nss: 3.52.1 -> 3.54 #91746

Merged
merged 2 commits into from Jul 17, 2020

ajs124 (Member) commented Jun 29, 2020

Motivation for this change

This has been out for a bit and the Firefox release due tomorrow requires 3.53+.
As noted in #89438, there are some issues with this update. They were most likely introduced in nss-dev/nss@eee8f82.

Looking at how we're building this, I noticed that we're using the legacy build system.
The new one depends on gyp, which depends on python2. That's not great, but at least it works.

The patches are commented out, because with them it fails

cc @andir @vcunat

TODO
  • test if anything besides compiling works
  • fix patches
  • test cross compiling
  • test darwin

vcunat (Member) commented Jun 29, 2020

Unfortunately this is currently based on a staging commit where firefox fails to build with

/nix/store/c9lv38avybpz0laav8dy3455bpnamqqk-stdenv-linux/setup: line 100: /nix/store/r322iwc2b61r53rgdxw8l9d4hgwhzcbi-gcc-wrapper-9.3.0/nix-support/libcxx-cxxflags: No such file or directory

EDIT: cross-ref: #85189 (comment) (solved)

@ajs124 ajs124 marked this pull request as ready for review July 2, 2020 22:14
vcunat (Member) commented Jul 3, 2020

For now I just tried building these atop current staging-next (x86_64 NixOS). Firefox 77 and 78 (#92043) both started up and showed some pages OK.

vcunat (Member) left a comment

I see no issue with this. EDIT: looked at upstream release notes, too.

@ajs124 ajs124 marked this pull request as draft July 5, 2020 18:31
@ajs124 ajs124 force-pushed the upd/nss-3.54 branch 2 times, most recently from ccc22cc to e152e55 July 5, 2020 21:19
ajs124 (Member, Author) commented Jul 5, 2020

There's another instance of patching .mk files, in postPatch. That's darwin specific though and I don't have any 🍎 hardware.

Also: we might not want to merge this as is, because it will break at least firefox-esr-68, see #92043

vcunat (Member) commented Jul 5, 2020

The errors seem to be about some changes in C++ class inheritance:

In file included from /build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:11,
                 from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/build/firefox-68.10.0/security/certverifier/NSSCertDBTrustDomain.h:191:18: error: 'virtual mozilla::psm::NSSCe
  191 |   virtual Result CheckRevocation(
      |                  ^~~~~~~~~~~~~~~
In file included from /build/firefox-68.10.0/security/apps/AppTrustDomain.h:10,
                 from /build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:9,
                 from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/nix/store/d1z0ywdpfygvsbi35ngyc47fz5ddzc1d-nss-3.54-dev/include/nss/mozpkix/pkixtypes.h:279:18: warning: 'virt
  279 |   virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
      |                  ^~~~~~~~~~~~~~~
In file included from /build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:11,
                 from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/build/firefox-68.10.0/security/certverifier/NSSCertDBTrustDomain.h:191:18: warning:   by 'virtual mozilla::psm
  191 |   virtual Result CheckRevocation(
      |                  ^~~~~~~~~~~~~~~
In file included from /build/firefox-68.10.0/obj-x86_64-pc-linux-gnu/security/apps/Unified_cpp_security_apps0.c
/build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp: In function 'nsresult {anonymous}::VerifyCer
/build/firefox-68.10.0/security/apps/AppSignatureVerification.cpp:628:18: error: cannot declare variable 'trust
  628 |   AppTrustDomain trustDomain(builtChain, nullptr);
      |                  ^~~~~~~~~~~

vcunat (Member) commented Jul 5, 2020

If they planned full compatibility, I wouldn't see a reason for this line in there:

NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR.

Perhaps we'll (eventually) be forced to use different NSS versions for ESR and non-ESR :-/

ajs124 (Member, Author) commented Jul 6, 2020

I also tested 3.53.1, the current LTS release, but 68esr (which is still supported for at least one release, I think?) doesn't compile with that, either.
So what are the options here? Duplicate NSS? Drop 68esr before upstream does? If you're running master/unstable you're probably not running a firefox ESR and it'll have to be dropped by 20.09 anyways.

ajs124 (Member, Author) commented Jul 9, 2020

I asked upstream and they said the "intended" version for ESR 68 is 3.44.4. They also opened this issue https://bugzilla.mozilla.org/show_bug.cgi?id=1651505

I don't feel like I'm in the position to make a decision on if we should have two versions of NSS, drop ESR 68 or whatever else to do, so I'll probably have to leave this as is, for now.

vcunat (Member) commented Jul 12, 2020

@GrahamcOfBorg build nss
(let's try darwin)

vcunat (Member) commented Jul 12, 2020

Cross gets broken by this PR 😞 I tried usual x86_64 -> armv7l. First issue with wrong python2 is fixed by switching to buildPackages.python2. After that it won't work due to the build system passing -m64 to the compiler.

vcunat (Member) commented Jul 12, 2020

As for firefox-esr, bringing back extra nss_3_44 attribute isn't hard, so I'd go that way (I tested the build locally).

ajs124 (Member, Author) commented Jul 13, 2020

> Cross gets broken by this PR 😞 I tried usual x86_64 -> armv7l. First issue with wrong python2 is fixed by switching to buildPackages.python2. After that it won't work due to the build system passing -m64 to the compiler.

Yeah, turns out I didn't remember how nixpkgs uses "host"…

It still fails like this, though:

  [287/833] if [ ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -o ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ]; then armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/freebl/freebl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rsp && { armv6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -f1-2 -d' '; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; else armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/freebl/freebl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rsp && { armv6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -f1-2 -d' '; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp && if ! cmp -s /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; then mv /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ; fi; fi
  FAILED: /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC
  if [ ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -o ! -e /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ]; then armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/freebl/freebl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rsp && { armv6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -f1-2 -d' '; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; else armv6l-unknown-linux-gnueabihf-gcc -shared -Wl,--version-script,obj/lib/freebl/freebl3.gen/out.freebl_hash.def -Wl,--gc-sections -Wl,-z,defs -z noexecstack -o /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so -Wl,-soname=libfreebl3.so @/nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.rsp && { armv6l-unknown-linux-gnueabihf-readelf -d /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | grep SONAME ; armv6l-unknown-linux-gnueabihf-nm -gD -f p /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so | cut -f1-2 -d' '; } > /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp && if ! cmp -s /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC; then mv /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.tmp /nix/store/bp86d2msz2bl7m3l9mad4p1i4smkkrb8-nss-3.54-armv6l-unknown-linux-gnueabihf/lib/libfreebl3.so.TOC ; fi; fi
  /nix/store/357bnhz05gbfvhih538fx19f7hbx76h3-armv6l-unknown-linux-gnueabihf-binutils-2.31.1/bin/armv6l-unknown-linux-gnueabihf-ld:obj/lib/freebl/freebl3.gen/out.freebl_hash.def:0: syntax error in VERSION script
  collect2: error: ld returned 1 exit status
  ninja: build stopped: subcommand failed.

@ajs124 ajs124 marked this pull request as ready for review July 15, 2020 16:23
@ajs124 ajs124 marked this pull request as draft July 15, 2020 16:24
ajs124 (Member, Author) commented Jul 15, 2020

@vcunat cross compilation should work now. I've asked upstream what's up with them trying to run a target (or build in nixpkgs terms) binary during build.

dasJ (Member) commented Jul 15, 2020

@GrahamcOfBorg build nss

flokli (Contributor) commented Jul 17, 2020

@GrahamcOfBorg build nss

flokli (Contributor) commented Jul 17, 2020

The darwin builders seem stuck again.

Let's merge this into staging, if it breaks the darwin build, it can still be fixed during the staging cycle.

@ajs124 ajs124 marked this pull request as ready for review July 17, 2020 21:56
@flokli flokli merged commit ab1cbc8 into NixOS:staging Jul 17, 2020
@ajs124 ajs124 deleted the upd/nss-3.54 branch July 17, 2020 22:06
vcunat added a commit that referenced this pull request Jul 19, 2020
vcunat added a commit that referenced this pull request Jul 19, 2020
vcunat (Member) commented Jul 20, 2020

Well, darwin is broken: https://hydra.nixos.org/build/124134212
