Re: Build failure on nss-3.36.1

2018-11-04 Thread Björn Höfling
On Sat, 3 Nov 2018 21:46:02 -0600
Brian Woodcox  wrote:

> Hi Björn,
> 
> You nailed it.
> 
> Of course, I am not too certain how to use the guix git-checkout
> command.
> 
> Do you or anyone else have an example of how you would build this
> after downloading it?
> 
>   I’ve done a bit of search, but have not come up with much.
> 
> Thanks
> 

Hi Brian,

It's described in section "7 Contributing" of the manual:

https://www.gnu.org/software/guix/manual/en/guix.html#Contributing

Please refer to the manual for full details, I will show here in short
out of my head, errors/typos might be included:

git clone https://...guix.git

cd guix

# Now you need to enter an environment where guix' build tools are
# available. You could install everything yourself in a foreign distro
# or via guix package -i ..., but Guix knows it best, so just do a:

guix environment guix

# Next you need to bootstrap and build:

./bootstrap
./configure --localstatedir=/var
make

# Now search source file:
guix package -s "^nss$"
name: nss
version: 3.39
outputs: out bin
systems: x86_64-linux i686-linux armhf-linux aarch64-linux mips64el-linux
dependencies: nspr@4.20 perl@5.26.1 sqlite@3.23.0 zlib@1.2.11
location: gnu/packages/gnuzilla.scm:364:2
[..]

# edit it:

emacs gnu/packages/gnuzilla.scm

#[could also call "guix edit nss" directly]

(arguments
 `(#:parallel-build? #f ; not supported
;; Add this line to arguments:
   #:tests? #f
   #:make-flags
;; Remove this:  (replace 'check ...)

Now run guix from source:

./pre-inst-env guix build nss

Then do whatever you want to from there:

./pre-inst-env guix install ...
./pre-inst-env guix system ...

Note: It is not enough to just build/install nss from here and then go
on with the "normal" guix: Because you changed nss, all dependencies
need to be built too.

And that is basically the world:

./pre-inst-env guix refresh -l nss

Building the following 3119 packages would ensure 8553 dependent packages are rebuilt:

So, not sure if that helps you here...

Björn





Re: Build failure on nss-3.36.1

2018-11-03 Thread Brian Woodcox
Hi Björn,

You nailed it.

Of course, I am not too certain how to use the guix git-checkout command.

Do you or anyone else have an example of how you would build this after 
downloading it?

  I’ve done a bit of search, but have not come up with much.

Thanks




Re: Build failure on nss-3.36.1

2018-11-03 Thread Brian Woodcox
So I have tried to debug this a bit, but I am not making much headway.

Apparently the error is:

chains.sh: #718: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp  -o OID.2.16.840.1.114412.1.1  - FAILED
chains.sh: Verifying certificate(s)  BrAirWaysBadSig.cert with flags -d AllDB -pp
vfychain -d AllDB -pp -vv   /tmp/guix-build-nss-3.36.1.drv-0/nss-3.36.1/nss/tests/libpkix/certs/BrAirWaysBadSig.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. BrAirWaysBadSig :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is fail


My Guix version is —> guix (GNU Guix) 0.15.0-1.4876bc8

I have attached some files for your info.  Not sure if the attachments will work
or not, but here goes.

Attachments:
environment-variables (5 KB)
output.log (40.1 MB)
2gwwhy92zviwl9k74r9vz9ccmgyw91cn-nss-3.36.1.drv (41 MB)
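
One way to triage a test log like the one excerpted above, added here as an example and not written by anyone in the thread: it lists every FAILED result and marks the ones explained solely by the expiry error, so other failures are not lost when tests get disabled. It assumes each result line follows the error lines of its own test; the sample log is constructed.

```python
import re

RESULT = re.compile(r"^\S+\.sh: #(\d+): (.*?)\s+- (PASSED|FAILED)\s*$")
ERROR = re.compile(r"ERROR (-\d+):")
EXPECT = re.compile(r"Returned value is \d+, expected result is (pass|fail)")
EXPIRED = "-8181"   # code the thread's log prints with "Peer's Certificate has expired."

def triage(log_text):
    """One record per FAILED test, with the error codes logged since the previous result."""
    failures, errors, expected = [], [], None
    for line in log_text.splitlines():
        if m := ERROR.search(line):
            errors.append(m.group(1))
        elif m := EXPECT.search(line):
            expected = m.group(1)
        elif m := RESULT.match(line):
            if m.group(3) == "FAILED":
                failures.append({
                    "id": int(m.group(1)), "test": m.group(2), "errors": errors,
                    # Only "should verify, but a certificate has expired" depends on the clock.
                    "clock_dependent": expected == "pass" and set(errors) == {EXPIRED},
                })
            errors, expected = [], None
    return failures

def only_clock_failures(log_text):
    """True when every failure in the log is explained by certificate expiry alone."""
    found = triage(log_text)
    return bool(found) and all(f["clock_dependent"] for f in found)

# Constructed sample: lines modelled on the excerpts in this thread (unwrapped); the
# BrAirWaysBadSig result line and the whole Example.cert case are made up.
SAMPLE_LOG = """\
chains.sh: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp  -o OID.2.16.840.1.114412.1.1
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1555: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp  -o OID.2.16.840.1.114412.1.1  - FAILED
CERT 0. BrAirWaysBadSig :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is fail
chains.sh: #1556: RealCerts: Verifying certificate(s)  BrAirWaysBadSig.cert with flags -d AllDB -pp  - PASSED
CERT 0. Example :
  ERROR -8179: Peer's Certificate issuer is not recognized.
Returned value is 1, expected result is pass
chains.sh: #1557: RealCerts: Verifying certificate(s)  Example.cert with flags -d AllDB -pp  - FAILED
"""
```

Run `triage` over the full output.log from the kept build directory; if `only_clock_failures` returns False, something other than expiry is failing.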




Re: Build failure on nss-3.36.1

2018-11-03 Thread Björn Höfling
Hi,

On Sat, 3 Nov 2018 11:28:26 -0600
Brian Woodcox  wrote:

> I’m getting a build failure when building nss-3.36.1.
> 
> I have the entire log.  Here is the end part of it.
> 
> Any ideas?

This package does not build reproducibly. At least in the long term:
There are tests that check certificates on temporal validity and that
depends on the system time.

I can reproduce your result with the 3.39 version. It looks like one
certificate is expired. All 6 failing tests look about like this one:


s -d AllDB -pp   - PASSED
chains.sh: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp  -o OID.2.16.840.1.114412.1.1
vfychain -d AllDB -pp -vv  -o OID.2.16.840.1.114412.1.1  /tmp/guix-build-nss-3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1555: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags -d AllDB -pp  -o OID.2.16.840.1.114412.1.1  - FAILED


I don't know how to check the expiration date of PayPalEE.cert.

It looks like upstream has not yet worked on it, as the file was last
modified two years ago:

https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert

Cmp also this bug that demands non-expiration certificates:

https://bugzilla.mozilla.org/show_bug.cgi?id=1330010

Building 3.40 does not work with just updating version/hashsum.

A quick solution would be to build nss from a Guix git-checkout and
disable tests.

Björn
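
One way to read a certificate's validity window, added here as an example and not part of the original message: a small DER reader that pulls notBefore and notAfter out of an X.509 file (DER or PEM) and compares notAfter with a chosen time. The sample certificate and its dates are constructed; they are not the contents of PayPalEE.cert.

```python
import base64
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _items(buf):
    pos, out = 0, []                       # split SEQUENCE contents into (tag, value) pairs
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:                        # UTCTime: RFC 5280 maps YY >= 50 to 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                      # otherwise it must be GeneralizedTime
        raise ValueError("not a time field")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(cert):
    """Return (notBefore, notAfter) of a DER or PEM X.509 certificate given as bytes."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(b"".join(l.strip() for l in cert.splitlines() if b"-----" not in l))
    tbs = _items(_items(_tlv(cert, 0)[1])[0][1])   # Certificate -> TBSCertificate fields
    field = 4 if tbs[0][0] == 0xA0 else 3          # optional [0] version shifts the index
    (t1, v1), (t2, v2) = _items(tbs[field][1])
    return _time(t1, v1), _time(t2, v2)

def expired(cert, now):
    """True if notAfter lies before `now` (a timezone-aware datetime)."""
    return now > validity(cert)[1]

# Constructed sample, not PayPalEE.cert: an unsigned certificate skeleton with made-up dates.
def _der(tag, *parts):
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)   # short-form length only
SAMPLE = _der(0x30,
    _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30), _der(0x30),
         _der(0x30, _der(0x17, b"160203000000Z"), _der(0x17, b"180201120000Z")), _der(0x30)),
    _der(0x30), _der(0x03, b"\x00"))
```

To check the file from the log, pass the bytes of nss/tests/libpkix/certs/PayPalEE.cert from the build tree to `validity`.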




Re: Build failure on nss-3.36.1

2018-11-03 Thread Gábor Boskovits
Hello Brian,

Thanks for your help so far.

Brian Woodcox wrote (on Sat, Nov 3, 2018, 18:48):
>
> Hi,
>
> I have run it a few times with the same output.
>
> I’m using --keep-failed, which I assume is the same as the -K flag.
>
> I have the build directory.  Anything you would like me to do with it?
>

I see two ways forward:
1. please write the guix version, so that we can reproduce
2. if you could send the logs from the failing tests, which you will find
in the build directory somewhere, that would help.

Best regards,
g_bor



Re: Build failure on nss-3.36.1

2018-11-03 Thread Brian Woodcox
Hi,

I have run it a few times with the same output.

I’m using --keep-failed, which I assume is the same as the -K flag.

I have the build directory.  Anything you would like me to do with it?

Thanks.

> On Nov 3, 2018, at 11:38 AM, Gábor Boskovits  wrote:
> 
> Hello,
> 
> This is a test failure, could you try to build that again to see if it
> fails consistently?
> If it also fails for the second time, then please run guix build with
> -K to keep the build directory, so we can have the test logs.
> 
> Thanks for the report.
> 
> Best regards,
> g_bor




Re: Build failure on nss-3.36.1

2018-11-03 Thread Gábor Boskovits
Hello,

Brian Woodcox wrote (on Sat, Nov 3, 2018, 18:29):
>
> I’m getting a build failure when building nss-3.36.1.
>
> I have the entire log.  Here is the end part of it.
>
> Any ideas?
>
> Thanks.
>
> SUMMARY:
> 
> NSS variables:
> --
> HOST=localhost
> DOMSUF=(none)
> BUILD_OPT=
> USE_X32=
> USE_64=1
> NSS_CYCLES=""
> NSS_TESTS=""
> NSS_SSL_TESTS="crl iopr policy"
> NSS_SSL_RUN="cov auth stapling stress"
> NSS_AIA_PATH=
> NSS_AIA_HTTP=
> NSS_AIA_OCSP=
> IOPR_HOSTADDR_LIST=
> PKITS_DATA=
> NSS_DISABLE_HW_AES=
> NSS_DISABLE_PCLMUL=
> NSS_DISABLE_AVX=
> NSS_DISABLE_ARM_NEON=
> NSS_DISABLE_SSSE3=
>
> Tests summary:
> --
> Passed: 52722
> Failed: 6
> Failed with core:   0
> ASan failures:  0
> Unknown status: 12
> TinderboxPrint:Unknown: 12
>
> Backtrace:
>            4 (primitive-load "/gnu/store/j2lm2bwnkndbw4vbv5ybfbs3yc6…")
> In ice-9/eval.scm:
>    191:35  3 (_ _)
> In srfi/srfi-1.scm:
>     640:9  2 (for-each # …)
> In /gnu/store/f95ghy8mx00fc22nrvswvnpqlfdkf2nk-module-import/guix/build/gnu-build-system.scm:
>    799:31  1 (_ _)
> In /gnu/store/f95ghy8mx00fc22nrvswvnpqlfdkf2nk-module-import/guix/build/utils.scm:
>     616:6  0 (invoke _ . _)
>
> /gnu/store/f95ghy8mx00fc22nrvswvnpqlfdkf2nk-module-import/guix/build/utils.scm:616:6: In procedure invoke:
> Throw to key `srfi-34' with args `(# "./nss/tests/all.sh" arguments: () exit-status: 1 term-signal: #f stop-signal: #f] 68fd80>)'.
>
>
This is a test failure, could you try to build that again to see if it
fails consistently?
If it also fails for the second time, then please run guix build with
-K to keep the build directory, so we can have the test logs.

Thanks for the report.

Best regards,
g_bor