Package: src:nettle
Version: 3.9.1-2
Tags: patch

In Message-ID: cpffs17kwvd....@shipon.lysator.liu.se on the nettle-bugs
mailing list, Niels Möller observed some new tests to identify
side-channel silence that depend on valgrind, but their CI is only
running on x86-64.

It looks to me like none of the valgrind tests are being run during
build on the Debian buildd network.  It could help the upstream project
to get verified valgrind results.

The attached patch runs the valgrind tests during build, but I also note
that it causes a build failure on amd64 platforms, because of what
appears to be data-dependent branching during RSA decryption.  I've
raised that concern on the upstream nettle-bugs mailing list (and Cc'ed
Magnus) to try to figure out what we should do to avoid this negative
result.  So it's probably not safe yet to just apply this patch
unilaterally (at least not in unstable -- maybe in experimental for now
to get records from the various build daemons that build experimental?)

But the fact that there is a negative result which the current build
process doesn't catch suggests that we should probably be running the
tests in more detail.

      --dkg

commit 036e3794b169f8b0bfe306bc6db1ac47d9527da7
Author: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date:   Wed Nov 15 12:45:19 2023 -0500

    Run tests under valgrind during build

diff --git a/debian/control b/debian/control
index ce51f75b..c16150b5 100644
--- a/debian/control
+++ b/debian/control
@@ -8,6 +8,7 @@ Build-Depends:
  libgmp-dev,
  m4,
  texinfo,
+ valgrind <!nocheck>,
 Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/holmgren/nettle.git
 Vcs-Browser: https://salsa.debian.org/holmgren/nettle
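
Review bot: the added ` valgrind <!nocheck>,` entry in Build-Depends has no architecture qualifier, so on any architecture where valgrind is not installable the build dependency cannot be satisfied and the package will not build there at all. Since the stated goal is to collect results from more build daemons, consider restricting the dependency to the architectures that ship valgrind (an architecture list in brackets before the `<!nocheck>` profile) and having debian/rules skip the valgrind run when the tool is absent.
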
diff --git a/debian/rules b/debian/rules
index 3a59ce2b..ff708b22 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,3 +11,6 @@ override_dh_installdocs:
 
 override_dh_auto_configure:
 	dh_auto_configure -- --enable-fat
+
+execute_after_dh_auto_test:
+	dh_auto_test -- EMULATOR='$$(VALGRIND)'
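
Review bot: at `execute_after_dh_auto_test`, the recipe runs the whole suite a second time under valgrind after the normal dh_auto_test pass, and a non-zero exit from that second run fails the build, which the report says already happens on amd64. Until the RSA decryption finding is resolved upstream, consider making this second run non-fatal or limiting it to experimental uploads, so the valgrind output still lands in the build log. A short comment in debian/rules explaining that `$$(VALGRIND)` is escaped so that it is expanded by the make that runs the tests, not by debian/rules itself, would also help the next maintainer.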
