Skip to content

firefox{,bin}: 62.0.3 -> 63.0 & nss: 3.38-> 3.39 #48862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 25, 2018
Merged

firefox{,bin}: 62.0.3 -> 63.0 & nss: 3.38-> 3.39 #48862

merged 3 commits into from
Oct 25, 2018
+407 −404

Conversation

andir
Copy link
Member

@andir andir commented Oct 23, 2018

Motivation for this change

The firefox release is scheduled for today. Not sure when exactly.. the release tarballs have been uploaded >24h ago.

cc @taku0

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

andir added 3 commits October 23, 2018 10:15
@andir
nss: 3.38 -> 3.39

Verified

This commit was signed with the committer’s verified signature. The key has expired.
andir Andreas Rammhold
GPG key ID: E432E410B5E48C86
Expired
Verified
Learn about vigilant mode
8a9b6bc
@andir
firefox: 62.0.3 -> 63.0

Verified

This commit was signed with the committer’s verified signature. The key has expired.
andir Andreas Rammhold
GPG key ID: E432E410B5E48C86
Expired
Verified
Learn about vigilant mode
277da59
@andir
firefox-bin: 62.0.3 -> 63.0

Verified

This commit was signed with the committer’s verified signature. The key has expired.
andir Andreas Rammhold
GPG key ID: E432E410B5E48C86
Expired
Verified
Learn about vigilant mode
5137c04
@andir andir added the 9.needs: port to stable A PR needs a backport to the stable release. label Oct 23, 2018
@GrahamcOfBorg
Copy link

Failure on x86_64-darwin (full log)

Attempted: nss

Partial log (click to expand)

building '/nix/store/0782dybi3wk39b41j447mpc2cdfxh9ni-curl-7.61.1.drv'...
/nix/store/ic9jk332yd71lwvgdwsi8jh4jjmw5j63-cctools-binutils-darwin-wrapper/nix-support/setup-hook: fork: retry: Resource temporarily unavailable
/nix/store/ic9jk332yd71lwvgdwsi8jh4jjmw5j63-cctools-binutils-darwin-wrapper/nix-support/setup-hook: fork: retry: Resource temporarily unavailable
/nix/store/ic9jk332yd71lwvgdwsi8jh4jjmw5j63-cctools-binutils-darwin-wrapper/nix-support/setup-hook: fork: retry: Resource temporarily unavailable
/nix/store/ic9jk332yd71lwvgdwsi8jh4jjmw5j63-cctools-binutils-darwin-wrapper/nix-support/setup-hook: fork: retry: Resource temporarily unavailable
/nix/store/ic9jk332yd71lwvgdwsi8jh4jjmw5j63-cctools-binutils-darwin-wrapper/nix-support/setup-hook: fork: Resource temporarily unavailable
builder for '/nix/store/0782dybi3wk39b41j447mpc2cdfxh9ni-curl-7.61.1.drv' failed with exit code 254
cannot build derivation '/nix/store/9qmi90k5wsm68wsdp5d0agq6qwk9y42p-nss-3.39.tar.gz.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/z9jrmj2h6a0shh79c3ixjzc88jxammbl-nss-3.39.drv': 1 dependencies couldn't be built
error: build of '/nix/store/z9jrmj2h6a0shh79c3ixjzc88jxammbl-nss-3.39.drv' failed

@andir
Copy link
Member Author

andir commented Oct 23, 2018

I should probably rebase this on staging due to the rebuild amounts. I am heading to the airport soon so it will probably not happen before tomorrow :/

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: nss

Partial log (click to expand)

    3b 97 d4 53
moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
Generate a DSA key pair ...
Moving /nix/store/6kmwmhx59d6ka5n0rzn36czgm4v6qfxm-nss-3.39/bin to /nix/store/7gdsip5zpp8i200agv4246s7s0x7m2q8-nss-3.39-tools/bin
rmdir: failed to remove '/nix/store/6kmwmhx59d6ka5n0rzn36czgm4v6qfxm-nss-3.39': Directory not empty
Moving /nix/store/7gdsip5zpp8i200agv4246s7s0x7m2q8-nss-3.39-tools/bin/nss-config to /nix/store/iyiivh80rga215nzmwsmakz1riam5ddk-nss-3.39-dev/bin/nss-config
rmdir: failed to remove '/nix/store/7gdsip5zpp8i200agv4246s7s0x7m2q8-nss-3.39-tools/bin': Directory not empty
Moving /nix/store/6kmwmhx59d6ka5n0rzn36czgm4v6qfxm-nss-3.39/lib/libcrmf.a to /nix/store/iyiivh80rga215nzmwsmakz1riam5ddk-nss-3.39-dev/lib/libcrmf.a
rmdir: failed to remove '/nix/store/6kmwmhx59d6ka5n0rzn36czgm4v6qfxm-nss-3.39/lib': Directory not empty
/nix/store/6kmwmhx59d6ka5n0rzn36czgm4v6qfxm-nss-3.39

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: nss

Partial log (click to expand)

    23 a6 a8 db
moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
Generate a DSA key pair ...
Moving /nix/store/k8vvvaisfmh6m8gdpi2aclgbj4fjxjr7-nss-3.39/bin to /nix/store/b819wicyn21rykg8qjklh90ww4kjj12s-nss-3.39-tools/bin
rmdir: failed to remove '/nix/store/k8vvvaisfmh6m8gdpi2aclgbj4fjxjr7-nss-3.39': Directory not empty
Moving /nix/store/b819wicyn21rykg8qjklh90ww4kjj12s-nss-3.39-tools/bin/nss-config to /nix/store/97dcvq0b2dnvxhy857csw1fp4m533m8d-nss-3.39-dev/bin/nss-config
rmdir: failed to remove '/nix/store/b819wicyn21rykg8qjklh90ww4kjj12s-nss-3.39-tools/bin': Directory not empty
Moving /nix/store/k8vvvaisfmh6m8gdpi2aclgbj4fjxjr7-nss-3.39/lib/libcrmf.a to /nix/store/97dcvq0b2dnvxhy857csw1fp4m533m8d-nss-3.39-dev/lib/libcrmf.a
rmdir: failed to remove '/nix/store/k8vvvaisfmh6m8gdpi2aclgbj4fjxjr7-nss-3.39/lib': Directory not empty
/nix/store/k8vvvaisfmh6m8gdpi2aclgbj4fjxjr7-nss-3.39

@tokudan
Copy link
Contributor

tokudan commented Oct 24, 2018

This release contains various critical security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/

@Moredread
Copy link
Contributor

@tokudan I have send a message to the people listed at https://nixos.org/nixos/security.html

@andir
Copy link
Member Author

andir commented Oct 24, 2018

Given the severity of the issues merging it straight to master and the release branches should be fine.

I'll try to get this done within the next hours.

@andir andir mentioned this pull request Oct 24, 2018
Merged
9 tasks
@andir andir merged commit d17ab80 into NixOS:master Oct 25, 2018
@andir andir deleted the firefox branch October 25, 2018 08:06
@andir andir mentioned this pull request Oct 25, 2018
Merged
9 tasks
@corngood
Copy link
Contributor

Since this change, I've been unable to build firefoxPackages.firefox.override { drmSupport = true; }, because ld consistently fails linking libxul.so:

/nix/store/qanjz18apdwi0vl98sdrvyf4z4hv65df-gcc-wrapper-7.3.0/bin/g++ -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++1z-compat -Wduplicated-cond -Wimplicit-fallthrough -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wformat -Wformat-security -Wformat-overflow=2 -fno-sized-deallocation -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -I/nix/store/vy07lp1grvsg4lvhmlgbw28fyxvakamm-icu4c-59.1-dev/include -g -freorder-blocks -O2 -fomit-frame-pointer  -fPIC -shared -Wl,-z,defs -Wl,--gc-sections -Wl,-h,libxul.so -o libxul.so /build/firefox-63.0.3/obj-x86_64-pc-linux-gnu/toolkit/library/libxul_so.list   -lpthread -Wl,-z,noexecstack -Wl,-z,text -Wl,-z,relro -Wl,-z,nocopyreloc -Wl,--build-id=sha1 /build/firefox-63.0.3/toolkit/library/StaticXULComponents.ld -Wl,-rpath-link,/build/firefox-63.0.3/obj-x86_64-pc-linux-gnu/dist/bin -Wl,-rpath-link,/nix/store/4pf7c8nw5i4s5dnl6ymakxpnbz4p4a8p-firefox-unwrapped-63.0.3/lib   ../../js/src/build/libjs_static.a x86_64-unknown-linux-gnu/release/libgkrust.a ../../security/sandbox/linux/libmozsandbox.so ../../config/external/lgpllibs/liblgpllibs.so ../../widget/gtk/mozgtk/stub/libmozgtk_stub.so -Wl,--version-script,symverscript  -ldl  -L/nix/store/jzbvj1l3kw5sypa9pmbsng10jc2i91nc-icu4c-59.1/lib -licui18n -licuuc -licudata -lrt -lm -lX11 -lX11-xcb -lxcb -lXcomposite -lXcursor -lXdamage -lXext -lXfixes -lXi -lXrender -L/nix/store/q6fb82838jbll27s2wzs6v6qvlk6s9yq-libffi-3.2.1/lib/../lib64 -lffi -L/nix/store/93w914f7mnhhsck2f5jwlbbxv9hgr86z-nspr-4.20/lib -lplds4 -lplc4 -lnspr4 -lpthread -ldl -lz -Wl,-rpath-link,/nix/store/yhvjkyyb0jx0vsb5pd16gr04j1rlvwbc-nss-3.39/lib64 -L/nix/store/yhvjkyyb0jx0vsb5pd16gr04j1rlvwbc-nss-3.39/lib64 -lssl3 -lsmime3 -lnss3 -lnssutil3 -L/nix/store/08x3hgx0izn4v0fsngchfmbqwlx4jqmw-sqlite-3.24.0/lib -lsqlite3 -L/nix/store/fmndsac5alw83lmm4lzrgfk7f07ri06w-freetype-2.9/lib -lfreetype -L/nix/store/f5aq9p3v96n0jdviaj6iska38z06vaqb-fontconfig-2.12.6-lib/lib -lfontconfig -ljpeg -lpng -L/nix/store/h42lfdmraqqh2l4a8n8fvcn8kbda338h-libevent-2.1.8/lib -levent -L/nix/store/h8yxiczjfij8qa7bvpsd4pyvv4qy8yfy-libvpx-1.7.0/lib -lvpx -L/nix/store/fgfrxvhz4qnzi7nl7fksn5j1sccl3sxv-pixman-0.34.0/lib -lpixman-1 -L/nix/store/720n32zm5w9nbq7zz6ibad4ab7sg3vn2-alsa-lib-1.1.7/lib -lasound -L/nix/store/9vfvinsf2blx98nqxhxgs4csna3v88jn-glib-2.56.0/lib -L/nix/store/da43a7cy7b4yxlh6da5fjdi95fh10agb-dbus-1.12.10-lib/lib -L/nix/store/6svjy9icxdalk074mgb0248r2c1wgs3k-dbus-glib-0.110/lib -ldbus-glib-1 -ldbus-1 -lgobject-2.0 -lglib-2.0 -L/nix/store/vgjgw273fl8yx6iljnagzgfzlf09rhxn-cairo-1.16.0/lib -L/nix/store/d7axxsgwsbh2isjgv813z7chnhp66v4p-pango-1.42.4/lib -L/nix/store/cp0w3abqg4f57xw04z0k53g3q3p57b3r-gdk-pixbuf-2.36.12/lib -L/nix/store/b3ca42n3vkaa85a9ivdl310izswcma4r-atk-2.28.1/lib -L/nix/store/66h9b9qanqjd848nh0cxhhn4daj5f19l-gtk+3-3.22.30/lib -lpangocairo-1.0 -lpango-1.0 -latk-1.0 -lcairo-gobject -lcairo -lgdk_pixbuf-2.0 -lgio-2.0 -L/nix/store/3442fhmx7lspdi2qd4kxyc3kzpzqldik-libstartup-notification-0.12/lib -lstartup-notification-1 -lxcb-shm -lpangoft2-1.0 -lXt -lgthread-2.0
collect2: error: ld returned 1 exit status

I'm unable to reproduce it in nix-shell, so I'm thinking it's hitting some sort of limit in nix-daemon. The only thing I can find is LimitNOFILE = 4096; in the nix-daemon unit config.

Has anyone else seen this?

@vcunat
Copy link
Member

vcunat commented Nov 25, 2018

LimitNOFILE: observed default for ulimit -n is 1024 (and 4096 for -Hn).

@corngood
Copy link
Contributor

@vcunat I also see 1024/4096 from prlimit in my nix-shell where it's able to link correctly.

I don't see anything in my kernel/system logs around when it dies.

@samueldr samueldr removed the 9.needs: port to stable A PR needs a backport to the stable release. label Apr 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
10.rebuild-darwin: 501+ 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@andir @GrahamcOfBorg @tokudan @Moredread @corngood @vcunat @samueldr