Bug 527867

Summary: nss-softokn.x86_64 satisfies nss.i686 requires
Product: [Fedora] Fedora Reporter: Jens Petersen <petersen>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: emaldona, kdudka, kengert, rrelyea, wtc
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-05 21:25:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
changes to ensure nss-softokn and nss-util have the same %{_isa} as nss (#527867)
none
softoken client application repo
none
repo file so you can install nss with the fix from my repo
none
Proposed spec file changes none

Description Jens Petersen 2009-10-08 01:31:13 UTC
Description of problem:
I fear this may be an rpm weakness, but I see that
nss-softokn.x86_64 satisfies nss.i686 "Requires: nss-softokn"
which breaks https when running 32bit chromium builds
on F12.

I think it would be good if nss.i686 pulled in nss-softokn.i686.

Version-Release number of selected component (if applicable):
nss-3.12.4-14.fc12
nss-softokn-3.12.4-10

How reproducible:
every time
Is it possible to hav
Steps to Reproduce:
1. yum install google-chrome-unstable.i386
2. run and goto https page
3. yum install nss-softokn.i686
4. repeat 2

Actual results:
1. pulls in nss.i686
2. fails giving NSS error (see http://code.google.com/p/chromium/issues/detail?id=23797)
4. works

Expected results:
1. should have installed nss-softokn.i686

Additional info:
This may be because of the debian sonames linked into
google-chrome-unstable but it didn't happen before
nss-softokn exists, eg F11 is fine.

Comment 1 Elio Maldonado Batiz 2009-10-09 15:05:34 UTC
The nss package requires nss-softokn and it seems that both nss-softokn.x64-64 and nss-softokn.i686 fullfull the implicit provides nss-softokn. A possible solution would be to change the line
Requires:         nss-softokn >= %{nss_softokn_version} to
Requires:         nss-softokn%{_isa} >= %{nss_softokn_version}

Please try the scratch build with such changes at
http://koji.fedoraproject.org/koji/taskinfo?taskID=1738172

If it works I would still like to have Bob or Kai review such changes.

Comment 2 Elio Maldonado Batiz 2009-10-09 15:07:48 UTC
Created attachment 364259 [details]
changes to ensure nss-softokn and nss-util have the same %{_isa} as nss (#527867)

Comment 3 Wan-Teh Chang 2009-10-09 16:09:46 UTC
> Requires:         nspr >= %{nspr_version}

Does this also need the %{_isa} treatment?

Could you check the spec files for the other nss-related
changes, such as nss-softokn, nss-softokn-freebl,
nss-util, and nss-tools?  Thanks.

Comment 4 Elio Maldonado Batiz 2009-10-11 17:35:28 UTC
(In reply to comment #3) 
nspr does not need the %{_isa} treatment, nor does %{nss_util} or any other package or subpackage. This attempt doesn't work. I installed google-crome-unstable on an x86_64 F-12 system and it pulled the i686 versions of nspr, nss, nss-util, and nss-softokn-freebl but it didn't pulled nss-softokn. To my surprise it pulls in the i686 nss-softokn-freebl which now is a subpackage of nss-softokn but not the latter. I still don't have an explanation for this. 

Once there is an x86_64 build of google-chrome it won't be a problem. Even so it would be nice to understand why a package's 32-bit version isn't pulled in while one of its subpackages is. I'm out ths week so I won't be able to pursue this for a while.

Comment 5 Jens Petersen 2009-10-12 08:51:52 UTC
I am guessing there is no explicit library dependency
and that is why rpm thinks x86_64 is good enough?
Otherwise sounds like an extra rpm bug...

How about making nss.i686 require nss-softokn(x86-32) like
spot's chromium does for nss-mdns as a workaround?

Comment 6 Wan-Teh Chang 2009-10-12 18:43:56 UTC
An x86_64 build of google-chrome will merely hide this
bug.  The bug still exists that a 32-bit NSS-based
application may not pull in the i686 version of
nss-softokn on an x86_64 Fedora 12 system

Comment 7 Elio Maldonado Batiz 2009-10-21 15:36:24 UTC
Yes, this will not be a problem once chrome has an x86_64 version but will continue to be a problem for 32-bit-only NSS clients.  The problem is related to dynamic linking. NSS, actually nss-softoken in F12, has three libraries which are signed. These are freebl3.so, softokn3.so, and nssdbm3.so. We black list them in /etc/prelink.d/nss-softokn.conf so prelink will not touch them. We also rely on dynamic linking annd document that client code rely on dynamic linking. In our the makefiles there is no -lsoftokn3 nor -lfreebl3 nor -lnssdm3 option so. That way client code can still be processed by prelink without any errors caused by the fact that libraries that they depend on aren't prelinked. The fact that thre aren't visible traces of the dependency I believe is what's causing yum/rpm not to bring in nss-softokn. 

The fact that when google-chrome 32-bit was installed and nss i686 but was pulled in and consequently nss-softoken-freebl was also pulled in whereas nss-softokn wans't caused me surprise as I had mentioned. It so happens that glibc still links statically with nss-softokn-freebl and that explains why nss-softokn-freebl that's show the problem.

I think my earlier attempt at a solution: having in the nss.spec
Requires:  nss-softokn%{_isa} >= %{nss_softokn_version}
will be a good work-around. It didn't work before because it was a scratch buld and yum couldn't find it anywher to bring down. I just have to place it in a repository for it to work and will work on this next. Can't make an F12 normal build yet as we are in Beta stage but will post one in my own repository.

Comment 8 Elio Maldonado Batiz 2009-10-21 15:58:35 UTC
As google-chrome-unstable isn't currently available I have tried using the fedora one descrived here
http://rajaseelan.com/2009/07/04/how-to-install-google-chrome-in-fedora-10-or-fedora-11/. This one seems to ne synchronized nightly with google's.
I am running on an x86_64 based system get the 32-bit version I installe using 'yum install chromium.i686'. Here's what I see
<clipped>
Installing:
 chromium            i686  4.0.220.0-0.1.20090930svn27599.fc12  chromium  7.8 M
Installing for dependencies:
<clipped>
 nspr                i686  4.8-2.fc12                           rawhide   105 k
 nss                 i686  3.12.4-14.fc12                       rawhide   715 k
 nss-mdns            i686  0.10-8.fc12                          rawhide    22 k
 nss-softokn         i686  3.12.4-10.fc12                       rawhide   159 k
 nss-softokn-freebl  i686  3.12.4-10.fc12                       rawhide   104 k
 nss-util            i686  3.12.4-8.fc12                        rawhide    42 k
               rawhide    69 k
<clipped>

It's pulling in nss-softokn now. I haven't made my planned nss changes yet. 
Have there been any changes in google-chrome to work around this problem?

Comment 9 Elio Maldonado Batiz 2009-10-22 00:53:22 UTC
Created attachment 365633 [details]
softoken client application repo

This is for testing the bug and the proposed fix. Copy this to /etc/yum.repos.d. It will allow you to install softokeninfo, an application that calls softokn directly. It's just shlibsign renamed. Only the i686 part of client.repo is enabled so we can see the problem. Execute 
'sudo yum install softokeninfo'.

Examine the results and answer N at the prompt. Near the bottom you should see something like this (I removed white space so it fits here)
..... 
Installing:
 softokeninfo           i686         1-1             client       11 k
Installing for dependencies:
 glibc                  i686         2.10.90-25      rawhide      4.5 M
 nspr                   i686         4.8-2.fc12      rawhide      105 k
 nss                    i686         3.12.4-14.fc12  rawhide      715 k
 nss-softokn-freebl     i686         3.12.4-10.fc12  rawhide      104 k
 nss-util               i686         3.12.4-8.fc12   rawhide      42 k
...
nss-softokn i686 is not listed, that's the problem. The next attachment will show the fix.

Comment 10 Elio Maldonado Batiz 2009-10-22 01:06:42 UTC
Created attachment 365635 [details]
repo file so you can install nss with the fix from my repo

Copy this file to /etc/yum.repos.d. This makes the nss build available from the testing yum repository. Execute
sudo yum install softokeninfo as before. This time the output should look like this (lines omitted and spaces deleted for clarity)
.....
Installing:
 softokeninfo            i686      1-1                   client          11 k
Installing for dependencies:
 glibc                   i686      2.10.90-25            rawhide         4.5 M
 ncurses-libs            i686      5.7-3.20090207.fc12   rawhide         235 k
 nspr                    i686      4.8-2.fc12            rawhide         105 k
 nss                     i686      3.12.4-14.1.fc12      nss             714 k
 nss-softokn             i686      3.12.4-10.fc12        rawhide         159 k
 nss-softokn-freebl      i686      3.12.4-10.fc12        rawhide         104 k
 nss-util                i686      3.12.4-8.fc12         rawhide          42 k
 readline                i686      6.0-3.fc12            rawhide         169 k
...
nss-softokn i686 is now pulled in as desired.

Comment 11 Elio Maldonado Batiz 2009-10-22 01:24:32 UTC
Created attachment 365636 [details]
Proposed spec file changes

Comment 12 Elio Maldonado Batiz 2009-10-22 14:48:23 UTC
Comment on attachment 365636 [details]
Proposed spec file changes

Requesting Kai's review on this change.

Comment 13 Kai Engert (:kaie) (inactive account) 2009-10-26 18:01:09 UTC
Comment on attachment 365636 [details]
Proposed spec file changes

>-Release:          14%{?dist}
>+Release:          14.1%{?dist}

I think 14.1{?dist} may be smaller than 14
I think you must either use 15{?dist} or 14{?dist}.1


>-Requires:         nss-softokn >= %{nss_softokn_version}
>+Requires:         nss-softokn%{_isa} >= %{nss_softokn_version}

Sounds absolutely reasonably to me, after reading http://www.rpm.org/wiki/PackagerDocs/ArchDependencies


> 
> %changelog
>+* Tue Oct 20 2009 Elio Maldonado<emaldona> - 3.12.4-14.1

Don't forget this when you fix it :-)

Comment 14 Bug Zapper 2009-11-16 13:23:42 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 15 Fedora Update System 2010-01-07 06:35:25 UTC
nss-3.12.5-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/nss-3.12.5-2.fc12