Re: Guix release broken without substitutes on ungrafted openssl
Hi, I overlooked the issue. Here, it is about just building because the test suite is time-dependant. Arf! IHMO, it does not change my previous but unrelated message. :-) Cheers, simon
Re: Guix release broken without substitutes on ungrafted openssl
Leo Famulari skribis: > On Wed, Feb 15, 2023 at 12:15:21PM -0500, Greg Hogan wrote: >> Installing guix from source fails on the build of openssl@1.1.1l. I >> see the same error on my working system (log attached) when executing >> the command below. The issue looks to be caused by OpenSSL's expired >> test certs fixed in 1.1.1p [0]. Guix currently grafts openssl 1.1.1s >> but it seems grafts are not part of the bootstrap process (substitutes >> disabled). >> >> If this is the correct diagnosis then we should be ungrafting before >> future releases any bootstrap dependencies relating to build failures >> (not necessarily for security updates). >> >> My personal fix was to adapt my installation script to iteratively set >> back then reset the clock, as openssl only builds in the past but >> diffutils-boot0 then fails due to newly created files being older than >> distributed files. > > Thanks for the notes. > > I do believe this has been discussed previously, to be found in the > archives! Here: https://issues.guix.gnu.org/58650 I think the most viable/easily feasible option would be to run OpenSSL’s tests under ‘datefudge’, as discussed in the issue above. Ludo’.
Re: Guix release broken without substitutes on ungrafted openssl
Hi, On 2023-02-15, 12:15 -0500, Greg Hogan wrote: > Guix, > > Installing guix from source fails on the build of openssl@1.1.1l. I > see the same error on my working system (log attached) when executing > the command below. The issue looks to be caused by OpenSSL's expired > test certs fixed in 1.1.1p [0]. Guix currently grafts openssl 1.1.1s > but it seems grafts are not part of the bootstrap process (substitutes > disabled). > > If this is the correct diagnosis then we should be ungrafting before > future releases any bootstrap dependencies relating to build failures > (not necessarily for security updates). > > My personal fix was to adapt my installation script to iteratively set > back then reset the clock, as openssl only builds in the past but > diffutils-boot0 then fails due to newly created files being older than > distributed files. > > Greg I was recently building a deb pack of guix for riscv and encountered the same problem, so far I just turned off the tests for openssl@1.1.1l -- Best regards, Aleksandr Vityazev
Re: Guix release broken without substitutes on ungrafted openssl
Hi, On Wed, 15 Feb 2023 at 13:33, Leo Famulari wrote: > I'd guess it's happened 4 times in the last several years. > > It's one of several reasons that rebuilding old Guix releases actually > approaches being a Hard Problem. The issue is from the impure world. ;-) Well, yeah it would probably be difficult to install from scratch Guix v1.0 in some future. However, the hope is that, guix time-machine --commit=v1.0 -- using distant future Guix to run from Guix v1.0. The distant future Guix should be able to deal with the distant future impure world and populate for the past running inside a pure world. For sure, it is a Hard Problem. As I like to say when presenting “guix time-machine”, it is a real world experiment, probably unique, to know what is the size of the time frame where reproducible time-travel is possible. I try to explain that this reproducible time-travel requires three conditions: 1. source code availability 2. Linux kernel compatibility 3. hardware compatibility Now, I would add: 4. being able to communicate with the world via the network Cheers, simon
Re: Guix release broken without substitutes on ungrafted openssl
On Wed, Feb 15, 2023 at 1:33 PM Leo Famulari wrote: > > It only really affects distros like Guix or Nix, so it's our problem to > fix. I forgot to mention that I also needed to switch the pull url from https to http, otherwise git would fail on certificate verification. I believe this is secure with Guix handling the git authentication. I see the same openssl@1.1.1l error when building with the system clock set to 2022/12/19, the date of the 1.4.0 release, so it appears that the release was never bootstrappable without hijinks. For the general case perhaps there could be a way to describe the build environment similar to the manifest and channels. Could a build date be specified and faketime used similar to how Guix makes use of fakeroot? Perhaps this has already been proposed in the archive. Greg
Re: Guix release broken without substitutes on ungrafted openssl
On Wed, Feb 15, 2023 at 12:15:21PM -0500, Greg Hogan wrote: > Installing guix from source fails on the build of openssl@1.1.1l. I > see the same error on my working system (log attached) when executing > the command below. The issue looks to be caused by OpenSSL's expired > test certs fixed in 1.1.1p [0]. Guix currently grafts openssl 1.1.1s > but it seems grafts are not part of the bootstrap process (substitutes > disabled). > > If this is the correct diagnosis then we should be ungrafting before > future releases any bootstrap dependencies relating to build failures > (not necessarily for security updates). > > My personal fix was to adapt my installation script to iteratively set > back then reset the clock, as openssl only builds in the past but > diffutils-boot0 then fails due to newly created files being older than > distributed files. Thanks for the notes. I do believe this has been discussed previously, to be found in the archives! In general, SSL/TLS implementations keep making this... unfortunate mistake in their test suites. It only really affects distros like Guix or Nix, so it's our problem to fix. I'd guess it's happened 4 times in the last several years. It's one of several reasons that rebuilding old Guix releases actually approaches being a Hard Problem.
Guix release broken without substitutes on ungrafted openssl
Guix,
Installing guix from source fails on the build of openssl@1.1.1l. I
see the same error on my working system (log attached) when executing
the command below. The issue looks to be caused by OpenSSL's expired
test certs fixed in 1.1.1p [0]. Guix currently grafts openssl 1.1.1s
but it seems grafts are not part of the bootstrap process (substitutes
disabled).
If this is the correct diagnosis then we should be ungrafting before
future releases any bootstrap dependencies relating to build failures
(not necessarily for security updates).
My personal fix was to adapt my installation script to iteratively set
back then reset the clock, as openssl only builds in the past but
diffutils-boot0 then fails due to newly created files being older than
distributed files.
Greg
[0] https://github.com/openssl/openssl/pull/18446
--8<---cut here---start->8---
$ guix build --no-grafts openssl@1.1.1l
[...]
Test Summary Report
---
../test/recipes/80-test_ssl_new.t(Wstat: 256 Tests: 29
Failed: 1)
Failed test: 12
Non-zero exit status: 1
Files=158, Tests=2636, 285 wallclock secs ( 1.86 usr 0.16 sys +
104.62 cusr 8.73 csys = 115.37 CPU)
Result: FAIL
make[1]: *** [Makefile:208: _tests] Error 1
make[1]: Leaving directory '/tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l'
make: *** [Makefile:205: tests] Error 2
Test suite failed, dumping logs.
error: in phase 'check': uncaught exception:
%exception #< program: "make" arguments: ("test")
exit-status: 2 term-signal: #f stop-signal: #f>
phase `check' failed after 285.6 seconds
command "make" "test" failed with status 2
builder for `/gnu/store/bb29cw1ngmyja9jc1sjf65m91x04kcqz-openssl-1.1.1l.drv'
failed with exit code 1
build of /gnu/store/bb29cw1ngmyja9jc1sjf65m91x04kcqz-openssl-1.1.1l.drv failed
View build log at
'/var/log/guix/drvs/bb/29cw1ngmyja9jc1sjf65m91x04kcqz-openssl-1.1.1l.drv.gz'.
guix build: error: build of
`/gnu/store/bb29cw1ngmyja9jc1sjf65m91x04kcqz-openssl-1.1.1l.drv'
failed
--8<---cut here---end--->8---
29cw1ngmyja9jc1sjf65m91x04kcqz-openssl-1.1.1l.drv.gz
Description: application/gzip
