From: Ian Eure
Date: Mon, 9 Sep 2024 10:55:36 -0700
Subject: [bug#73152] [PATCH 3/6] gnu: Add make-nss.
To: 73152@debbugs.gnu.org
Message-ID: <20240909175540.8156-4-ian@retrospec.tv>
In-Reply-To: <20240909175540.8156-1-ian@retrospec.tv>
X-Patchwork-Submitter: Ian Eure
X-Patchwork-Id: 67829

* gnu/packages/nss.scm (make-nss): New variable.

NSS builds require time-shifting to their approximate release date to build repeatably, because it ships with test certificates which expire. To avoid duplicating the whole package definition between `nss' and `nss-rapid', move the bulk of the definition into `make-nss', which accepts a version, hash, and release date, allowing reuse between the two definitions.

Change-Id: Iaab1bb167ceed985a3dcde57f7fe35dce3deaa36
---
 gnu/packages/nss.scm | 166 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 166 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 60b4b34d4e..b51bebda3d 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm
@@ -94,6 +94,172 @@ (define-public nspr in the Mozilla clients.") (license license:mpl2.0))) +(define* (make-nss #:key version release-date hash) + (package + (name "nss") + ;; IMPORTANT: Also update and test the nss-certs package, which duplicates + ;; version and source to avoid a top-level variable reference & module + ;; cycle. + (version version) + (source + (origin + (method url-fetch) + (uri (let ((version-with-underscores + (string-join (string-split version #\.) "_"))) + (string-append + "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" + "releases/NSS_" version-with-underscores "_RTM/src/" + "nss-" version ".tar.gz"))) + (sha256 + (base32 hash)) + ;; Create nss.pc and nss-config. + (patches (search-patches "nss-3.56-pkgconfig.patch" + "nss-getcwd-nonnull.patch" + "nss-increase-test-timeout.patch")) + (modules '((guix build utils))) + (snippet + '(begin + ;; Delete the bundled copy of these libraries. + (delete-file-recursively "nss/lib/zlib") + (delete-file-recursively "nss/lib/sqlite"))))) + (build-system gnu-build-system) + (outputs '("out" "bin")) + (arguments + (list + #:make-flags + #~(let ((rpath (string-append "-Wl,-rpath=" #$output "/lib/nss"))) + (list "-C" "nss" + (string-append "PREFIX=" #$output) + "NSDISTMODE=copy" + "NSS_USE_SYSTEM_SQLITE=1" + ;; The gtests fail to compile on riscv64. + ;; Skipping them doesn't affect the test suite. + #$@(if (target-riscv64?) + #~("NSS_DISABLE_GTESTS=1") + #~()) + ;; Ensure we are building for the (%current-target-system). + #$@(if (%current-target-system) + #~((string-append + "OS_TEST=" + (string-take #$(%current-target-system) + (string-index #$(%current-target-system) #\-))) + (string-append + "KERNEL=" (cond (#$(target-hurd?) "gnu") + (#$(target-linux?) "linux") + (else "")))) + #~()) + #$@(if (%current-target-system) + #~("CROSS_COMPILE=1") + #~()) + (string-append "NSPR_INCLUDE_DIR=" + (search-input-directory %build-inputs + "include/nspr")) + ;; Add $out/lib/nss to RPATH. 
+ (string-append "RPATH=" rpath) + (string-append "LDFLAGS=" rpath))) + #:modules '((guix build gnu-build-system) + (guix build utils) + (ice-9 ftw) + (ice-9 match) + (srfi srfi-26)) + #:tests? (not (or (%current-target-system) + ;; Tests take more than 30 hours on some architectures. + (target-riscv64?) + (target-ppc32?))) + #:phases + #~(modify-phases %standard-phases + (replace 'configure + (lambda _ + (setenv "CC" #$(cc-for-target)) + (setenv "CCC" #$(cxx-for-target)) + (setenv "NATIVE_CC" "gcc") + ;; No VSX on powerpc-linux. + #$@(if (target-ppc32?) + #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1")) + #~()) + ;; Tells NSS to build for the 64-bit ABI if we are 64-bit system. + #$@(if (target-64bit?) + #~((setenv "USE_64" "1")) + #~()))) + (replace 'check + (lambda* (#:key tests? #:allow-other-keys) + (if tests? + (begin + ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for + ;; testing. The latter requires a working DNS or /etc/hosts. + (setenv "DOMSUF" "localdomain") + (setenv "USE_IP" "TRUE") + (setenv "IP_ADDRESS" "127.0.0.1") + + ;; This specific test is looking at performance "now + ;; verify that we can quickly dump a database", and + ;; we're not testing performance here (especially + ;; since we're using faketime), so raise the + ;; threshold + (substitute* "nss/tests/dbtests/dbtests.sh" + ((" -lt 5") " -lt 50")) + + ;; Since the test suite is very lengthy, run the test + ;; suite once, not thrice as done by default, by + ;; selecting only the 'standard' cycle. + (setenv "NSS_CYCLES" "standard") + + #$@(if (target-64bit?) + '() + ;; The script fails to determine the source + ;; directory when running under 'datefudge' (see + ;; ). Help it. + #~((substitute* "nss/tests/gtests/gtests.sh" + (("SOURCE_DIR=.*") + (string-append "SOURCE_DIR=" (getcwd) "/nss\n"))))) + + ;; The "PayPalEE.cert" certificate expires every six months, + ;; leading to test failures: + ;; . To + ;; work around that, set the time to roughly the release date. 
+ (invoke #$(if (target-64bit?) "faketime" "datefudge") + #$release-date "./nss/tests/all.sh")) + (format #t "test suite not run~%")))) + (replace 'install + (lambda* (#:key outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (bin (string-append (assoc-ref outputs "bin") "/bin")) + (inc (string-append out "/include/nss")) + (lib (string-append out "/lib/nss")) + (obj (match (scandir "dist" (cut string-suffix? "OBJ" <>)) + ((obj) (string-append "dist/" obj))))) + ;; Install nss-config to $out/bin. + (install-file (string-append obj "/bin/nss-config") + (string-append out "/bin")) + (delete-file (string-append obj "/bin/nss-config")) + ;; Install nss.pc to $out/lib/pkgconfig. + (install-file (string-append obj "/lib/pkgconfig/nss.pc") + (string-append out "/lib/pkgconfig")) + (delete-file (string-append obj "/lib/pkgconfig/nss.pc")) + (rmdir (string-append obj "/lib/pkgconfig")) + ;; Install other files. + (copy-recursively "dist/public/nss" inc) + (copy-recursively (string-append obj "/bin") bin) + (copy-recursively (string-append obj "/lib") lib))))))) + (inputs (list sqlite zlib)) + (propagated-inputs (list nspr)) ;required by nss.pc. + (native-inputs (list perl ;for tests + (if (target-64bit?) libfaketime datefudge) + which)) + + ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when + ;; another build is happening concurrently on the same machine. + (properties '((timeout . 216000))) ;60 hours + + (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS") + (synopsis "Network Security Services") + (description + "Network Security Services (@dfn{NSS}) is a set of libraries designed to +support cross-platform development of security-enabled client and server +applications. Applications built with NSS can support SSL v2 and v3, TLS, +PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other +security standards.") + (license license:mpl2.0))) ;; nss should track ESRs, but currently doesn't. 
3.102.1 is the current ESR.
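
Review bot: the signature (define* (make-nss #:key version release-date hash) ...) takes all three arguments as keywords with no defaults, no docstring and no check, and release-date is consumed only in the check phase, in (invoke ... #$release-date "./nss/tests/all.sh"). A caller that omits it leaves the value as #f, which would surface only when the test phase starts, after the whole build has run. Consider adding a docstring that states the date format expected by both faketime and datefudge, and raising an error up front when version, release-date or hash is missing. Two smaller points in the same hunk: the "IMPORTANT: Also update and test the nss-certs package" comment now sits in a procedure shared by nss and nss-rapid, so it no longer says which caller's version nss-certs has to follow, and it would read more accurately next to the nss definition; and the patches list (nss-3.56-pkgconfig.patch and the two others) is fixed while version is a parameter, so it is worth confirming that all three apply to every version the procedure will be called with.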