firefox-esr-68: drop #97612

Merged
merged 1 commit into from Sep 13, 2020

Conversation

ajs124
Member

@ajs124 ajs124 commented Sep 10, 2020

Motivation for this change

Upstream EOL. This also needs a backport to 20.09, because we missed the branch-off on this.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@worldofpeace worldofpeace added this to To Do in 20.09 Blockers via automation Sep 10, 2020
@worldofpeace worldofpeace added this to the 20.09 milestone Sep 10, 2020
@andir
Member

andir commented Sep 10, 2020 via email

@vcunat
Member

vcunat commented Sep 10, 2020

Either this or just mark it as insecure for now. I'm not aware of any particular reasons to keep 68 around a bit longer (as insecure), unlike the situation that was with 52 for example.

@ajs124
Member Author

ajs124 commented Sep 10, 2020

Why was 52 kept around? Also, this is the only use of nss_3_44 in nixpkgs. That's an ESR release though and we might need it for Firefox 78 if that becomes incompatible with newer nss releases.

@vcunat
Member

vcunat commented Sep 10, 2020

Quantum certainly did have some unpleasant consequences, but it's probably best to refer to past threads like #45787

@vcunat
Member

vcunat commented Sep 10, 2020

78 has its own branch of nss upstream (3.53), so I don't see why we should keep 3.44 without FF 68.

@vcunat
Member

vcunat commented Sep 10, 2020

BTW, Thunderbird will be an interesting story, as even today's 78 version isn't considered good enough to be default (by upstream) and 68 surely won't be supported for the whole 20.09 cycle.

@flokli
Contributor

flokli commented Sep 10, 2020

@ajs124 would you mind also adding the following patch:

From 00cb1b182954d076f814889497c1630641177476 Mon Sep 17 00:00:00 2001
From: Florian Klink <flokli@flokli.de>
Date: Thu, 10 Sep 2020 20:40:16 +0200
Subject: [PATCH] nss_3_44: remove

This was only used for firefox-esr-68.
---
 .../networking/browsers/firefox/packages.nix  |   2 +-
 pkgs/development/libraries/nss/3.44.nix       | 144 ------------------
 .../libraries/nss/85_security_load-3.44.patch |  81 ----------
 pkgs/top-level/aliases.nix                    |   1 +
 pkgs/top-level/all-packages.nix               |   1 -
 5 files changed, 2 insertions(+), 227 deletions(-)
 delete mode 100644 pkgs/development/libraries/nss/3.44.nix
 delete mode 100644 pkgs/development/libraries/nss/85_security_load-3.44.patch

diff --git a/pkgs/applications/networking/browsers/firefox/packages.nix b/pkgs/applications/networking/browsers/firefox/packages.nix
index a024fc359d8..a5c017d9490 100644
--- a/pkgs/applications/networking/browsers/firefox/packages.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages.nix
@@ -1,4 +1,4 @@
-{ config, stdenv, lib, callPackage, fetchurl, nss_3_44 }:
+{ config, stdenv, lib, callPackage, fetchurl }:
 
 let
   common = opts: callPackage (import ./common.nix opts) {};
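
Review bot: the header change at `-{ config, stdenv, lib, callPackage, fetchurl, nss_3_44 }:` only evaluates if nothing left in packages.nix still refers to `nss_3_44`; the diffstat shows this file changing by a single line, so the hunk relies on the PR's own commit having already removed the firefox-esr-68 attribute that consumed it. Applied on its own (for instance cherry-picked into the 20.09 backport mentioned in the description) it would leave an undefined variable in the body, so the commit message should state that this patch sits on top of the firefox-esr-68 removal.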
diff --git a/pkgs/development/libraries/nss/3.44.nix b/pkgs/development/libraries/nss/3.44.nix
deleted file mode 100644
index ad58bfccaee..00000000000
--- a/pkgs/development/libraries/nss/3.44.nix
+++ /dev/null
@@ -1,144 +0,0 @@
-{ stdenv, fetchurl, nspr, perl, zlib, sqlite, fixDarwinDylibNames, buildPackages }:
-
-let
-  nssPEM = fetchurl {
-    url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";
-    sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
-  };
-  version = "3.44.4";
-  underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
-
-in stdenv.mkDerivation rec {
-  pname = "nss";
-  inherit version;
-
-  src = fetchurl {
-    url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
-    sha256 = "7ec1a52e20fd9a23e1907eeba8f4f2ecd619dac5d20fa023ec5b4faa1843e847";
-  };
-
-  depsBuildBuild = [ buildPackages.stdenv.cc ];
-
-  nativeBuildInputs = [ perl ];
-
-  buildInputs = [ zlib sqlite ]
-    ++ stdenv.lib.optional stdenv.isDarwin fixDarwinDylibNames;
-
-  propagatedBuildInputs = [ nspr ];
-
-  prePatch = ''
-    xz -d < ${nssPEM} | patch -p1
-  '';
-
-  patches =
-    [
-      # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
-      ./85_security_load-3.44.patch
-      ./ckpem.patch
-    ];
-
-  patchFlags = [ "-p0" ];
-
-  postPatch = stdenv.lib.optionalString stdenv.isDarwin ''
-    substituteInPlace nss/coreconf/Darwin.mk --replace '@executable_path/$(notdir $@)' "$out/lib/\$(notdir \$@)"
-  '';
-
-  outputs = [ "out" "dev" "tools" ];
-
-  preConfigure = "cd nss";
-
-  makeFlags = let
-    # NSS's build systems expects aarch32 to be called arm; if we pass in armv6l/armv7l, it
-    # fails with a linker error
-    cpu = if stdenv.hostPlatform.isAarch32 then "arm" else stdenv.hostPlatform.parsed.cpu.name;
-  in [
-    "NSPR_INCLUDE_DIR=${nspr.dev}/include"
-    "NSPR_LIB_DIR=${nspr.out}/lib"
-    "NSDISTMODE=copy"
-    "BUILD_OPT=1"
-    "SOURCE_PREFIX=\$(out)"
-    "NSS_ENABLE_ECC=1"
-    "USE_SYSTEM_ZLIB=1"
-    "NSS_USE_SYSTEM_SQLITE=1"
-    "NATIVE_CC=${buildPackages.stdenv.cc}/bin/cc"
-  ] ++ stdenv.lib.optionals (!stdenv.isDarwin) [
-    # Pass in CPU even if we're not cross compiling, because otherwise it tries to guess with
-    # uname, which can be wrong if e.g. we're compiling for aarch32 on aarch64
-    "OS_TEST=${cpu}"
-    "CPU_ARCH=${cpu}"
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
-    "CROSS_COMPILE=1"
-    "NSS_DISABLE_GTESTS=1" # don't want to build tests when cross-compiling
-  ] ++ stdenv.lib.optional stdenv.is64bit "USE_64=1"
-    ++ stdenv.lib.optional stdenv.isDarwin "CCC=clang++";
-
-  NIX_CFLAGS_COMPILE = "-Wno-error";
-
-  # TODO(@oxij): investigate this: `make -n check` works but `make
-  # check` fails with "no rule", same for "installcheck".
-  doCheck = false;
-  doInstallCheck = false;
-
-  postInstall = ''
-    rm -rf $out/private
-    mv $out/public $out/include
-    mv $out/*.OBJ/* $out/
-    rmdir $out/*.OBJ
-
-    ln -s lib $out/lib64
-
-    # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672
-    # https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a
-    NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h | awk '{print $3}'`
-    NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h | awk '{print $3}'`
-    NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h | awk '{print $3}'`
-    PREFIX="$out"
-
-    mkdir -p $out/lib/pkgconfig
-    sed -e "s,%prefix%,$PREFIX," \
-        -e "s,%exec_prefix%,$PREFIX," \
-        -e "s,%libdir%,$PREFIX/lib64," \
-        -e "s,%includedir%,$dev/include/nss," \
-        -e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \
-        -e "s,%NSPR_VERSION%,4.16,g" \
-        pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc
-    chmod 0644 $out/lib/pkgconfig/nss.pc
-
-    sed -e "s,@prefix@,$PREFIX," \
-        -e "s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \
-        -e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \
-        -e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \
-        pkg/pkg-config/nss-config.in > $out/bin/nss-config
-    chmod 0755 $out/bin/nss-config
-  '';
-
-  postFixup = let
-    isCross = stdenv.hostPlatform != stdenv.buildPlatform;
-    nss = if isCross then buildPackages.nss.tools else "$out";
-  in ''
-    for libname in freebl3 nssdbm3 softokn3
-    do '' +
-    (if stdenv.isDarwin
-     then ''
-       libfile="$out/lib/lib$libname.dylib"
-       DYLD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \
-     '' else ''
-       libfile="$out/lib/lib$libname.so"
-       LD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \
-     '') + ''
-        ${nss}/bin/shlibsign -v -i "$libfile"
-    done
-
-    moveToOutput bin "$tools"
-    moveToOutput bin/nss-config "$dev"
-    moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example
-    rm -f "$out"/lib/*.a
-  '';
-
-  meta = with stdenv.lib; {
-    homepage = "https://developer.mozilla.org/en-US/docs/NSS";
-    description = "A set of libraries for development of security-enabled client and server applications";
-    license = licenses.mpl20;
-    platforms = platforms.all;
-  };
-}
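
Review bot: the deleted expression still lists `./ckpem.patch` next to the deleted `./85_security_load-3.44.patch`, and ckpem.patch does not appear in the diffstat; confirm the default nss expression still applies it, otherwise it is left behind as an orphaned file. The commit message's premise "This was only used for firefox-esr-68" is also the point that later falls over in this thread (Thunderbird 68 uses nss_3_44 as of a62d988), so a search for the attribute across pkgs/ belongs in the verification before the derivation is removed.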
diff --git a/pkgs/development/libraries/nss/85_security_load-3.44.patch b/pkgs/development/libraries/nss/85_security_load-3.44.patch
deleted file mode 100644
index 132d5a96b29..00000000000
--- a/pkgs/development/libraries/nss/85_security_load-3.44.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/cmd/shlibsign/shlibsign.c nss/cmd/shlibsign/shlibsign.c
---- nss/cmd/shlibsign/shlibsign.c	2017-01-04 15:24:24.000000000 +0100
-+++ nss/cmd/shlibsign/shlibsign.c	2017-01-24 14:43:31.030420852 +0100
-@@ -875,6 +875,8 @@
-         goto cleanup;
-     }
-     lib = PR_LoadLibrary(libname);
-+    if (!lib)
-+        lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so");
-     assert(lib != NULL);
-     if (!lib) {
-         PR_fprintf(PR_STDERR, "loading softokn3 failed");
-diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/coreconf/config.mk nss/coreconf/config.mk
---- nss/coreconf/config.mk	2017-01-04 15:24:24.000000000 +0100
-+++ nss/coreconf/config.mk	2017-01-24 14:43:47.989432372 +0100
-@@ -202,3 +202,6 @@
- 
- # Hide old, deprecated, TLS cipher suite names when building NSS
- DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
-+
-+# Nix specific stuff.
-+DEFINES += -DNIX_NSS_LIBDIR=\"$(out)/lib/\"
-diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/lib/pk11wrap/pk11load.c nss/lib/pk11wrap/pk11load.c
---- nss/lib/pk11wrap/pk11load.c	2017-01-04 15:24:24.000000000 +0100
-+++ nss/lib/pk11wrap/pk11load.c	2017-01-24 14:45:06.883485652 +0100
-@@ -440,6 +440,13 @@
-          * unload the library if anything goes wrong from here on out...
-          */
-         library = PR_LoadLibrary(mod->dllName);
-+        if ((library == NULL) &&
-+            !rindex(mod->dllName, PR_GetDirectorySeparator())) {
-+            library = PORT_LoadLibraryFromOrigin(my_shlib_name,
-+                (PRFuncPtr) &softoken_LoadDSO,
-+                mod->dllName);
-+        }
-+
-         mod->library = (void *)library;
- 
-         if (library == NULL) {
-diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/lib/util/secload.c nss/lib/util/secload.c
---- nss/lib/util/secload.c	2017-01-04 15:24:24.000000000 +0100
-+++ nss/lib/util/secload.c	2017-01-24 14:43:31.030420852 +0100
-@@ -70,9 +70,14 @@
- 
-     /* Remove the trailing filename from referencePath and add the new one */
-     c = strrchr(referencePath, PR_GetDirectorySeparator());
-+    if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0]
-+               * and program was called from $PATH. Hack to get libs from NIX_NSS_LIBDIR */
-+        referencePath = NIX_NSS_LIBDIR;
-+        c = (char*) &referencePath[sizeof(NIX_NSS_LIBDIR) - 1]; /* last / */
-+    }
-     if (c) {
-         size_t referencePathSize = 1 + c - referencePath;
--        fullName = (char*)PORT_Alloc(strlen(name) + referencePathSize + 1);
-+        fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5);
-         if (fullName) {
-             memcpy(fullName, referencePath, referencePathSize);
-             strcpy(fullName + referencePathSize, name);
-@@ -82,6 +87,11 @@
- #endif
-             libSpec.type = PR_LibSpec_Pathname;
-             libSpec.value.pathname = fullName;
-+            if ((referencePathSize >= 4) &&
-+                (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) {
-+                memcpy(fullName + referencePathSize -4, "lib", 3);
-+            }
-+            strcpy(fullName + referencePathSize, name);
-             dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL
- #ifdef PR_LD_ALT_SEARCH_PATH
-                                                        /* allow library's dependencies to be found in the same directory
-@@ -89,6 +99,10 @@
-                                                        | PR_LD_ALT_SEARCH_PATH
- #endif
-                                           );
-+            if (! dlh) {
-+                strcpy(fullName + referencePathSize, name);
-+                dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
-+            }
-             PORT_Free(fullName);
-         }
-     }
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 0f21c24af67..4018e5589ae 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -340,6 +340,7 @@ mapAliases ({
   nix-review = nixpkgs-review; # added 2019-12-22
   nmap_graphical = nmap-graphical;  # added 2017-01-19
   nologin = shadow; # added 2018-04-25
+  nss_3_44 = throw "removed while dropping firefox-esr-68"; # added 2020-09-10
   nxproxy = nx-libs; # added 2019-02-15
   nylas-mail-bin = throw "deprecated in 2019-09-11: abandoned by upstream";
   opencascade_oce = opencascade; # added 2018-04-25
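
Review bot: `nss_3_44 = throw "removed while dropping firefox-esr-68";` turns every remaining reference into an evaluation error rather than a silent fallback, which is the right behaviour for a removed package, but it also means any consumer not covered by the firefox-esr-68 removal (the thread identifies Thunderbird 68) stops evaluating the moment this lands; either drop that consumer first or keep the attribute until it moves to a newer nss. Minor style point: the neighbouring throw entry puts the date inside the message (`nylas-mail-bin = throw "deprecated in 2019-09-11: ...";`), so consider the same form here instead of the trailing `# added 2020-09-10` comment used by the rename aliases.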
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 81c15de2d15..5fe70a31c68 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -14472,7 +14472,6 @@ in
   };
 
   nss = lowPrio (callPackage ../development/libraries/nss { });
-  nss_3_44 = lowPrio (callPackage ../development/libraries/nss/3.44.nix { });
   nssTools = nss.tools;
 
   nss_wrapper = callPackage ../development/libraries/nss_wrapper { };
-- 
2.28.0

@ajs124 ajs124 marked this pull request as draft September 10, 2020 19:04
@ajs124
Member Author

ajs124 commented Sep 10, 2020

Also, this is the only use of nss_3_44 in nixpkgs.

I thought I checked this… turns out, Thunderbird is using this as of a62d988.
@taku0 does Thunderbird 68.x not compile with more modern NSS, either?

@vcunat
Member

vcunat commented Sep 10, 2020

Right, I forgot, even though I posted about both Thunderbird and this NSS version :-/ IIRC it did fail with newer NSS, meaning we can't drop it just yet.

@flokli
Contributor

flokli commented Sep 11, 2020

Ooof, well, in that case we'd need to drop the nss_3_44 commit from that PR again.

@ajs124 ajs124 marked this pull request as ready for review September 11, 2020 11:19
@vcunat
Member

vcunat commented Sep 11, 2020

/cc @NixOS/nixos-release-managers for the 20.09 implications. (Say, in case they only want FF to be marked as insecure in 20.09.) With Thunderbird there seems to be not much choice ATM.

@worldofpeace
Contributor

/cc @NixOS/nixos-release-managers for the 20.09 implications. (Say, in case they only want FF to be marked as insecure in 20.09.) With Thunderbird there seems to be not much choice ATM.

Thx, I approve of this PR and marked it as blocker.

@vcunat vcunat merged commit 544c8db into NixOS:master Sep 13, 2020
20.09 Blockers automation moved this from To Do to Done Sep 13, 2020
vcunat added a commit that referenced this pull request Sep 13, 2020
(cherry picked from commit 544c8db)
@ajs124 ajs124 deleted the drop/firefox-esr-68 branch September 13, 2020 13:27
@worldofpeace worldofpeace added this to In progress in 20.09 Blockers via automation Oct 5, 2020
@worldofpeace worldofpeace removed this from Done in 20.09 Blockers Oct 5, 2020
@worldofpeace worldofpeace moved this from In progress to Done in 20.09 Blockers Oct 5, 2020