nss: 3.52.1 -> 3.54 #91746

Merged
merged 2 commits into from Jul 17, 2020

ajs124 commented Jun 29, 2020

Motivation for this change

This has been out for a bit and the Firefox release due tomorrow requires 3.53+.
As noted in #89438, there are some issues with this update. They were most likely introduced in nss-dev/nss@eee8f82.

Looking at how we're building this, I noticed that we're using the legacy build system.
The new one depends on gyp, which depends on python2. That's not great, but at least it works.

The patches are commented out, because with them it fails.

cc @andir @vcunat

TODO
  • test if anything besides compiling works
  • fix patches
  • test cross compiling
  • test darwin

vcunat commented Jun 29, 2020

Unfortunately this is currently based on a staging commit where firefox fails to build with:

/nix/store/c9lv38avybpz0laav8dy3455bpnamqqk-stdenv-linux/setup: line 100: /nix/store/r322iwc2b61r53rgdxw8l9d4hgwhzcbi-gcc-wrapper-9.3.0/nix-support/libcxx-cxxflags: No such file or directory

EDIT: cross-ref: #85189 (comment) (solved)

ajs124 mentioned this pull request Jul 2, 2020
ajs124 force-pushed the helsinki-systems:upd/nss-3.54 branch from 555ceb1 to 7335598 Jul 2, 2020
vcunat mentioned this pull request Jul 2, 2020
ajs124 marked this pull request as ready for review Jul 2, 2020

vcunat commented Jul 3, 2020

For now I just tried building these atop current staging-next (x86_64 NixOS). Firefox 77 and 78 (#92043) both started up and showed some pages OK.

vcunat mentioned this pull request Jul 5, 2020
vcunat approved these changes Jul 5, 2020

vcunat left a comment

I see no issue with this. EDIT: looked at upstream release notes, too.

ajs124 marked this pull request as draft Jul 5, 2020
ajs124 force-pushed the helsinki-systems:upd/nss-3.54 branch 2 times, most recently from ccc22cc to e152e55 Jul 5, 2020

ajs124 commented Jul 5, 2020

There's another instance of patching .mk files, in postPatch. That's darwin specific though and I don't have any 🍎 hardware.

Also: we might not want to merge this as is, because it will break at least firefox-esr-68, see #92043.


vcunat commented Jul 5, 2020

The errors seem to be about some changes in C++ class inheritance:

In file included from /build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:11,
                 from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/build/firefox-68.10.0/security/certverifier/NSSCertDBTrustDomain.h:191:18: error: 'virtual mozilla::psm::NSSCe
  191 |   virtual Result CheckRevocation(
      |                  ^~~~~~~~~~~~~~~
In file included from /build/firefox-68.10.0/security/apps/AppTrustDomain.h:10,
                 from /build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:9,
                 from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/nix/store/d1z0ywdpfygvsbi35ngyc47fz5ddzc1d-nss-3.54-dev/include/nss/mozpkix/pkixtypes.h:279:18: warning: 'virt
  279 |   virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
      |                  ^~~~~~~~~~~~~~~
In file included from /build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:11,
                 from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/build/firefox-68.10.0/security/certverifier/NSSCertDBTrustDomain.h:191:18: warning:   by 'virtual mozilla::psm
  191 |   virtual Result CheckRevocation(
      |                  ^~~~~~~~~~~~~~~
In file included from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp: In function 'nsresult {anonymous}::VerifyCer
/build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:628:18: error: cannot declare variable 'trust
  628 |   AppTrustDomain trustDomain(builtChain, nullptr);
      |                  ^~~~~~~~~~~

vcunat commented Jul 5, 2020

If they planned full compatibility, I wouldn't see a reason for this line in there:

NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR.

Perhaps we'll (eventually) be forced to use different NSS versions for ESR and non-ESR :-/

jtojnar mentioned this pull request Jul 5, 2020

ajs124 commented Jul 6, 2020

I also tested 3.53.1, the current LTS release, but 68esr (which is still supported for at least one release, I think?) doesn't compile with that, either.
So what are the options here? Duplicate NSS? Drop 68esr before upstream does? If you're running master/unstable you're probably not running a firefox ESR and it'll have to be dropped by 20.09 anyways.


ajs124 commented Jul 9, 2020

I asked upstream and they said the "intended" version for ESR 68 is 3.44.4. They also opened this issue https://bugzilla.mozilla.org/show_bug.cgi?id=1651505

I don't feel like I'm in the position to make a decision on if we should have two versions of NSS, drop ESR 68 or whatever else to do, so I'll probably have to leave this as is, for now.


vcunat commented Jul 12, 2020

@GrahamcOfBorg build nss
(let's try darwin)


vcunat commented Jul 12, 2020

Cross gets broken by this PR 😞 I tried usual x86_64 -> armv7l. First issue with wrong python2 is fixed by switching to buildPackages.python2. After that it won't work due to the build system passing -m64 to the compiler.


vcunat commented Jul 12, 2020

As for firefox-esr, bringing back extra nss_3_44 attribute isn't hard, so I'd go that way (I tested the build locally).

ajs124 force-pushed the helsinki-systems:upd/nss-3.54 branch from e152e55 to 76ce35a Jul 13, 2020

ajs124 commented Jul 13, 2020

> Cross gets broken by this PR 😞 I tried usual x86_64 -> armv7l. First issue with wrong python2 is fixed by switching to buildPackages.python2. After that it won't work due to the build system passing -m64 to the compiler.

Yeah, turns out I didn't remember how nixpkgs uses "host"…

It still fails like this, though:

  [287/833] if [ ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -o ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ]; then armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/f
reebl/freebl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rs
p && { armv6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -
f1-2 -d' '; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; else armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/freebl/freebl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4
p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rsp && { armv6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-l
inux-gnueabihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -f1-2 -d' '; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.
tmp && if ! cmp -s /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; then mv /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnuea
bihf/lib/libfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ; fi; fi
  FAILED: /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC 
  if [ ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -o ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ]; then armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/freebl/free
bl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rsp && { arm
v6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -f1-2 -d' '
; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; else armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/freebl/freebl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb
8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rsp && { armv6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnuea
bihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -f1-2 -d' '; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp && if 
! cmp -s /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; then mv /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/l
ibfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ; fi; fi
  /nix/store/357bnhz05gbfvhih538fx19f7hbx76h3-armv6l-unknown-linux-gnueabihf-binutils-2.31.1/bin/armv6l-unknown-linux-gnueabihf-ld:obj/lib/freebl/freebl3.gen/out.freebl_hash.def:0: syntax error in VERSION script
  collect2: error: ld returned 1 exit status
  ninja: build stopped: subcommand failed.
ajs124 marked this pull request as ready for review Jul 15, 2020
ajs124 marked this pull request as draft Jul 15, 2020
ajs124 force-pushed the helsinki-systems:upd/nss-3.54 branch from 76ce35a to 487373f Jul 15, 2020

ajs124 commented Jul 15, 2020

@vcunat cross compilation should work now. I've asked upstream what's up with them trying to run a target (or build in nixpkgs terms) binary during build.


dasJ commented Jul 15, 2020

@GrahamcOfBorg build nss


flokli commented Jul 17, 2020

@GrahamcOfBorg build nss


flokli commented Jul 17, 2020

The darwin builders seem stuck again.

Let's merge this into staging; if it breaks the darwin build, it can still be fixed during the staging cycle.

ajs124 marked this pull request as ready for review Jul 17, 2020
flokli merged commit ab1cbc8 into NixOS:staging Jul 17, 2020
19 of 20 checks passed
ajs124 deleted the helsinki-systems:upd/nss-3.54 branch Jul 17, 2020
vcunat added a commit that referenced this pull request Jul 19, 2020
/cc nss PR #91746

vcunat commented Jul 20, 2020

Well, darwin is broken: https://hydra.nixos.org/build/124134212

vcunat added a commit that referenced this pull request Jul 21, 2020
/cc nss PR #91746