Re: Value in adding Shepherd requirements to file-systems entries?
> P.S. The code above should read (requirements ...) in the plural. inside shepherd there's a bit of anomaly, but it's called requirement in the public API, and also in the guix side of the config; i.e. it's not plural. -- • attila lendvai • PGP: 963F 5D5F 45C7 DFCD 0A39 -- “Moderation in temper is always a virtue; but moderation in principle is always a vice.” — Thomas Paine (1737–1809)
[PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.
There are 51 new test failures which all appear to be related to FIPS.
For example:
modutil -dbdir
/tmp/guix-build-nss-3.99.drv-0/nss-3.99/tests_results/security/localhost.1/fips
-fips true
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q ' to abort, or to continue:
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has
occurred with the token or slot.
ERROR: Unable to switch FIPS modes.
cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate
(11) - FAILED
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate
failed 11
Change-Id: If0d57bb9e129eb862fae1a28d9779c6100e0a23d
---
gnu/packages/nss.scm | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 80667d8affe..a8fb6965c2c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -134,6 +134,10 @@ (define-public nss
(delete-file-recursively "nss/lib/sqlite")
(build-system gnu-build-system)
(outputs '("out" "bin"))
+;; (search-paths
+;; (list (search-path-specification
+;; (variable "LD_LIBRARY_PATH")
+;; (files '("lib")
(arguments
(list
#:make-flags
@@ -161,12 +165,15 @@ (define-public nss
#$@(if (%current-target-system)
#~("CROSS_COMPILE=1")
#~())
+(string-append "NSS_FORCE_FIPS=1")
+(string-append "NSPR_LIB_DIR="
+ (string-append #$nspr "/lib"))
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
;; Add $out/lib/nss to RPATH.
(string-append "RPATH=" rpath)
-(string-append "LDFLAGS=" rpath)))
+(string-append "LDFLAGS=" rpath " -L" #$nspr "/lib")))
#:modules '((guix build gnu-build-system)
(guix build utils)
(ice-9 ftw)
@@ -203,6 +210,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+;; (setenv "LD_LIBRARY_PATH"
+;; (string-append (getenv "LD_LIBRARY_PATH")))
;; The "PayPalEE.cert" certificate expires every six
months,
;; leading to test failures:
--
2.41.0
[PATCH 1/6] gnu: nss: Fix cross-compilation.
From: Zheng Junjie
* gnu/packages/nss.scm (nss)[arguments]<#:make-flags>: When
cross-compilation, Add CROSS_COMPILE=1.
<#:phases>: When cross-compilation, Set env NATIVE_CC to gcc.
Change-Id: I5c9559a4b8cecf2cfc6c47d136d69c01a335faaf
Signed-off-by: Zheng Junjie
---
gnu/packages/nss.scm | 7 +++
1 file changed, 7 insertions(+)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 7e9ed49ead8..459e53bc1cf 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -154,6 +154,9 @@ (define-public nss
(#$(target-linux?) "linux")
(else ""
#~())
+#$@(if (%current-target-system)
+ #~("CROSS_COMPILE=1")
+ #~())
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
@@ -175,6 +178,10 @@ (define-public nss
(lambda _
(setenv "CC" #$(cc-for-target))
(setenv "CCC" #$(cxx-for-target))
+ ;; TODO: Set this unconditionally
+ #$@(if (%current-target-system)
+ #~((setenv "NATIVE_CC" "gcc"))
+ #~())
;; No VSX on powerpc-linux.
#$@(if (target-ppc32?)
#~((setenv "NSS_DISABLE_CRYPTO_VSX" "1"))
--
2.41.0
[PATCH 0/6] WIP: nss: Update to 3.99
Hi, I've got as far as making nss 3.98 reproducible, however updating it to 3.99 results in 51 test failures. These are regressions, and worked correctly for 3.98. I'm not entirely sure what the issue is, but I've run out of time to debug it this week, so I'm sending this patch up as is. Up to patch 3 build correctly. Patch 4 is the first one that fails. The issue specifically seems to all be related to FIPS: A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot. If someone could take a look at this and see if there's anything I've missded then I'd appreciate that. Otherwise I'm free to pick it back up again on Tuesday. Let me know if you have any questions. Kind regards, Christina Christina O'Donnell (4): gnu: nss: Make reproducible. gnu: nss: Update to 3.99. gnu: nss-certs: Update to 3.99. WIP: nss: Attempting to resolve FIPS regression. Zheng Junjie (2): gnu: nss: Fix cross-compilation. gnu: nspr: Fix cross-compilation. gnu/packages/certs.scm| 24 +-- gnu/packages/nss.scm | 30 +++-- .../patches/nss-Disable-library-signing.patch | 67 +++ 3 files changed, 111 insertions(+), 10 deletions(-) create mode 100644 gnu/packages/patches/nss-Disable-library-signing.patch base-commit: 9a47ef6182b6a36354699efbdbedca17f24cd9b8 -- 2.41.0
[PATCH 2/6] gnu: nspr: Fix cross-compilation.
From: Zheng Junjie
* gnu/packages/nss.scm (nspr)[arguments]<#:configure-flags>: When
cross-compilation, Add HOST_CC=gcc.
Change-Id: I337f217f153f8cc3a713906643d6fab9115056e9
Signed-off-by: Zheng Junjie
---
gnu/packages/nss.scm | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 459e53bc1cf..0baafe2f373 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -71,7 +71,10 @@ (define-public nspr
#~(list "--disable-static"
"--enable-64bit"
(string-append "LDFLAGS=-Wl,-rpath="
- (assoc-ref %outputs "out") "/lib"))
+ (assoc-ref %outputs "out") "/lib")
+ #$@(if (%current-target-system)
+ #~("HOST_CC=gcc")
+ #~()))
;; Use fixed timestamps for reproducibility.
#:make-flags #~'("SH_DATE='1970-01-01 00:00:01'"
;; This is epoch 1 in microseconds.
--
2.41.0
[PATCH 4/6] gnu: nss: Update to 3.99.
gnu/packages/nss.scm (nss): Update to 3.99. Change-Id: Iba6c9dc2956cc0febb62a1c471add899250fa489 --- gnu/packages/nss.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index b608a995577..80667d8affe 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -109,7 +109,7 @@ (define-public nss ;; IMPORTANT: Also update and test the nss-certs package, which duplicates ;; version and source to avoid a top-level variable reference & module ;; cycle. -(version "3.88.1") +(version "3.99") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -120,7 +120,7 @@ (define-public nss "nss-" version ".tar.gz"))) (sha256 (base32 -"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7")) +"1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" -- 2.41.0
[PATCH 3/6] gnu: nss: Make reproducible.
gnu/packages/patches/nss-Disable-library-signing.patch: Disable library signing to make the build reproducible. gnu/packages/nss.scm (nss): Apply this new patch. Change-Id: I7860bae219ecc4a79423a590c27a1097ae2e7874 --- gnu/packages/nss.scm | 3 +- .../patches/nss-Disable-library-signing.patch | 67 +++ 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/nss-Disable-library-signing.patch diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 0baafe2f373..b608a995577 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -124,7 +124,8 @@ (define-public nss ;; Create nss.pc and nss-config. (patches (search-patches "nss-3.56-pkgconfig.patch" "nss-getcwd-nonnull.patch" - "nss-increase-test-timeout.patch")) + "nss-increase-test-timeout.patch" + "nss-Disable-library-signing.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/nss-Disable-library-signing.patch b/gnu/packages/patches/nss-Disable-library-signing.patch new file mode 100644 index 000..b488d29dcad --- /dev/null +++ b/gnu/packages/patches/nss-Disable-library-signing.patch @@ -0,0 +1,67 @@ +From 4734b834755822f962af29e9395daa7338084e21 Mon Sep 17 00:00:00 2001 +Message-ID: <4734b834755822f962af29e9395daa7338084e21.1714059680.git@mutix.org> +From: Christina O'Donnell +Date: Thu, 25 Apr 2024 16:35:50 +0100 +Subject: [PATCH] nss: Disable library signing. + +--- + nss/cmd/shlibsign/Makefile | 32 +--- + 1 file changed, 1 insertion(+), 31 deletions(-) + +diff --git a/nss/cmd/shlibsign/Makefile b/nss/cmd/shlibsign/Makefile +index a119205..7a85c1d 100644 +--- a/nss/cmd/shlibsign/Makefile b/nss/cmd/shlibsign/Makefile +@@ -43,22 +43,9 @@ EXTRA_SHARED_LIBS += \ + + endif + +- +-# sign any and all shared libraries that contain the word freebl +-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) ++# Disable library signing as it's non-deterministic + CHECKLIBS = + CHECKLOC = +-else +-CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX) +-CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX)) +-ifndef NSS_DISABLE_DBM +-CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX) +-endif +-CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk) +- +-MD_LIB_RELEASE_FILES = $(CHECKLOC) +-ALL_TRASH += $(CHECKLOC) +-endif + + ### + # (5) Execute "global" rules. (OPTIONAL) # +@@ -78,23 +65,6 @@ include $(CORE_DEPTH)/coreconf/rules.mk + + include ../platrules.mk + +-SRCDIR = $(call core_abspath,.) +- +-%.chk: %.$(DLL_SUFFIX) +-ifeq ($(OS_TARGET), OS2) +- cd $(OBJDIR) ; cmd.exe /c $(SRCDIR)/sign.cmd $(DIST) \ +- $(call core_abspath,$(OBJDIR)) $(OS_TARGET) \ +- $(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<) +-else +-ifeq ($(CROSS_COMPILE),1) +- # do nothing +-else +- cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \ +- $(call core_abspath,$(OBJDIR)) $(OS_TARGET) \ +- $(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<) +-endif +-endif +- + libs: install + ifdef CHECKLOC + $(MAKE) $(CHECKLOC) + +base-commit: 2951778f8e8855bed24754a57ecc43f02a2843dd +-- +2.41.0 + -- 2.41.0
[PATCH 5/6] gnu: nss-certs: Update to 3.99.
gnu/packages/certs.scm (nss-certs-3.88.1): New variable. (nss-certs-3.98): Update and rename to nss-certs-3.99. (nss-certs): Update to 3.99. Change-Id: I2f5f737d44d08497d4f5e0e07557be36d2f1f070 --- gnu/packages/certs.scm | 24 +++- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index 7078c7c8d11..7aa96493fbe 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -125,7 +125,7 @@ (define-public certdata2pem that was originally contributed to Debian.") (license license:isc -(define-public nss-certs +(define-public nss-certs-3.88.1 (package (name "nss-certs") ;; XXX We used to refer to the nss package here, but that eventually caused @@ -188,10 +188,10 @@ (define-public nss-certs (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS;) (license license:mpl2.0))) -(define-public nss-certs-3.98 +(define-public nss-certs-3.99 (package -(inherit nss-certs) -(version "3.98") +(inherit nss-certs-3.88.1) +(version "3.99") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -202,7 +202,21 @@ (define-public nss-certs-3.98 "nss-" version ".tar.gz"))) (sha256 (base32 -"1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm")) +"15il9fsmixa1r4446zq1wl627sg0hz9h67w6kjxz273xz3nl7li7")) + ;; Create nss.pc and nss-config. + (patches (search-patches "nss-3.56-pkgconfig.patch" + "nss-getcwd-nonnull.patch" + "nss-increase-test-timeout.patch" + "nss-Disable-library-signing.patch")) + (modules '((guix build utils))) + (snippet + '(begin + ;; Delete the bundled copy of these libraries. + (delete-file-recursively "nss/lib/zlib") + (delete-file-recursively "nss/lib/sqlite"))) + +(define-public nss-certs + nss-certs-3.99) (define-public le-certs (package -- 2.41.0
Re: Value in adding Shepherd requirements to file-systems entries?
Hi Richard, On Tue, Apr 23 2024, Richard Sent wrote: > I submitted a patch [..] at https://issues.guix.gnu.org/70542. If this > winds up merged I believe your code could be rewritten [as] > > --8<---cut here---start->8--- > (file-system >(device "wallace-server.local:/acct") >(mount-point "/acct") >(type "nfs") >(requirement '(avahi-daemon)) ;resolve .local >;; (flags '(no-atime no-dev no-exec read-only)) >;; (options "proto=tcp6,timeo=300,nolock") >(check? #f) >(mount-may-fail? #t) >(create-mount-point? #t)) > --8<---cut here---end--->8--- Wow, that works! Since this short form is optional and I can always switch back to the previous version, v2 of that patch should be merged without further delay. Thank you for your most valuable contribution! Kind regards, Felix P.S. The code above should read (requirements ...) in the plural.
Re: "Error: Could not set character size"
seems like a `guix pull` and a `guix home reconfigure` resolved it. sorry for the noise. -- • attila lendvai • PGP: 963F 5D5F 45C7 DFCD 0A39 -- “If you wind up with a boring, miserable life because you listened to your mom, your dad, your teacher, your priest, or some guy on TV telling you how to do your shit, then YOU DESERVE IT.” — Frank Zappa (1940–1993), 'The Real Frank Zappa Book' (1989)
Re: API for rewriting package fields ?
On Fri, Apr 26, 2024 at 05:25:47PM +0200, Ricardo Wurmus wrote:
> Nicolas Graves via "Development of GNU Guix and the GNU System distribution."
> writes:
>
> > Is there an interface to rewrite / update a field from a series of
> > packages easily?
>
> We have "update-package-inputs" in (guix upstream), which defines a
> local procedure "update-field". Perhaps you can use that?
>
> What it cannot do yet is *create* a field, e.g. add a native-inputs
> field to add an input when the package currently doesn't have a
> native-inputs field.
There's also the package property updater-extra-{native-,propagated-,}inputs
to add a package even if it's not shown as required by the importer.
--
Efraim Flashner רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
signature.asc
Description: PGP signature
Re: Managing patches and branches, retrospective and futher changes?
On Wed, Apr 24, 2024 at 02:21:56PM +0100, Christopher Baines wrote: > Hey! > > Almost a year ago, the branching strategy was changed [1][2]. > > 1: https://issues.guix.gnu.org/63459 > 2: https://lists.gnu.org/archive/html/guix-devel/2023-06/msg00024.html > > I think these changes have gone OK, we've had ~27 [3] branches merged in > this manor and I think looking back these changes have been > helpful. Coordination and visibility has improved, and we've been able > to build and test more prior to merging. I'd like to just say that this (without checking the numbers) is almost 10x the number of merges we had previously with just the core-updates/staging branch strategy. > 3: https://issues.guix.gnu.org/search?query=%22Request+for+merging%22 > > There's still room for more improvement though. The current guidance is > here [4], and I've sent a patch for improvements here [5]. > > 4: > https://guix.gnu.org/en/manual/devel/en/html_node/Managing-Patches-and-Branches.html > 5: https://issues.guix.gnu.org/70549 > > Let me know if you have any thoughts or questions! > > Thanks, > > Chris -- Efraim Flashner רנשלפ םירפא GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted signature.asc Description: PGP signature
Re: Core updates status
On Fri, Apr 26, 2024 at 01:56:12PM +0100, Steve George wrote: > Hi, > > On 25 Apr, Kaelyn wrote: > > Hi, > > > > On Tuesday, April 23rd, 2024 at 11:08 PM, Steve George > > wrote: > (...) > > > - guile-rsvg failing > > > - https://debbugs.gnu.org/cgi/bugreport.cgi?bug=70537 > > > - I'm able to build librsvg@2.56.4 but not guile-rsvg > > > - guile-rsvg@2.18.1 / guile2.2-rsvg > > > - guile-rsvg builds on master - connected? > > > > I've started looking at this build failure this morning, and my initial > > impressions are that a propagated-input is missing. I tried building > > guile-rsvg from core-updates and the build failed with three missing pango > > libraries (ld could not find -lpangocairo-1.0, -lpangoft2-1.0, and > > -lpango-1.0). I tried moving pango from the inputs to the propagated-inputs > > for librsvg, and that fixed the build of guile-rsvg. I'm just not sure if > > that is the right place to propagate it; I haven't yet traced where the > > pango libraries are being added to the linking command, as I've checked the > > pkgconfig files for librsvg, cairo, and a couple of other packages and not > > seen references to pango (which is what makes me think the pango > > propagated-input is needed elsewhere, and not actually in librsvg--but I > > also don't know Rust or what dependencies the rust code in librsvg has). > > That's great, thanks for taking a look. Efraim mentioned that there would be > Rust changes for it. Seeing that librsvg has rust-pango (and some others) in cargo-inputs, and therefore needs pango to build, I think it's safe to move pango (and others as needed) to propagated inputs. Make sure to make the necessary changes to librsvg-2.40 also. I haven't had any problems building the rust based librsvg on core-updates, so I'd suggest leaving that alone for now. -- Efraim Flashner רנשלפ םירפא GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted signature.asc Description: PGP signature
Re: API for rewriting package fields ?
Nicolas Graves via "Development of GNU Guix and the GNU System distribution." writes: > Is there an interface to rewrite / update a field from a series of > packages easily? We have "update-package-inputs" in (guix upstream), which defines a local procedure "update-field". Perhaps you can use that? What it cannot do yet is *create* a field, e.g. add a native-inputs field to add an input when the package currently doesn't have a native-inputs field. -- Ricardo
Re: Core updates status
Hi, On 25 Apr, Kaelyn wrote: > Hi, > > On Tuesday, April 23rd, 2024 at 11:08 PM, Steve George > wrote: (...) > > - guile-rsvg failing > > - https://debbugs.gnu.org/cgi/bugreport.cgi?bug=70537 > > - I'm able to build librsvg@2.56.4 but not guile-rsvg > > - guile-rsvg@2.18.1 / guile2.2-rsvg > > - guile-rsvg builds on master - connected? > > I've started looking at this build failure this morning, and my initial > impressions are that a propagated-input is missing. I tried building > guile-rsvg from core-updates and the build failed with three missing pango > libraries (ld could not find -lpangocairo-1.0, -lpangoft2-1.0, and > -lpango-1.0). I tried moving pango from the inputs to the propagated-inputs > for librsvg, and that fixed the build of guile-rsvg. I'm just not sure if > that is the right place to propagate it; I haven't yet traced where the pango > libraries are being added to the linking command, as I've checked the > pkgconfig files for librsvg, cairo, and a couple of other packages and not > seen references to pango (which is what makes me think the pango > propagated-input is needed elsewhere, and not actually in librsvg--but I also > don't know Rust or what dependencies the rust code in librsvg has). That's great, thanks for taking a look. Efraim mentioned that there would be Rust changes for it. Steve / Futurile
"Error: Could not set character size"
...when trying to build a guix checkout. to reproduce: $ make doc/images/service-graph.png DOT doc/images/service-graph.png Error: Could not set character size [error message repeated 12 more times] this seems to be an error coming from graphviz. this is all i could find online, which is not very useful: https://gitlab.com/graphviz/graphviz/-/issues/863 maybe this commit a few days ago changed something? looks innocent, though: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4099b12f9f4561d0494c7765b484b53d9073b394 any hints? -- • attila lendvai • PGP: 963F 5D5F 45C7 DFCD 0A39 -- “You cannot transmit wisdom and insight to another person. The seed is already there. A good teacher touches the seed, allowing it to wake up, to sprout, and to grow.” — Thich Nhat Hanh (1926–)
