bug#62890: Specific graft that's at fault

2024-05-02 Thread Richard Sent
Hi Guix!

The issue is likely caused by the glibc/fixed graft in (gnu packages
base). When this graft is removed, the path discussed earlier is
coherent. Other grafts do not appear relevant.

--8<---cut here---start->8---
Building stumpwm
(("/gnu/store/w2jw4s7dnw0yfsp5125dpxiyz6lp7v3w-stumpwm-22.11-lib/share/common-lisp/sbcl/stumpwm"
  :**/
  :*.*.*)
 
("/gnu/store/w2jw4s7dnw0yfsp5125dpxiyz6lp7v3w-stumpwm-22.11-lib/lib/common-lisp/sbcl/stumpwm"
  :**/
  :*.*.*))

(:tree 
"/gnu/store/w2jw4s7dnw0yfsp5125dpxiyz6lp7v3w-stumpwm-22.11-lib/share/common-lisp/sbcl/stumpwm")

Building sbcl-stumpwm-cpu
(("/gnu/store/w2jw4s7dnw0yfsp5125dpxiyz6lp7v3w-stumpwm-22.11-lib/share/common-lisp/sbcl/stumpwm"
  :**/
  :*.*.*)
 
("/gnu/store/w2jw4s7dnw0yfsp5125dpxiyz6lp7v3w-stumpwm-22.11-lib/lib/common-lisp/sbcl/stumpwm"
  :**/
  :*.*.*))

(:tree 
"/gnu/store/w2jw4s7dnw0yfsp5125dpxiyz6lp7v3w-stumpwm-22.11-lib/share/common-lisp/sbcl/stumpwm")
--8<---cut here---end--->8---

Unfortunately stumpwm currently doesn't build on core-updates so I can't
check if the discrepancy would occur there where glibc isn't grafted.

How exactly does that graft cause the problem? No clue.

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.





bug#70678: guix pull failed on commit 43a4215cad8c6da357f895569c0cedf5e854cee0

2024-05-02 Thread francismb via Bug reports for GNU Guix

Dear Maintainers,
here on "guix commit: 5010a51fc91aeac5a3b87a3eea04f18f3fe8a3a3",
being able to pull and upgrade (no "guix pull: error: You found a bug").

Regards
Francis






bug#70663: nss@3.99 is really hard to build

2024-05-02 Thread Christina O'Donnell

Hi,

On 01/05/2024 18:14, Christopher Baines wrote:

Maxim Cournoyer  writes:


Hi Chris,

Christopher Baines  writes:


nss@3.99 is really hard to build, it's so hard and so important that
data.guix.gnu.org is still after two days trying to process [1]. I say
so important because you have to build nss@3.99 to compute the channel
instance derivations for Guix.

I agree that the nss test suite takes a ridiculous amount of time to run
(multiple hours on a fast machine IIRC).  Are we missing a '--fast' test
flag or something to make it run in a more reasonable amount of time?

I did read some of the all.sh script used for the tests and there are
some environment variables you can set here:

   https://github.com/nss-dev/nss/blob/master/tests/all.sh#L70-L82

It seems like there are 4 "cycles", maybe we could just run the standard
cycle or at least check how long they each take.


On my machine building natively on x86_64 I was getting approximately 63 
mins for a full test and 20 mins for just the 'standard' 'cycle'. My 
vote would be to just run 'standard' since that runs all of the tests once.


I can profile individual tests if needed to see if there's any that are 
particularly worth culling, but just the above change is an easy win 
without sacrificing too much test coverage.


Kind regards,

Christina






bug#40316: nss not reproducible

2024-05-02 Thread Christina O'Donnell

Hi Ludo',

This doesn't look directly related. I haven't seen anything like this 
occur when I build it.


Tangentially, given how long nss takes to build, do you think that it'd 
be worth shaving it down to a single test pass? Currently it runs each 
test up to 3 times, which takes ~1h on my machine with no other build 
running. Running only the standard pass takes 2.5-3x less time, which is 
a huge quality of life improvement.


Kind regards,

Christina

On 02/05/2024 09:15, Ludovic Courtès wrote:

Hi Christina,

Nice work!

Christina O'Donnell  skribis:


I've got as far as making nss 3.98 reproducible, however updating it to 3.99
results in 51 test failures. These are regressions, and worked correctly for
3.98. I'm not entirely sure what the issue is, but I've run out of time to
debug it this week, so I'm sending this patch up as is.

Not sure if this is related, but we’re seeing test failures due to
timing issues right now with 3.98:

   https://issues.guix.gnu.org/70693

Thank you!

Ludo’.






bug#40316: [PATCH v4 5/5] gnu: nss: Make reproducible.

2024-05-02 Thread Christina O'Donnell
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is
inherently non-deterministic. This removes all non-determinism from this package.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1
---
 gnu/packages/nss.scm  |  4 ++-
 .../nss-define-NSS_FIPS_DISABLED.patch| 29 
 .../patches/nss-disable-shlibsign.patch   | 33 +++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
 create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..ecc1c5156b 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,9 @@ (define-public nss
   ;; Create nss.pc and nss-config.
   (patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
-   "nss-increase-test-timeout.patch"))
+   "nss-increase-test-timeout.patch"
+   "nss-disable-shlibsign.patch"
+   "nss-define-NSS_FIPS_DISABLED.patch"))
   (modules '((guix build utils)))
   (snippet
'(begin
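Review bot: The two names added to the patches list, "nss-disable-shlibsign.patch" and "nss-define-NSS_FIPS_DISABLED.patch", are new files, yet the diffstat lists only gnu/packages/nss.scm and the two patch files, so gnu/local.mk is not touched. New patches need an entry in dist_patch_DATA there, otherwise they are missing from release tarballs. The commit log should also name both new files, and the four Change-Id trailers should be reduced to one.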
diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch 
b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
new file mode 100644
index 00..40ac66e365
--- /dev/null
+++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
@@ -0,0 +1,29 @@
+From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001
+Message-ID: 

+From: Christina O'Donnell 
+Date: Thu, 2 May 2024 12:34:40 +0100
+Subject: [PATCH] Define NSS_FIPS_DISABLED.
+
+Disable FIPS as it depends on shlibsign which is non-deterministic.
+---
+ nss/coreconf/config.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 741bbee..e02e5d2 100644
+--- a/nss/coreconf/config.mk
 b/nss/coreconf/config.mk
+@@ -215,7 +215,7 @@ endif
+ # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+-DEFINES += -DNSS_NO_INIT_SUPPORT
++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED
+ endif
+ 
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+
+base-commit: 490a62da7d23b579fab71a84e2107f414187738d
+-- 
+2.41.0
+
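Review bot: In the config.mk change, -DNSS_FIPS_DISABLED is appended to the DEFINES line that sits under the comment about NSS_NO_INIT_SUPPORT and inside the "ifndef NSS_FORCE_FIPS" block, so the new define is undocumented in the file and is dropped whenever NSS_FORCE_FIPS is set. Put it on its own DEFINES line with a comment saying that FIPS is turned off because the libraries are no longer signed by shlibsign, and state in the patch description that FIPS mode is not available in the resulting package.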
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch 
b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 00..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: 
<85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git@mutix.org>
+From: Christina O'Donnell 
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
 b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+-echo "${2}"/shlibsign -v -i "${5}"
+-"${2}"/shlibsign -v -i "${5}"
++# Disable lib signing as it generates its keys through a non-deterministic
++# process.
++# echo "${2}"/shlibsign -v -i "${5}"
++# "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+-- 
+2.41.0
+
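Review bot: With both shlibsign lines in sign.sh commented out, this branch of the case statement now does nothing and leaves no trace in the build log. Keep the hunk this small, but add an echo line saying that library signing is skipped, so that the absence of signatures can be seen from the log. The hunk header shows an earlier WIN*) branch; please confirm that no other branch of the case statement still runs shlibsign.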
-- 
2.41.0






bug#40316: [PATCH v4 4/5] gnu: nss-certs: Update to 3.99.

2024-05-02 Thread Christina O'Donnell
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.

Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
 gnu/packages/certs.scm | 24 +++-
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
 that was originally contributed to Debian.")
   (license license:isc
 
-(define-public nss-certs
+(define-public nss-certs-3.88.1
   (package
 (name "nss-certs")
 ;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
 (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS;)
 (license license:mpl2.0)))
 
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
   (package
-(inherit nss-certs)
-(version "3.98")
+(inherit nss-certs-3.88.1)
+(version "3.99")
 (source (origin
   (method url-fetch)
   (uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
   "nss-" version ".tar.gz")))
   (sha256
(base32
-"1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))
+"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+  ;; Create nss.pc and nss-config.
+  (patches (search-patches "nss-3.56-pkgconfig.patch"
+   "nss-getcwd-nonnull.patch"
+   "nss-increase-test-timeout.patch"
+   "nss-Disable-library-signing.patch"))
+  (modules '((guix build utils)))
+  (snippet
+   '(begin
+  ;; Delete the bundled copy of these libraries.
+  (delete-file-recursively "nss/lib/zlib")
+  (delete-file-recursively "nss/lib/sqlite")))
+
+(define-public nss-certs
+  nss-certs-3.99)
 
 (define-public le-certs
   (package
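Review bot: The sha256 set for nss-certs-3.99, "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7", is the value that patch 3/5 removes from nss together with version "3.88.1"; nss 3.99 gets "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw" there. Both packages fetch the same "nss-" version ".tar.gz" source, so this origin pairs version 3.99 with the 3.88.1 hash and should use the 3.99 one. The patches list in the same hunk also names "nss-Disable-library-signing.patch", which this series does not create (5/5 adds nss-disable-shlibsign.patch and nss-define-NSS_FIPS_DISABLED.patch).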
-- 
2.41.0






bug#40316: [PATCH v4 0/5] gnu: nss: Make reproducible.

2024-05-02 Thread Christina O'Donnell
This patch-set is a slight modification of the previous one with a single 
change:

In the last commit, I have removed the specification of test parameters that
previously reduced the number of tests. This wasn't justified in the commit
message and turned out to be unnecessary anyway.

Christina O'Donnell (3):
  gnu: nss: Update to 3.99.
  gnu: nss-certs: Update to 3.99.
  gnu: nss: Make reproducible.

Zheng Junjie (2):
  gnu: nss: Fix cross-compilation.
  gnu: nspr: Fix cross-compilation.

 gnu/packages/certs.scm| 24 +++---
 gnu/packages/nss.scm  | 22 ++---
 .../nss-define-NSS_FIPS_DISABLED.patch| 29 
 .../patches/nss-disable-shlibsign.patch   | 33 +++
 4 files changed, 98 insertions(+), 10 deletions(-)
 create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
 create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch


base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
-- 
2.41.0






bug#40316: [PATCH v4 2/5] gnu: nspr: Fix cross-compilation.

2024-05-02 Thread Christina O'Donnell
From: Zheng Junjie 

* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.

Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie 
---
 gnu/packages/nss.scm | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
   #~(list "--disable-static"
   "--enable-64bit"
   (string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+  #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
   ;; Use fixed timestamps for reproducibility.
   #:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
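Review bot: "HOST_CC=gcc" is added to the configure flags without a comment, while the make flags just below explain their purpose ("Use fixed timestamps for reproducibility"). Add a one-line comment saying what HOST_CC is needed for when cross-compiling, so the conditional is not removed by accident later.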
-- 
2.41.0






bug#40316: [PATCH v4 3/5] gnu: nss: Update to 3.99.

2024-05-02 Thread Christina O'Donnell
gnu/packages/nss.scm (nss): Update to 3.99.

Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
 gnu/packages/nss.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
 ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
 ;; version and source to avoid a top-level variable reference & module
 ;; cycle.
-(version "3.88.1")
+(version "3.99")
 (source (origin
   (method url-fetch)
   (uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
   "nss-" version ".tar.gz")))
   (sha256
(base32
-"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+"1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
   ;; Create nss.pc and nss-config.
   (patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
 ;; leading to test failures:
 ;; .  
To
 ;; work around that, set the time to roughly the release 
date.
-(invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+(invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
   (format #t "test suite not run~%"
   (replace 'install
 (lambda* (#:key outputs #:allow-other-keys)
-- 
2.41.0






bug#40316: [PATCH v4 1/5] gnu: nss: Fix cross-compilation.

2024-05-02 Thread Christina O'Donnell
From: Zheng Junjie 

* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.

Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie 
---
 gnu/packages/nss.scm | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
 (#$(target-linux?) "linux")
 (else ""
#~())
+#$@(if (%current-target-system)
+   #~("CROSS_COMPILE=1")
+   #~())
 (string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
 (lambda _
   (setenv "CC" #$(cc-for-target))
   (setenv "CCC" #$(cxx-for-target))
+  ;; TODO: Set this unconditionally
+  #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
   ;; No VSX on powerpc-linux.
   #$@(if (target-ppc32?)
  #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
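Review bot: The comment "TODO: Set this unconditionally" in the second hunk does not say why NATIVE_CC is set only when cross-compiling for now. State the reason in the comment, or set the variable unconditionally in this patch. The literal "gcc" also sits right next to the (cc-for-target) and (cxx-for-target) calls, so a word on why the native compiler name is fixed would help.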
-- 
2.41.0






bug#70717: uninformative guix deploy error

2024-05-02 Thread raingloom
No idea what causes this and the error is not very helpful.
`guix deploy deploy.scm` works
`guix deploy -x deploy.scm -- herd restart unipi` produces this error:
```
guix deploy: sending 0 store items (0 MiB) to 'localhost'...
Backtrace:
In ice-9/boot-9.scm:
  1752:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
  17 (apply-smob/0 #)
In ice-9/boot-9.scm:
724:2 16 (call-with-prompt _ _ #)
In ice-9/eval.scm:
619:8 15 (_ #(#(#)))
In guix/ui.scm:
   2324:7 14 (run-guix . _)
  2287:10 13 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1752:10 12 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
839:4 11 (call-with-status-report _ _)
In ice-9/boot-9.scm:
  1752:10 10 (with-exception-handler _ _ #:unwind? _ # _)
In guix/store.scm:
   661:37  9 (thunk)
   1300:8  8 (call-with-build-handler _ _)
   1300:8  7 (call-with-build-handler # …)
In guix/scripts/deploy.scm:
   274:23  6 (_)
In srfi/srfi-1.scm:
   460:18  5 (fold # …)
In guix/scripts/deploy.scm:
214:2  4 (_ #< operating-system: #< …> …)
In guix/store.scm:
  2180:25  3 (run-with-store # …)
In guix/remote.scm:
84:17  2 (_ _)
In ice-9/boot-9.scm:
  1685:16  1 (raise-exception _ #:continuable? _)
  1685:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
ERROR:
  1. :
  arguments: (unbound-variable #f "Unbound variable: ~S"
(#{\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0
;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\
x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;\x0;}#)
#f)
  inferior: #f
  stack: ()
```





bug#40316: [PATCH 3/6] gnu: nss: Make reproducible.

2024-05-02 Thread Christina O'Donnell

Hi Vagrant,

On 26/04/2024 23:58, Vagrant Cascadian wrote:

On 2024-04-26, Christina O'Donnell wrote:

gnu/packages/patches/nss-Disable-library-signing.patch: Disable library
signing to make the build reproducible.
gnu/packages/nss.scm (nss): Apply this new patch.

Nice!


I have reordered my commits to first update to 3.99, before making nss 
reproducible. The more


This is similar to the approach that Nix takes,  though Nix adds a 
parameter that enables FIPS and shlibsign again. Is it worth adding a 
parameter to re-enable FIPS?



diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch 
b/gnu/packages/patches/nss-Disable-library-signing.patch
new file mode 100644
index 000..b488d29dcad
--- /dev/null
+++ b/gnu/packages/patches/nss-Disable-library-signing.patch
@@ -0,0 +1,67 @@
+From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001
+Message-ID: 
<4734b834755822f962af29e9395daa7338084e21.1714059680.git@mutix.org>
+From: Christina O'Donnell 
+Date: Thu, 25 Apr 2024 16:35:50 +0100
+Subject: [PATCH] nss: Disable library signing.
+
+---
+ nss/cmd/shlibsign/Makefile | 32 +---
+ 1 file changed, 1 insertion(+), 31 deletions(-)

I think it would be good to explain why this patch is included, not just
in the git commit message, but in the patch comments itself. I realize
the patch actually includes a comment about non-determinism, but it is a
bit lost in the diff.

Okay I've added a description to the v3 patch.

Also, might be worth briefly explaining why disabling this feature is
unlikely to break anything, etc.


I was actually wrong about this on my v1 patch, that did break the 
FIPS tests. However disabling FIPS is what Nix does by default and all 
other tests pass without it.


I have noticed that Nix parameterizes on whether FIPS is enabled so 
users can re-enable FIPS if they need it for their use-cases. Is it 
worth doing something similar here, or would that add too much complexity?



Curious if there might be some way to leave most of the code in place,
disable it... otherwise on version updates it is more likely to result
in conflicts with even minor changes...


I've shrunk the patches to be a few lines each.

Kind regards,

Christina



live well,
   vagrant
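
The reproducibility problem discussed in this message, as an added example that is not part of the original thread and is not Guix or NSS code: two builds of identical library bytes are compared file by file, once with a signer that creates a new key on every run and once with signing skipped. The file names, the sample bytes and the HMAC-based signer are constructed stand-ins, not shlibsign's actual algorithm or output format.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_trees(first, second):
    """Return sorted relative paths that differ or exist in only one tree."""
    a, b = tree_digests(first), tree_digests(second)
    return sorted(path for path in a.keys() | b.keys() if a.get(path) != b.get(path))


def sign_with_fresh_key(data):
    """Stand-in for a signer that creates a new key on every run.

    Assumption for illustration only: HMAC-SHA256 under a random key is used
    because it needs nothing beyond the standard library. The point is that
    the key, and therefore the signature file, changes with every build.
    """
    key = os.urandom(32)
    return key + hmac.new(key, data, hashlib.sha256).digest()


# Constructed sample: the same "compiled" bytes come out of every build.
LIBRARY_BYTES = b"\x7fELF constructed stand-in for libsoftokn3.so"


def fake_build(out_dir, sign):
    """Write one library and, if sign is true, a signature file beside it."""
    lib_dir = Path(out_dir) / "lib"
    lib_dir.mkdir(parents=True)
    (lib_dir / "libsoftokn3.so").write_bytes(LIBRARY_BYTES)
    if sign:
        (lib_dir / "libsoftokn3.chk").write_bytes(sign_with_fresh_key(LIBRARY_BYTES))


def compare_two_builds(sign):
    """Build twice into fresh directories and list the files that differ."""
    with tempfile.TemporaryDirectory() as first, tempfile.TemporaryDirectory() as second:
        fake_build(first, sign)
        fake_build(second, sign)
        return diff_trees(first, second)


if __name__ == "__main__":
    print("signing enabled :", compare_two_builds(sign=True))
    print("signing disabled:", compare_two_builds(sign=False))
```

The same per-file comparison applied to two real build outputs narrows a reproducibility failure down to the files that carry the non-determinism.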






bug#40316: [PATCH v2 0/6] Attempt to make nss reproducible

2024-05-02 Thread Christina O'Donnell

Hi,

Please disregard my v2 patch. I now see where I went wrong and it's now 
working as expected on my machine.


I've sent an updated (v3) patch which builds successfully on x86_64, 
though I haven't yet tried cross-compiling or confirmed that it's still 
building reproducibly.


Sorry for the noise.

Christina

On 02/05/2024 12:00, Christina O'Donnell wrote:

This patch series is an incomplete attempt to make nss reproducible. Currently
this fails 4 tests due to NSS_FIPS_DISABLED not being respected.

Christina O'Donnell (4):
   gnu: nss: Update to 3.99.
   gnu: nss-certs: Update to 3.99.
   gnu: nss: Attempt to disable FIPS.
   gnu: nss: Disable FIPS in lowhashtest.

Zheng Junjie (2):
   gnu: nss: Fix cross-compilation.
   gnu: nspr: Fix cross-compilation.

  gnu/packages/certs.scm| 24 +++---
  gnu/packages/nss.scm  | 27 ---
  .../nss-disable-fips-in-lowhashtest.patch | 28 
  .../patches/nss-disable-shlibsign.patch   | 33 +++
  4 files changed, 102 insertions(+), 10 deletions(-)
  create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
  create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch


base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8






bug#40316: [PATCH v3 4/5] gnu: nss-certs: Update to 3.99.

2024-05-02 Thread Christina O'Donnell
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.

Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
 gnu/packages/certs.scm | 24 +++-
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
 that was originally contributed to Debian.")
   (license license:isc
 
-(define-public nss-certs
+(define-public nss-certs-3.88.1
   (package
 (name "nss-certs")
 ;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
 (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS;)
 (license license:mpl2.0)))
 
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
   (package
-(inherit nss-certs)
-(version "3.98")
+(inherit nss-certs-3.88.1)
+(version "3.99")
 (source (origin
   (method url-fetch)
   (uri (let ((version-with-underscores
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
   "nss-" version ".tar.gz")))
   (sha256
(base32
-"1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))
+"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+  ;; Create nss.pc and nss-config.
+  (patches (search-patches "nss-3.56-pkgconfig.patch"
+   "nss-getcwd-nonnull.patch"
+   "nss-increase-test-timeout.patch"
+   "nss-Disable-library-signing.patch"))
+  (modules '((guix build utils)))
+  (snippet
+   '(begin
+  ;; Delete the bundled copy of these libraries.
+  (delete-file-recursively "nss/lib/zlib")
+  (delete-file-recursively "nss/lib/sqlite")))
+
+(define-public nss-certs
+  nss-certs-3.99)
 
 (define-public le-certs
   (package
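Review bot: The patches list added to the nss-certs-3.99 origin refers to "nss-Disable-library-signing.patch", but this v3 series creates nss-disable-shlibsign.patch and nss-define-NSS_FIPS_DISABLED.patch instead (see the 5/5 diffstat), so the name should be updated or the patches dropped from this origin. The new sha256 in the same hunk also needs checking against the one that 3/5 sets for nss 3.99.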
-- 
2.41.0






bug#40316: [PATCH v3 2/5] gnu: nspr: Fix cross-compilation.

2024-05-02 Thread Christina O'Donnell
From: Zheng Junjie 

* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.

Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie 
---
 gnu/packages/nss.scm | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
   #~(list "--disable-static"
   "--enable-64bit"
   (string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+  #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
   ;; Use fixed timestamps for reproducibility.
   #:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
-- 
2.41.0






bug#40316: [PATCH v3 5/5] gnu: nss: Make reproducible.

2024-05-02 Thread Christina O'Donnell
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is
inherently non-deterministic. This removes all non-determinism from this package.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
Change-Id: I5a52ef3db687a2fe538dfffd744a0fc8515b2cb1
---
 gnu/packages/nss.scm  |  6 +++-
 .../nss-define-NSS_FIPS_DISABLED.patch| 29 
 .../patches/nss-disable-shlibsign.patch   | 33 +++
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
 create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..404baaf550 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,9 @@ (define-public nss
   ;; Create nss.pc and nss-config.
   (patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
-   "nss-increase-test-timeout.patch"))
+   "nss-increase-test-timeout.patch"
+   "nss-disable-shlibsign.patch"
+   "nss-define-NSS_FIPS_DISABLED.patch"))
   (modules '((guix build utils)))
   (snippet
'(begin
@@ -202,6 +204,8 @@ (define-public nss
 (setenv "DOMSUF" "localdomain")
 (setenv "USE_IP" "TRUE")
 (setenv "IP_ADDRESS" "127.0.0.1")
+(setenv "NSS_CYCLES" "standard")
+(setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests 
tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy")
 
 ;; The "PayPalEE.cert" certificate expires every six 
months,
 ;; leading to test failures:
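Review bot: The NSS_CYCLES and NSS_TESTS settings added in this hunk limit the test suite to the "standard" cycle and to an explicit list of tests, but neither the commit log nor a code comment mentions this. Either drop them from this commit or move them to a separate change with a comment explaining which tests are left out and why. A hard-coded test list will also miss tests that upstream adds later.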
diff --git a/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch 
b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
new file mode 100644
index 00..40ac66e365
--- /dev/null
+++ b/gnu/packages/patches/nss-define-NSS_FIPS_DISABLED.patch
@@ -0,0 +1,29 @@
+From e89a33daac982107421117ad95ae8443ef316079 Mon Sep 17 00:00:00 2001
+Message-ID: 

+From: Christina O'Donnell 
+Date: Thu, 2 May 2024 12:34:40 +0100
+Subject: [PATCH] Define NSS_FIPS_DISABLED.
+
+Disable FIPS as it depends on shlibsign which is non-deterministic.
+---
+ nss/coreconf/config.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 741bbee..e02e5d2 100644
+--- a/nss/coreconf/config.mk
 b/nss/coreconf/config.mk
+@@ -215,7 +215,7 @@ endif
+ # NSS_NO_INIT_SUPPORT is always defined on platforms that don't support
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+-DEFINES += -DNSS_NO_INIT_SUPPORT
++DEFINES += -DNSS_NO_INIT_SUPPORT -DNSS_FIPS_DISABLED
+ endif
+ 
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+
+base-commit: 490a62da7d23b579fab71a84e2107f414187738d
+-- 
+2.41.0
+
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch 
b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 00..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: 
<85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git@mutix.org>
+From: Christina O'Donnell 
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
 b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+-echo "${2}"/shlibsign -v -i "${5}"
+-"${2}"/shlibsign -v -i "${5}"
++# Disable lib signing as it generates its keys through a non-deterministic
++# process.
++# echo "${2}"/shlibsign -v -i "${5}"
++# "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+-- 
+2.41.0
+
-- 
2.41.0






bug#40316: [PATCH v3 3/5] gnu: nss: Update to 3.99.

2024-05-02 Thread Christina O'Donnell
gnu/packages/nss.scm (nss): Update to 3.99.

Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
 gnu/packages/nss.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
 ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
 ;; version and source to avoid a top-level variable reference & module
 ;; cycle.
-(version "3.88.1")
+(version "3.99")
 (source (origin
   (method url-fetch)
   (uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
   "nss-" version ".tar.gz")))
   (sha256
(base32
-"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+"1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
   ;; Create nss.pc and nss-config.
   (patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
 ;; leading to test failures:
 ;; .  
To
 ;; work around that, set the time to roughly the release 
date.
-(invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+(invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
   (format #t "test suite not run~%"
   (replace 'install
 (lambda* (#:key outputs #:allow-other-keys)
-- 
2.41.0






bug#40316: [PATCH v3 1/5] gnu: nss: Fix cross-compilation.

2024-05-02 Thread Christina O'Donnell
From: Zheng Junjie 

* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.

Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie 
---
 gnu/packages/nss.scm | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
 (#$(target-linux?) "linux")
 (else ""
#~())
+#$@(if (%current-target-system)
+   #~("CROSS_COMPILE=1")
+   #~())
 (string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
 (lambda _
   (setenv "CC" #$(cc-for-target))
   (setenv "CCC" #$(cxx-for-target))
+  ;; TODO: Set this unconditionally
+  #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
   ;; No VSX on powerpc-linux.
   #$@(if (target-ppc32?)
  #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
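Review bot: The added NATIVE_CC block is introduced with ";; TODO: Set this unconditionally" but nothing says why it is conditional today or what blocks the unconditional form. Either set it unconditionally in this patch or replace the TODO with a comment explaining what would break in native builds, so the conditional is not left as an unexplained special case next to the CC and CCC settings above it.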
-- 
2.41.0






bug#40316: [PATCH v2 6/6] gnu: nss: Disable FIPS in lowhashtest.

2024-05-02 Thread Christina O'Donnell
* gnu/packages/nss.scm (nss): Disable FIPS in lowhashtests.
This is required as FIPS is inherently non-deterministic, making the build no
longer reproducible.

Change-Id: I2b294530b017285d0949a1082abaaf3a8fe1f6b5
---
 gnu/packages/nss.scm  |  3 +-
 .../nss-disable-fips-in-lowhashtest.patch | 28 +++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 08e4cb06ee..02081c32e1 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -125,7 +125,8 @@ (define-public nss
   (patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
"nss-increase-test-timeout.patch"
-   "nss-disable-shlibsign.patch"))
+   "nss-disable-shlibsign.patch"
+   
"nss-disable-fips-in-lowhashtest.patch"))
   (modules '((guix build utils)))
   (snippet
'(begin
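Review bot: The new search-patches entry refers to nss-disable-fips-in-lowhashtest.patch, but the diffstat lists only nss.scm and the patch file itself; gnu/local.mk is not touched. Guix patches have to be registered in dist_patch_DATA in gnu/local.mk, otherwise the file is missing from the distributed tree; please add the entry in this commit.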
diff --git a/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch 
b/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
new file mode 100644
index 00..c8fc1e7e7a
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
@@ -0,0 +1,28 @@
+From f32bd353c5b741d6da5811fd40681dda80799bfb Mon Sep 17 00:00:00 2001
+Message-ID: 

+From: Christina O'Donnell 
+Date: Wed, 1 May 2024 20:30:15 +0100
+Subject: [PATCH] nss: Disable FIPS in lowhashtest.
+
+---
+ nss/tests/lowhash/lowhash.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/tests/lowhash/lowhash.sh b/nss/tests/lowhash/lowhash.sh
+index 2984b9b..9dcc89b 100755
+--- a/nss/tests/lowhash/lowhash.sh
 b/nss/tests/lowhash/lowhash.sh
+@@ -63,7 +63,7 @@ lowhash_test()
+   else
+ TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
+ OLD_MODE=`echo ${NSS_FIPS}`
+-for fips_mode in 0 1; do
++for fips_mode in 0; do
+   echo "lowhashtest with fips mode=${fips_mode}"
+   export NSS_FIPS=${fips_mode}
+   for TEST in ${TESTS}
+
+base-commit: 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0
+-- 
+2.41.0
+
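Review bot: Changing "for fips_mode in 0 1; do" to "for fips_mode in 0; do" removes every FIPS-mode run of the MD5/SHA1/SHA2 low-level hash tests, and the embedded patch has no description saying why or whether the problem was reported upstream. Add a short header to the patch file giving the reason (the commit message attributes it to FIPS non-determinism) and the upstream status, and strip the git-format-patch residue (the Message-ID header and the base-commit trailer), which serves no purpose in a file under gnu/packages/patches.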
-- 
2.41.0






bug#40316: [PATCH v2 3/6] gnu: nss: Update to 3.99.

2024-05-02 Thread Christina O'Donnell
gnu/packages/nss.scm (nss): Update to 3.99.

Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489
---
 gnu/packages/nss.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 0baafe2f37..6795e59d28 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -109,7 +109,7 @@ (define-public nss
 ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
 ;; version and source to avoid a top-level variable reference & module
 ;; cycle.
-(version "3.88.1")
+(version "3.99")
 (source (origin
   (method url-fetch)
   (uri (let ((version-with-underscores
@@ -120,7 +120,7 @@ (define-public nss
   "nss-" version ".tar.gz")))
   (sha256
(base32
-"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+"1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
   ;; Create nss.pc and nss-config.
   (patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
@@ -207,7 +207,7 @@ (define-public nss
 ;; leading to test failures:
 ;; .  
To
 ;; work around that, set the time to roughly the release 
date.
-(invoke "faketime" "2022-11-01" "./nss/tests/all.sh"))
+(invoke "faketime" "2024-02-01" "./nss/tests/all.sh"))
   (format #t "test suite not run~%"
   (replace 'install
 (lambda* (#:key outputs #:allow-other-keys)
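Review bot: The new faketime date on the invoke line is a bare literal, and the comment above it only says to use roughly the release date because the PayPalEE.cert certificate expires every six months. Put the 3.99 release date or the certificate's validity window in that comment so the next updater can tell whether "2024-02-01" still falls inside it; a date outside the window produces test failures that look unrelated to the version bump.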
-- 
2.41.0






bug#40316: [PATCH v2 2/6] gnu: nspr: Fix cross-compilation.

2024-05-02 Thread Christina O'Donnell
From: Zheng Junjie 

* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.

Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie 
---
 gnu/packages/nss.scm | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1c..0baafe2f37 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
   #~(list "--disable-static"
   "--enable-64bit"
   (string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+  #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
   ;; Use fixed timestamps for reproducibility.
   #:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
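Review bot: "HOST_CC=gcc" is appended to the configure flags with no comment, and the compiler name is a literal rather than something taken from the build inputs. Add a one-line comment saying what nspr uses HOST_CC for when cross-compiling, so the flag is not mistaken for the target compiler setting by whoever touches this list next.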
-- 
2.41.0






bug#40316: [PATCH v2 5/6] gnu: nss: Attempt to disable FIPS.

2024-05-02 Thread Christina O'Donnell
gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is
inherently non-deterministic.

This patch is an incomplete attempt to get the tests to succeed by disabling
inapplicable tests, i.e. tests that depend on FIPS.

I have passed NSS_FIPS_DISABLED=1 to the Makefile however it seems to be
ignoring it for no logical reason.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
---
 gnu/packages/nss.scm  |  8 -
 .../patches/nss-disable-shlibsign.patch   | 33 +++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..08e4cb06ee 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,8 @@ (define-public nss
   ;; Create nss.pc and nss-config.
   (patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
-   "nss-increase-test-timeout.patch"))
+   "nss-increase-test-timeout.patch"
+   "nss-disable-shlibsign.patch"))
   (modules '((guix build utils)))
   (snippet
'(begin
@@ -141,6 +142,9 @@ (define-public nss
 (string-append "PREFIX=" #$output)
 "NSDISTMODE=copy"
 "NSS_USE_SYSTEM_SQLITE=1"
+;; No FIPS because it adds non-determinism.
+"NSS_FIPS_DISABLED=1"
+"NSS_NO_INIT_SUPPORT=1"
 ;; The gtests fail to compile on riscv64.
 ;; Skipping them doesn't affect the test suite.
 #$@(if (target-riscv64?)
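Review bot: "NSS_NO_INIT_SUPPORT=1" is added under the comment ";; No FIPS because it adds non-determinism." but neither that comment nor the commit message says what it does or why it is needed. The commit message also states that NSS_FIPS_DISABLED=1 appears to be ignored by the Makefile, so as submitted this hunk may not change the FIPS code at all; check that the flag reaches the part of the build that compiles the FIPS-dependent code before relying on it, and document or drop the second flag.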
@@ -202,6 +206,8 @@ (define-public nss
 (setenv "DOMSUF" "localdomain")
 (setenv "USE_IP" "TRUE")
 (setenv "IP_ADDRESS" "127.0.0.1")
+(setenv "NSS_CYCLES" "standard")
+(setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests 
tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy")
 
 ;; The "PayPalEE.cert" certificate expires every six 
months,
 ;; leading to test failures:
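Review bot: The NSS_TESTS value pins an explicit list of suites, so anything not named in it (there is no "fips" entry, for instance) silently stops running, and a suite added by a later NSS release will be skipped as well. Add a comment listing which suites are excluded compared with the upstream default and why, and say why NSS_CYCLES is restricted to "standard"; a reduced test set for a crypto library should be a visible decision rather than a side effect of one long string.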
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch 
b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 00..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: 
<85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git@mutix.org>
+From: Christina O'Donnell 
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
 b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+ export LIBRARY_PATH
+ ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+ export ADDON_PATH
+-echo "${2}"/shlibsign -v -i "${5}"
+-"${2}"/shlibsign -v -i "${5}"
++# Disable lib signing as it generates its keys through a non-deterministic
++# process.
++# echo "${2}"/shlibsign -v -i "${5}"
++# "${2}"/shlibsign -v -i "${5}"
+ ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+-- 
+2.41.0
+
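Review bot: The two shlibsign invocations are commented out rather than removed, and only the case branch shown in this hunk (the one following WIN*) and closed by ";;" and "esac") is changed. Delete the lines instead of leaving dead code, check whether any other branch of sign.sh still calls shlibsign, and state in the patch header what consumes the signatures: the commit message says FIPS relies on the signed libraries, so this change is only sound once FIPS is effectively disabled, which the same commit message says is not yet the case.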
-- 
2.41.0






bug#40316: [PATCH v2 1/6] gnu: nss: Fix cross-compilation.

2024-05-02 Thread Christina O'Donnell
From: Zheng Junjie 

* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.

Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie 
---
 gnu/packages/nss.scm | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead..459e53bc1c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
 (#$(target-linux?) "linux")
 (else ""
#~())
+#$@(if (%current-target-system)
+   #~("CROSS_COMPILE=1")
+   #~())
 (string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
 (lambda _
   (setenv "CC" #$(cc-for-target))
   (setenv "CCC" #$(cxx-for-target))
+  ;; TODO: Set this unconditionally
+  #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
   ;; No VSX on powerpc-linux.
   #$@(if (target-ppc32?)
  #~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
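Review bot: The added (setenv "NATIVE_CC" "gcc") hard-codes the compiler name, so the build-machine compiler is whatever "gcc" resolves to through PATH inside the build environment. Note in a comment that this relies on a native gcc being among the build inputs when cross-compiling, and say which step of the NSS build runs NATIVE_CC so a reader can tell it apart from the CC and CCC values set from cc-for-target and cxx-for-target just above.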

base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
-- 
2.41.0






bug#40316: [PATCH v2 0/6] Attempt to make nss reproducible

2024-05-02 Thread Christina O'Donnell
This patch series is an incomplete attempt to make nss reproducible. Currently
this fails 4 tests due to NSS_FIPS_DISABLED not being respected.

Christina O'Donnell (4):
  gnu: nss: Update to 3.99.
  gnu: nss-certs: Update to 3.99.
  gnu: nss: Attempt to disable FIPS.
  gnu: nss: Disable FIPS in lowhashtest.

Zheng Junjie (2):
  gnu: nss: Fix cross-compilation.
  gnu: nspr: Fix cross-compilation.

 gnu/packages/certs.scm| 24 +++---
 gnu/packages/nss.scm  | 27 ---
 .../nss-disable-fips-in-lowhashtest.patch | 28 
 .../patches/nss-disable-shlibsign.patch   | 33 +++
 4 files changed, 102 insertions(+), 10 deletions(-)
 create mode 100644 gnu/packages/patches/nss-disable-fips-in-lowhashtest.patch
 create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch


base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8
-- 
2.41.0






bug#40316: [PATCH v2 4/6] gnu: nss-certs: Update to 3.99.

2024-05-02 Thread Christina O'Donnell
gnu/packages/certs.scm (nss-certs-3.88.1): New variable.
(nss-certs-3.98): Update and rename to nss-certs-3.99.
(nss-certs): Update to 3.99.

Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070
---
 gnu/packages/certs.scm | 24 +++-
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 7078c7c8d1..7aa96493fb 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -125,7 +125,7 @@ (define-public certdata2pem
 that was originally contributed to Debian.")
   (license license:isc
 
-(define-public nss-certs
+(define-public nss-certs-3.88.1
   (package
 (name "nss-certs")
 ;; XXX We used to refer to the nss package here, but that eventually caused
@@ -188,10 +188,10 @@ (define-public nss-certs
 (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS;)
 (license license:mpl2.0)))
 
-(define-public nss-certs-3.98
+(define-public nss-certs-3.99
   (package
-(inherit nss-certs)
-(version "3.98")
+(inherit nss-certs-3.88.1)
+(version "3.99")
 (source (origin
   (method url-fetch)
   (uri (let ((version-with-underscores
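Review bot: Renaming nss-certs-3.98 to nss-certs-3.99 removes a public variable, and the commit message does not say whether anything else in the tree refers to it. Grep for remaining nss-certs-3.98 references before merging, and keep a deprecated alias if there are users outside this file.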
@@ -202,7 +202,21 @@ (define-public nss-certs-3.98
   "nss-" version ".tar.gz")))
   (sha256
(base32
-"1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))
+"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7"))
+  ;; Create nss.pc and nss-config.
+  (patches (search-patches "nss-3.56-pkgconfig.patch"
+   "nss-getcwd-nonnull.patch"
+   "nss-increase-test-timeout.patch"
+   "nss-Disable-library-signing.patch"))
+  (modules '((guix build utils)))
+  (snippet
+   '(begin
+  ;; Delete the bundled copy of these libraries.
+  (delete-file-recursively "nss/lib/zlib")
+  (delete-file-recursively "nss/lib/sqlite")))
+
+(define-public nss-certs
+  nss-certs-3.99)
 
 (define-public le-certs
   (package
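Review bot: The base32 added for nss-certs-3.99 is "15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7", which is the value the nss update patch of this series removes as the hash of 3.88.1; the nss 3.99 hash there is "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw". Since nss-certs duplicates the nss version and source, this should be the 3.99 hash: a hash carried over from the old release means the origin either fails to fetch or can resolve to the 3.88.1 tarball's content under a 3.99 name. The added patches list also names "nss-Disable-library-signing.patch", while the files this series creates are nss-disable-shlibsign.patch and nss-disable-fips-in-lowhashtest.patch.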
-- 
2.41.0






bug#40316: nss not reproducible

2024-05-02 Thread Ludovic Courtès
Hi Christina,

Nice work!

Christina O'Donnell  skribis:

> I've got as far as making nss 3.98 reproducible, however updating it to 3.99
> results in 51 test failures. These are regressions, and worked correctly for
> 3.98. I'm not entirely sure what the issue is, but I've run out of time to
> debug it this week, so I'm sending this patch up as is.

Not sure if this is related, but we’re seeing test failures due to
timing issues right now with 3.98:

  https://issues.guix.gnu.org/70693

Thank you!

Ludo’.





bug#70456: Request for merging "core-updates" branch

2024-05-02 Thread Ludovic Courtès
Hi Chris and all,

Christopher Baines  skribis:

> I think keeping the Git commit history clean and representative is
> really important, so to me at least this means core-updates can't be
> merged to master in it's current form, even if the changes overall from
> these 6351 commits are reasonable.
>
> I'm really not sure how to move forward though, I had a go at trying to
> rebuild the branch without introducing the thousands of duplicate
> commits and that produced a branch with 765 commits over master, which
> still seems a lot, but a big improvement over 6351:
>
>   https://git.cbaines.net/guix/log/?h=chris-core-updates-no-duplicates-attempt
>
> That was really hard going though, as there's plenty of merge conflicts
> along the way, and I'm pretty sure I solved some of them
> incorrectly. The resulting branch also differs from core-updates.

Woow, impressive.  How did you go about finding which commits were
duplicates/cherry-picked from master?  Which commit did you start from?

Given everything you’ve explained, it seems to me it’s worth trying to
start from a clean branch like this.

I checked it out (commit da77ea23daa0bfa4a73290dff99b22d6825ff80b) to
get an idea of where we are and got this:

--8<---cut here---start->8---
make[2]: *** No rule to make target 'gnu/packages/patches/glib-networking-gnutls-binding.patch', needed by 'all-am'.
make[2]: *** No rule to make target 'gnu/packages/patches/librecad-support-for-boost-1.76.patch', needed by 'all-am'.
--8<---cut here---end--->8---

It stopped at:

--8<---cut here---start->8---
gnu/packages/sdl.scm:72:2: error: (package (name "sdl2") (version "2.30.1") 
(source (origin (method url-fetch) (uri (string-append 
"https://libsdl.org/release/SDL2-; version ".tar.gz")) (sha256 (base32 
"0fj7gxc7rlzzrafnx9nmf7ws3paxy583fmx7bcbavi6gr3xmy881" (arguments (list 
#:tests? #f #:configure-flags (gexp (append (quote ("--disable-wayland-shared" 
"--enable-video-kmsdrm" "--disable-kmsdrm-shared")) (quote 
("--disable-alsa-shared" "--disable-pulseaudio-shared" "--disable-x11-shared" 
"LDFLAGS=-lGL" #:make-flags (gexp (cons* (string-append 
"LDFLAGS=-Wl,-rpath," (ungexp (this-package-input "eudev")) "/lib" ",-rpath," 
(ungexp (this-package-input "vulkan-loader")) "/lib") (quote ("V=1")) 
(propagated-inputs (list libx11 libcap mesa)) (native-inputs (list pkg-config)) 
(inputs (list libxrandr glu alsa-lib pulseaudio dbus eudev glib ibus-minimal 
libxkbcommon libxcursor vulkan-loader wayland wayland-protocols)) (outputs 
(quote ("out" "debug"))) (synopsis "Cross platform game development library") 
(description "Simple DirectMedia Layer is a cross-platform development library 
designed to\nprovide low level access to audio, keyboard, mouse, joystick, and 
graphics\nhardware.") (home-page "https://libsdl.org/;) (license 
license:bsd-3)): missing field initializers (build-system)
--8<---cut here---end--->8---

I guess these are merge conflicts that weren’t correctly resolved.

This branch rewrites the entire ‘core-updates’ history.  What about
rewriting starting from the first series of “duplicate” commits?  That
should solve the immediate issue while keeping the “known good” history?

Thanks,
Ludo’.