+(define-public nss-rapid
+  (package
+   (inherit nss)
+   (name "nss-rapid")
+   (version "3.103")
+   (source (origin
+             (inherit (package-source nss))
+             (uri (let ((version-with-underscores
+                         (string-join (string-split version #\.) "_")))
+                    (string-append
+                     "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+                     "releases/NSS_" version-with-underscores "_RTM/src/"
+                     "nss-" version ".tar.gz")))
+             (sha256
+              (base32
+               "0qp9rs226rr6gh51b42cdbydr4mj80cli3bfqhh7bp3jyxbvcjkv"))))
+   (arguments
+    (substitute-keyword-arguments (package-arguments nss)
+      ((#:phases phases)
+       #~(modify-phases #$phases
+           (replace 'check
+             (lambda* (#:key tests? #:allow-other-keys)
+               (if tests?
+                   (begin
+                     ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+                     ;; testing.  The latter requires a working DNS or /etc/hosts.
+                     (setenv "DOMSUF" "localdomain")
+                     (setenv "USE_IP" "TRUE")
+                     (setenv "IP_ADDRESS" "127.0.0.1")
+
+                     ;; This specific test is looking at performance "now
+                     ;; verify that we can quickly dump a database", and
+                     ;; we're not testing performance here (especially
+                     ;; since we're using faketime), so raise the
+                     ;; threshold
+                     (substitute* "nss/tests/dbtests/dbtests.sh"
+                       ((" -lt 5") " -lt 50"))
+
+                     ;; Since the test suite is very lengthy, run the test
+                     ;; suite once, not thrice as done by default, by
+                     ;; selecting only the 'standard' cycle.
+                     (setenv "NSS_CYCLES" "standard")
+
+                     ;; The "PayPalEE.cert" certificate expires every six months,
+                     ;; leading to test failures:
+                     ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
+                     ;; work around that, set the time to roughly the release date.
+                     (invoke "faketime" "2024-08-17" "./nss/tests/all.sh"))
+                   (format #t "test suite not run~%"))))))))
+   (synopsis "Network Security Services (Rapid Release)")
+   (description
+    "Network Security Services (@dfn{NSS}) is a set of libraries designed to
+support cross-platform development of security-enabled client and server
+applications.  Applications built with NSS can support SSL v2 and v3, TLS,
+PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
+security standards.
+
+This package tracks the Rapid Release channel, which updates frequently.")))
 (define-public nsncd
   (package
     (name "nsncd")
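
Review bot: In the replaced 'check phase, the faketime date "2024-08-17" is a literal that has to be edited by hand on every bump of `(version "3.103")`; the comment above it says PayPalEE.cert expires every six months, so a version update that forgets the date risks test failures unrelated to the new release. Bind the date once next to the version, or at least note on the version line that the date must move with it, and consider whether the whole phase needs to be copied when the context lines show the same `(invoke "faketime" ... "./nss/tests/all.sh")` shape in nss/fixed with only the date differing. Two style points: the fields under `(package` are indented three spaces here where `nss` uses four, and the definition ends at `updates frequently.")))` with no blank line before `(define-public nsncd`.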