Fedora Merge Review: nss http://cvs.fedora.redhat.com/viewcvs/devel/nss/ Initial Owner: kengert
My local build hangs in a loop during the ssl tests: Running tests for ssl TIMESTAMP ssl BEGIN: Fri Sep 19 08:41:25 CDT 2008 ssl.sh: SSL tests =============================== ssl.sh: CRL SSL Client Tests =============================== ssl.sh: TLS Request don't require client auth (client does not provide auth) ---- selfserv_9400 starting at Fri Sep 19 08:41:25 CDT 2008 selfserv_9400 -D -p 9400 -d ../server -n localhost.localdomain \ -w nss -r -i ../tests_pid.17210 & trying to connect to selfserv_9400 at Fri Sep 19 08:41:26 CDT 2008 tstclnt -p 9400 -h localhost.localdomain -q \ -d ../client < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat tstclnt: Client timed out while waiting for connection to server: TCP connection reset by peer. retrying to connect to selfserv_9400 at Fri Sep 19 08:42:32 CDT 2008 tstclnt -p 9400 -h localhost.localdomain -q \ -d ../client < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat tstclnt: Client timed out while waiting for connection to server: TCP connection reset by peer. ssl.sh: #282: Waiting for Server - FAILED kill -0 28287 >/dev/null 2>/dev/null selfserv_9400 with PID 28287 found at Fri Sep 19 08:43:33 CDT 2008 selfserv_9400 with PID 28287 started at Fri Sep 19 08:43:33 CDT 2008 tstclnt -p 9400 -h localhost.localdomain -f -d ../client \ -w nss -n none < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat tstclnt: unable to connect (poll): Connection refused by peer. ssl.sh: #283: TLS Request don't require client auth (client does not provide auth) (cert TestUser40 - revoked) produced a returncode of 1, expected is 0 - FAILED trying to kill selfserv_9400 with PID 28287 at Fri Sep 19 08:43:34 CDT 2008 kill -USR1 28287 selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable 0 stateless resumes, 0 ticket parse failures selfserv: normal termination selfserv_9400 -b -p 9400 2>/dev/null; selfserv_9400 with PID 28287 killed at Fri Sep 19 08:43:34 CDT 2008 ssl.sh: TLS Request don't require client auth (client does not provide auth) ---- selfserv_9400 starting at Fri Sep 19 08:43:35 CDT 2008 selfserv_9400 -D -p 9400 -d ../server -n localhost.localdomain \ -w nss -r -i ../tests_pid.17210 & trying to connect to selfserv_9400 at Fri Sep 19 08:43:35 CDT 2008 tstclnt -p 9400 -h localhost.localdomain -q \ -d ../client < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat
Now it works. rpmlint on SRPM: nss.src:131: W: rpm-buildroot-usage %build %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig $RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will break short circuiting. nss.src:138: W: rpm-buildroot-usage %build $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc $RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will break short circuiting. nss.src:148: W: rpm-buildroot-usage %build %{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} $RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will break short circuiting. nss.src:156: W: rpm-buildroot-usage %build > $RPM_BUILD_ROOT/%{_bindir}/nss-config $RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will break short circuiting. nss.src:158: W: rpm-buildroot-usage %build chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config $RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will break short circuiting. Fix if possible. nss.src: E: no-cleaning-of-buildroot %install You should clean $RPM_BUILD_ROOT in the %clean section and just after the beginning of %install section. Use "rm -Rf $RPM_BUILD_ROOT". Definitely fix. rpmlint on RPMS: nss.i386: W: no-documentation The package contains no documentation (README, doc, etc). You have to include documentation files. nss.i386: W: non-conffile-in-etc /etc/prelink.conf.d/nss-prelink.conf A non-executable file in your package is being installed in /etc, but is not a configuration file. All non-executable files in /etc should be configuration files. Mark the file as %config in the spec file. nss.i386: E: invalid-soname /lib/libnsspem.so libnsspem.so The soname of the library is neither of the form lib<libname>.so.<major> or lib<libname>-<major>.so. nss.i386: E: invalid-soname /lib/libnssckbi.so libnssckbi.so The soname of the library is neither of the form lib<libname>.so.<major> or lib<libname>-<major>.so. nss-debuginfo.i386: W: spurious-executable-perm /usr/src/debug/nss-3.12.2.0/mozilla/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.h ... and many others. FIX. nss-devel.i386: W: no-documentation The package contains no documentation (README, doc, etc). You have to include documentation files. Fix if possible. nss-devel.i386: W: dangling-relative-symlink /usr/lib/libsoftokn3.chk ../../lib/libsoftokn3.chk The relative symbolic link points nowhere. nss-devel.i386: W: dangling-relative-symlink /usr/lib/libfreebl3.chk ../../lib/libfreebl3.chk The relative symbolic link points nowhere. Fix if possible. nss-pkcs11-devel.i386: W: no-documentation The package contains no documentation (README, doc, etc). You have to include documentation files. nss-tools.i386: W: no-documentation The package contains no documentation (README, doc, etc). You have to include documentation files. Fix if possible. nss-tools.i386: E: explicit-lib-dependency zlib You must let rpm find the library dependencies by itself. Do not put unneeded explicit Requires: tags. Can't this be dropped? Source0 must include a URL: https://fedoraproject.org/wiki/Packaging/SourceURL %clean starts with %{__rm} -rf $RPM_BUILD_ROOT %install must also. Doing mock build to double-check BRs, but this is probably fine. Summary of full review: buildroot issues, documentation issues, explicit zlib dep, SourceURL issues. Otherwise OK.
Mock build was fine.
Ping?
Kai, can you please have a look at Jon's proposals?
Jon, you said your build initially failed, but then it worked. What local changes did you apply to make it work? Do you have a patch?
All I did in each case was attempt to build the latest rawhide koji srpm. This changed from 2008-09-19 to 2008-12-05. Something in that interval corrected whatever the problem was.
I see this is now emaldonado's package? Can you have a look at this so we can get it put to bed? Thanks!
(In reply to comment #10) > I see this is now emaldonado's package? Can you have a look at this so we can > get it put to bed? Thanks! Hi Jon, What is the propsal in question that you would like me to comment on? The nss build system has changed substantially since you last reprted problems. Since 3.12.4 and Fedora-12 we have split nss into three packages: nss-util, nss-softokn, and nss. I'm sure that an rpmlinit run againts the latest srps will show different results. Quite a few error message still show up and I will be happy to discuss them with you. Some are in my list of things to fix but I am waiting to an opportune time to tacke them. By opprtune I mean very early in the relase cycle so that I can work with maintainers of packages that depend on nss to ensure we don't break them or anyone else.
Well, F15 just came out, so F16 is very early now, pre-alpha. Is this early enough? If so, I'd say make the changes you intend to, and I'll re-review that. If that's not and you'd rather wait until after f17 is branched, I'll review what's in rawhide now.
(In reply to comment #12) To explain why I am cautious let's look at the latest warnings and error report for autoqa. Stored logs available at <http://test1250.test.redhat.com/results/30654-autotest/hp-xw9300.test.redhat.com/> nss-pkcs11-devel.i686: W: no-documentation nss-tools.x86_64: E: explicit-lib-dependency zlib nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/signtool ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/crlutil ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/signver ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/ocspclnt ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/pp ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/derdump ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/pk12util ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/atob ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/ssltap ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/strsclnt ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/btoa ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/symkeyutil ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/tstclnt ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/certutil ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/vfyserv ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/modutil ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/selfserv ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/cmsutil ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/vfychain ['$ORIGIN/../lib64', '$ORIGIN/../lib'] nss-tools.x86_64: W: no-documentation nss-tools.x86_64: W: no-manual-page-for-binary ssltap nss-tools.x86_64: W: no-manual-page-for-binary certutil nss-tools.x86_64: W: no-manual-page-for-binary cmsutil nss-tools.x86_64: W: no-manual-page-for-binary modutil nss-tools.x86_64: W: no-manual-page-for-binary signver nss-tools.x86_64: W: no-manual-page-for-binary crlutil nss-tools.x86_64: W: no-manual-page-for-binary signtool nss-tools.x86_64: W: no-manual-page-for-binary pk12util nss-devel.i686: W: no-documentation nss-devel.i686: E: rpath-in-buildconfig /usr/bin/nss-config lines ['130'] nss-devel.i686: W: no-manual-page-for-binary nss-config nss-devel.x86_64: W: no-documentation nss-devel.x86_64: E: rpath-in-buildconfig /usr/bin/nss-config lines ['130'] nss-devel.x86_64: W: no-manual-page-for-binary nss-config nss-sysinit.x86_64: E: invalid-soname /usr/lib64/libnsssysinit.so libnsssysinit.so nss-sysinit.x86_64: W: no-documentation nss-sysinit.x86_64: W: no-manual-page-for-binary setup-nsssysinit.sh nss.i686: E: invalid-soname /usr/lib/libnsspem.so libnsspem.so nss.i686: E: invalid-soname /usr/lib/libnssckbi.so libnssckbi.so nss.i686: W: no-documentation nss-pkcs11-devel.x86_64: W: no-documentation nss.src: W: strange-permission setup-nsssysinit.sh 0755 nss.src:75: W: unversioned-explicit-provides nss-system-init nss.src:248: W: macro-in-comment %global nss.src:249: W: macro-in-comment %global nss.src: W: invalid-url Source12: nss-pem-20100412.tar.bz2 nss.src: W: invalid-url Source0: nss-3.12.6-stripped.tar.bz2 nss.x86_64: E: invalid-soname /usr/lib64/libnsspem.so libnsspem.so nss.x86_64: E: invalid-soname /usr/lib64/libnssckbi.so libnssckbi.so nss.x86_64: W: no-documentation nss-sysinit.i686: E: invalid-soname /usr/lib/libnsssysinit.so libnsssysinit.so nss-sysinit.i686: W: no-documentation nss-sysinit.i686: W: no-manual-page-for-binary setup-nsssysinit.sh nss-tools.i686: E: explicit-lib-dependency zlib nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/signtool ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/crlutil ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/signver ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/strsclnt ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/ocspclnt ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/vfyserv ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/pk12util ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/vfychain ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/derdump ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/ssltap ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/atob ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/selfserv ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/certutil ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/symkeyutil ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/pp ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/modutil ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/cmsutil ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/tstclnt ['$ORIGIN/../lib'] nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/btoa ['$ORIGIN/../lib'] nss-tools.i686: W: no-documentation nss-tools.i686: W: no-manual-page-for-binary ssltap nss-tools.i686: W: no-manual-page-for-binary certutil nss-tools.i686: W: no-manual-page-for-binary cmsutil nss-tools.i686: W: no-manual-page-for-binary modutil nss-tools.i686: W: no-manual-page-for-binary signver nss-tools.i686: W: no-manual-page-for-binary crlutil nss-tools.i686: W: no-manual-page-for-binary signtool nss-tools.i686: W: no-manual-page-for-binary pk12util 11 packages and 0 specfiles checked; 48 errors, 36 warnings. -------------------- Let's ignore for the moment the warning relating man pages which I am working on. The problematic ones are may like "binary-or-shlib-defines-rpath ... " The use of rpath is contrary to the fedora packaging guidelines, and those of other Linux distributions such as Debian as well, but fixing this in nss will break Mozilla products such as Firefox which currently depends on rpath. I have discussed this particular problem with folks responsible for Mozilla products and they and I would be willing to make such changes if done very early on the release cycle. The Mozilla-based products may not be the only ones affected. I would also have to notify developers in our mailing lists of this possible breakage and ask them to change their packages builds. Is it still early enough on F-16 to do it or shall we wait for early on Rawhide for F-17? Another consideration is that there are another major changes to NSS that I am working for this release and I want to make sure I have enough bandwidth to handle them all in a timely fashion.
The rpath issue honestly sounds like something that really needs to be done upstream first...
Well, work on it awhile, and let me know what you think.
(In reply to comment #14) > The rpath issue honestly sounds like something that really needs to be done > upstream first... I agree, it should be handled upstream both in NSS and the pertinent Mozilla products. Not to mention that we should warn both upstream and downstream developers and fedora is not the only Linux distribution affected and it's not a linux-only issue. (In reply to comment #15) At the moment I am tied up with other major changes to nss and nss-softoken. Jon, Would care to copy this bug as upstream bugs, both for nss and mozilla?
I can. Do we have an upstream contact, or should I simply go through their bugtracking systems?
(In reply to comment #17) It's best to go through the upstream bug tracking systems. You can assign the upstream nss bug to me. The Mozilla bug would probably be for the xulrunner component, Kai and Chris would know the best way to report that one.
NSS bug filed, let me know if you need changes made: https://bugzilla.mozilla.org/show_bug.cgi?id=667938 I CCd you, I can't reassign.
(In reply to comment #19) Thanks, it's assigned to me now.
The upstream NSS team togther with the Mozilla team has been extremely busy with the NSS 3.13 update and I have opted not to press this at this time. This will takes the approval of both NSS and Mozilla developers and issuing notififications in the development lists. I added some comments to the bug with links to Fedora and Debian guidelines to support your request. Will add some more before I bring if up with them. NSS has cannot do anything unless it gets the buy in from the Mozilla team. NSS makes some strong commitments for binary compatibility that a change like this one could break. Having an additional bug against the Mozilla applications would help move this forward as it will get more attention. The Mozilla applications interact with NSS via xulrunner which is part of the Personal Security Manager component, aka PSM. Could I bother you with logging a paralell bug with PSM and relate the two bugs? Thanks in advance.
I've dropped the ball on filing the upstream bug, has there been any change in situation?
(In reply to comment #23) > I've dropped the ball on filing the upstream bug, has there been any change > in situation? Yes, the upstream nss bug is now getting attention. See latest comments.
Awesome, thank you!
How's this looking?
Mass reassigning all merge reviews to their component. For more details, see this FESCO ticket: https://fedorahosted.org/fesco/ticket/1269 If you don't know what merge reviews are about, please see: https://fedoraproject.org/wiki/Merge_Reviews How to handle this bug is left to the discretion of the package maintainer.
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
Looks like the upstream bug was completed, any updates?
This bug is confusing. If there's anything that's remaining to be done, could you please: - change the bug summary to something that summarizes what is being asked for - add a comment that summarizes the current state and what's remaining
Essentially all that remains is to disable rpath if possible. If it's not possible, i.e. if Firefox et. al. are using it, then we can close this.
Daiki, when there's some time, could you please check if rpath can be removed from the nspr/nss* packages, if present?
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.