Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nss: enable libpkix build #94188

Merged
merged 1 commit into from
Jul 30, 2020
Merged

nss: enable libpkix build #94188

merged 1 commit into from
Jul 30, 2020

Conversation

ajs124
Copy link
Member

@ajs124 ajs124 commented Jul 29, 2020

This was enabled by default with the old build system, but requires this flag with the new one

Fixes #93955

cc @vcunat

Compared to #94184:
Pro: long term fix
Con: causes more rebuilds

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

this was enabled by default with the old build system, but requires this flag with the new one

fixes #NixOS#93955
@vcunat
Copy link
Member

vcunat commented Jul 29, 2020

So this and temporarily resurrect the current nss "version" just for cacert? (which doesn't retain any reference anyway) EDIT: in order to keep the rebuilds down, revert that part on staging.

@vcunat
Copy link
Member

vcunat commented Jul 29, 2020

Oh scratch my last comment! I forgot that cacert only uses nss.src directly, so this PR won't rebuild that.

@ajs124
Copy link
Member Author

ajs124 commented Jul 29, 2020

Oh scratch my last comment! I forgot that cacert only uses nss.src directly, so this PR won't rebuild that.

Today I learned. That's cool, then we can probably just go with this.

Could use some more testers from #93955, maybe.

@ghost
Copy link

ghost commented Jul 29, 2020

Slack works, Discord also works. It seems it fixes the issue #93955. thank you very much @ajs124 @vcunat.

@vcunat
Copy link
Member

vcunat commented Jul 29, 2020

I tried firefox, though it shouldn't be a surprise that it appears to still work OK.

Copy link
Member

@dotlambda dotlambda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm writing this from qutebrowser built from this PR, works great!

@vcunat
Copy link
Member

vcunat commented Jul 30, 2020

It's quite unfortunate that the missing component of NSS wasn't detected during build time (by the packages needing that). Let's have a look at diff in files for NSS after this commit (3.54) and before the build-system change (3.52.1):

@@ -5,16 +5,12 @@
 result/lib:
 libfreebl3.chk
 libfreebl3.so
-libfreeblpriv3.chk
 libfreeblpriv3.so
-libgtest1.so
-libgtestutil.so
 libnss3.so
 libnssckbi.so
 libnssckbi-testlib.so
 libnssdbm3.chk
 libnssdbm3.so
-libnsspem.so
 libnsssysinit.so
 libnssutil3.so
 libpkcs11testmodule.so
@@ -69,6 +65,7 @@
 keythi.h
 lowkeyi.h
 lowkeyti.h
+mozpkix
 nssb64.h
 nssb64t.h
 nssbase.h
@@ -88,7 +85,6 @@
 nssilock.h
 nsslocks.h
 nsslowhash.h
-nsspem.h
 nssrwlk.h
 nssrwlkt.h
 nssutil.h
@@ -145,8 +141,24 @@
 utilparst.h
 utilrename.h
 
+result-dev/include/nss/mozpkix:
+Input.h
+nss_scoped_ptrs.h
+pkixcheck.h
+pkixder.h
+pkix.h
+pkixnss.h
+pkixtypes.h
+pkixutil.h
+Result.h
+test
+Time.h
+
+result-dev/include/nss/mozpkix/test:
+pkixtestnss.h
+pkixtestutil.h
+
 result-dev/lib:
-libcrmf.a
 pkgconfig
 
 result-dev/lib/pkgconfig:
@@ -162,6 +174,7 @@
 addbuiltin
 atob
 baddbdir
+blake2b_gtest
 bltest
 btoa
 certdb_gtest
@@ -181,15 +194,19 @@
 ecperf
 encodeinttest
 fbectest
-fipstest
+freebl_gtest
 httpserv
+hw-support
 listsuites
 lowhashtest
 makepqg
 mangle
 modutil
+mozpkix_gtest
+mpi_tests
 multinit
 nonspr10
+nss
 nss_bogo_shim
 nss-policy-check
 ocspclnt
@@ -208,6 +225,7 @@
 pk1sign
 pkix-errcodes
 pp
+prng_gtest
 pwdecrypt
 remtest
 rsaperf
@@ -218,7 +236,6 @@
 shlibsign
 signtool
 signver
-smime
 smime_gtest
 softoken_gtest
 ssl_gtest

Suspects: libnsspem and smime.

EDIT: I retried the diff on the same version (3.52.1) only changing the build system, but that seemed uninteresting – only brought one additional difference (missing pkix-errcodes tool).

Copy link
Member

@vcunat vcunat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I hope it will be fine. And this PR certainly seems to be a significant improvement anyway.

  • libnsspem seems typically packaged separately
  • the smime tool doesn't seem even packaged for Debian/Ubuntu

@vcunat vcunat merged commit a45f68c into NixOS:master Jul 30, 2020
@ajs124 ajs124 deleted the nss-libpkix branch July 30, 2020 11:26
@ajs124
Copy link
Member Author

ajs124 commented Jul 30, 2020

OK, I hope it will be fine. And this PR certainly seems to be a significant improvement anyway.

* libnsspem seems typically [packaged separately](https://repology.org/project/nss-pem/versions)

* the smime tool doesn't seem even packaged for Debian/Ubuntu

Sorry for overlooking this when doing the makefile -> gyp switch.

The PEM story is this whole weird thing where we ship this ancient patch introduced in #112
Other distros use this. I'm still not entirely clear on how to test any of this, as I'm sure I've stated before.

@billksun
Copy link
Contributor

Yep, this PR fixes my problem with openconnect-sso as well, which relies on qtwebengine. A big thank you to @ajs124, @vcunat, and everyone in the other related issues that jumped on this problem so quickly!

vcunat added a commit that referenced this pull request Aug 1, 2020
This reverts commit 34432ad.
It's apparently not needed after merge a45f68c (PR #94188)
braack pushed a commit to braack/nixpkgs that referenced this pull request Oct 29, 2020
This reverts commit 34432ad.
It's apparently not needed after merge a45f68c (PR NixOS#94188)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

NSS issue prevent apps to connect anymore
4 participants