nss: make reproducible #102156

Merged
merged 1 commit into from Oct 31, 2020

Conversation

@zimbatm (Member) commented Oct 30, 2020

According to
https://hg.mozilla.org/projects/nss/file/c1fad130dce2081a5d6ce9f539c72d999f59afce/build.sh#l129
the FIPS mode is not enabled by default. Yet we generate the .chk files
that are only meant to be used for that mode. I have a sense that those
have been cargo-culted around.

Adding FIPS is still possible but you have to explicitly build the lib
with `pkgs.nss.override { enableFIPS = true; }`

More info on what FIPS is:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6

Other distros wrangling with the same issue:
https://bugzilla.opensuse.org/show_bug.cgi?id=1081723

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@zimbatm zimbatm requested review from ajs124 and illegalprime Oct 30, 2020
@zimbatm (Member, Author) commented Oct 30, 2020

currently building Firefox to test

@zimbatm zimbatm force-pushed the zimbatm:nss-r13y branch from c2ed3ee to 9cce7bc Oct 30, 2020
@zimbatm zimbatm requested a review from aszlig Oct 31, 2020
@aszlig
aszlig approved these changes Oct 31, 2020
@zimbatm zimbatm merged commit 8f2be9a into NixOS:staging Oct 31, 2020
19 of 20 checks passed

  • ofborg: nss, nss.passthru.tests on x86_64-darwin
  • ofborg: nss, nss.passthru.tests on aarch64-linux: Failure
  • ofborg: nss, nss.passthru.tests on x86_64-linux: Failure
@zimbatm zimbatm deleted the zimbatm:nss-r13y branch Oct 31, 2020
@flokli flokli mentioned this pull request Nov 1, 2020
@flokli (Contributor) commented Nov 1, 2020

This seems to have broken the build, according to my bisect:

```
git bisect bad
8f2be9ac36081fd1e9b2395e1662a5189bf917fb is the first bad commit
commit 8f2be9ac36081fd1e9b2395e1662a5189bf917fb
Author: zimbatm <zimbatm@zimbatm.com>
Date:   Sat Oct 31 21:17:26 2020 +0100

    nss: make reproducible (#102156)
    
    According to
    https://hg.mozilla.org/projects/nss/file/c1fad130dce2081a5d6ce9f539c72d999f59afce/build.sh#l129
    the FIPS mode is not enabled by default. Yet we generate the .chk files
    that are only meant to be used for that mode. I have a sense that those
    have been cargo-culted around.
    
    Adding FIPS is still possible but you have to explictily build the lib
    with `pkgs.nss.override { enableFIPS = true; }`
    
    More info on what FIPS is:
    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
    
    Other distros wrangling with the same issue:
    https://bugzilla.opensuse.org/show_bug.cgi?id=1081723

 pkgs/development/libraries/nss/default.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

git bisect start
# bad: [b7ef4d7ddaf553b06329bfebd056f4765ff2de27] Merge pull request #102359 from mweinelt/openldap
git bisect bad b7ef4d7ddaf553b06329bfebd056f4765ff2de27
# good: [26d3fbf21563c52f124551eb60dec5ea17ade8fa] Merge pull request #102310 from r-ryantm/auto-update/git-gone
git bisect good 26d3fbf21563c52f124551eb60dec5ea17ade8fa
# good: [06929e3f286118783e59fbf7e8ac71124f5048b7] gnome3.gpaste: 3.36.3 → 3.38.2
git bisect good 06929e3f286118783e59fbf7e8ac71124f5048b7
# good: [6456e24d570728bc81fa8b070c5e34f83c7425f0] systemd: nixpkgs-fmt
git bisect good 6456e24d570728bc81fa8b070c5e34f83c7425f0
# bad: [b9222f51583f0553229d37ad0aeee1f7822ef656] python3Packages.hidapi: 0.9.0.post3 -> 0.10.0
git bisect bad b9222f51583f0553229d37ad0aeee1f7822ef656
# good: [dfe9e0e4584de3392311947053100898aea92cab] pango: build with libthai
git bisect good dfe9e0e4584de3392311947053100898aea92cab
# good: [7a8d5dc8a676a528186ea0f2ece97e832d784562] Merge master into staging-next
git bisect good 7a8d5dc8a676a528186ea0f2ece97e832d784562
# bad: [b57adad0851ee7171676cfc168518fa23418d265] Merge pull request #101673 from r-ryantm/auto-update/libndctl
git bisect bad b57adad0851ee7171676cfc168518fa23418d265
# bad: [6cc483b6c23821158c0f9310b6f5bacd9d3bfa58] autogen: make reproducible (#102280)
git bisect bad 6cc483b6c23821158c0f9310b6f5bacd9d3bfa58
# bad: [c409f694807e8cd16db8e2affb630073c1aadc48] pythonPackages.pip: make reproducible (#102222)
git bisect bad c409f694807e8cd16db8e2affb630073c1aadc48
# bad: [8f2be9ac36081fd1e9b2395e1662a5189bf917fb] nss: make reproducible (#102156)
git bisect bad 8f2be9ac36081fd1e9b2395e1662a5189bf917fb
# first bad commit: [8f2be9ac36081fd1e9b2395e1662a5189bf917fb] nss: make reproducible (#102156)
```

I did a `nix-build -A nss` to bisect this.

@flokli (Contributor) commented Nov 1, 2020

Build log:

```
builder for '/nix/store/kp7rvh60gki5850a0q65yggg8k6mqb42-nss-3.57.drv' failed with exit code 1; last 10 log lines:
  shrinking RPATHs of ELF executables and libraries in /nix/store/31d3a37mhgi3mvwmk7455rzpd9yfj1gq-nss-3.57-dev
  strip is /nix/store/bnjps68g8ax6abzvys2xpx12imrx8949-binutils-2.31.1/bin/strip
  stripping (with command strip and flags -S) in /nix/store/31d3a37mhgi3mvwmk7455rzpd9yfj1gq-nss-3.57-dev/lib
  patching script interpreter paths in /nix/store/31d3a37mhgi3mvwmk7455rzpd9yfj1gq-nss-3.57-dev
  checking for references to /build/ in /nix/store/31d3a37mhgi3mvwmk7455rzpd9yfj1gq-nss-3.57-dev...
  find: '/nix/store/nv8ki9vpj2x6n4wsf6a0jpwcwvi7gpwl-nss-3.57-tools': No such file or directory
  strip is /nix/store/bnjps68g8ax6abzvys2xpx12imrx8949-binutils-2.31.1/bin/strip
  moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
  Generate a DSA key pair ...
  /nix/store/209pnrqmwdf49ybrkk3j64zbi3kvq7nj-nss-3.57/lib/lib.so: -5950: File not found
```

@zimbatm zimbatm mentioned this pull request Nov 2, 2020
flokli pushed a commit that referenced this pull request Nov 2, 2020
Fixes a precedence issue from fe9f559

`lib.optionalString <cond> 'text' + 'text2'` will always have 'text2' as
part of the result.
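To make the precedence point in that follow-up commit concrete, here is an added Nix example; it is not code from PR #102156 or from nixpkgs. `optionalString` is reimplemented inline with the same semantics as `lib.optionalString` so the file evaluates without a nixpkgs checkout, and `enableFIPS` is a constructed flag standing in for whatever condition the real derivation gated on.

```nix
# Added example, not part of PR #102156 or nixpkgs.
# Function application binds tighter than `+` in Nix, so
#   optionalString cond "a" + "b"
# parses as (optionalString cond "a") + "b", and "b" is always present.
let
  # Same semantics as lib.optionalString; defined inline so this file
  # evaluates stand-alone.
  optionalString = cond: str: if cond then str else "";

  # Constructed flag (assumption), standing in for the real condition.
  enableFIPS = false;

  # Buggy form: "b" is concatenated regardless of enableFIPS.
  buggy = optionalString enableFIPS "a" + "b";

  # Fixed form: parenthesise the argument so both parts are gated.
  fixed = optionalString enableFIPS ("a" + "b");
in
{
  inherit enableFIPS buggy fixed;
  # true when the two forms diverge, i.e. when the precedence bug bites.
  bugPresent = buggy != fixed;
}
```

Evaluate it with `nix-instantiate --eval --strict example.nix`. With `enableFIPS = false`, `buggy` evaluates to `"b"` while `fixed` evaluates to the empty string, which is exactly the class of mistake the commit message describes: text that was meant to be conditional is emitted unconditionally, so a review of `optionalString` call sites should check that everything intended to be gated sits inside the parenthesised argument.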