Package: src:nettle
Version: 3.9.1-2
Tags: patch

In Message-ID: cpffs17kwvd....@shipon.lysator.liu.se on the nettle-bugs mailing list, Niels Möller observed some new tests to identify side-channel silence that depend on valgrind, but their CI is only running on x86-64.

It looks to me like none of the valgrind tests are being run during build on the Debian buildd network. It could help the upstream project to get verified valgrind results.

The attached patch runs the valgrind tests during build, but I also note that it causes a build failure on amd64 platforms, because of what appears to be data-dependent branching during RSA decryption. I've raised that concern on the upstream nettle-bugs mailing list (and Cc'ed Magnus) to try to figure out what we should do to avoid this negative result.

So it's probably not safe yet to just apply this patch unilaterally (at least not in unstable -- maybe in experimental for now to get records from the various build daemons that build experimental?)

But the fact that there is a negative result which the current build process doesn't catch suggests that we should probably be running the tests in more detail.

--dkg

commit 036e3794b169f8b0bfe306bc6db1ac47d9527da7 Author: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Wed Nov 15 12:45:19 2023 -0500 Run tests under valgrind during build diff --git a/debian/control b/debian/control index ce51f75b..c16150b5 100644 --- a/debian/control +++ b/debian/control @@ -8,6 +8,7 @@ Build-Depends: libgmp-dev, m4, texinfo, + valgrind <!nocheck>, Standards-Version: 4.6.2 Vcs-Git: https://salsa.debian.org/holmgren/nettle.git Vcs-Browser: https://salsa.debian.org/holmgren/nettle diff --git a/debian/rules b/debian/rules index 3a59ce2b..ff708b22 100755 --- a/debian/rules +++ b/debian/rules @@ -11,3 +11,6 @@ override_dh_installdocs: override_dh_auto_configure: dh_auto_configure -- --enable-fat + +execute_after_dh_auto_test: + dh_auto_test -- EMULATOR='$$(VALGRIND)'
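
Review bot: The new `valgrind <!nocheck>,` entry in the debian/control hunk carries a build-profile restriction but no architecture restriction, so it becomes a hard build dependency on every architecture where the tests are run. If valgrind is not installable on one of the architectures this package builds for, the dependency cannot be satisfied there and the build never starts. Consider adding an architecture list to this entry and making the valgrind run in debian/rules conditional on the same set.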
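
Review bot: The `execute_after_dh_auto_test` target in the debian/rules hunk is undocumented on two points that a later maintainer will need. First, `EMULATOR='$$(VALGRIND)'` passes the literal text `$(VALGRIND)` through to the upstream make invocation, so the run depends on the upstream test makefile defining `VALGRIND`; a one-line comment saying so would prevent someone from "fixing" the quoting. Second, this is a second full `dh_auto_test` pass after the default one, and any valgrind finding fails the build. If one pass is enough, an `override_dh_auto_test` would avoid running the suite twice, and it is worth deciding explicitly whether a valgrind failure should be fatal or only logged while the upstream question is open.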