This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 226204 - Merge Review: nss
Merge Review: nss
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: nss (Show other bugs)
23
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jon Ciesla
Fedora Package Reviews List
:
Depends On:
Blocks: F9MergeReviewTarget
  Show dependency treegraph
 
Reported: 2007-01-31 15:17 EST by Nobody's working on this, feel free to take it
Modified: 2015-07-15 11:24 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Nobody's working on this, feel free to take it 2007-01-31 15:17:18 EST
Fedora Merge Review: nss

http://cvs.fedora.redhat.com/viewcvs/devel/nss/
Initial Owner: kengert@redhat.com
Comment 1 Jon Ciesla 2008-09-19 09:44:45 EDT
My local build hangs in a loop during the ssl tests:

Running tests for ssl
TIMESTAMP ssl BEGIN: Fri Sep 19 08:41:25 CDT 2008
ssl.sh: SSL tests ===============================
ssl.sh: CRL SSL Client Tests   ===============================
ssl.sh: TLS Request don't require client auth (client does not provide auth) ----
selfserv_9400 starting at Fri Sep 19 08:41:25 CDT 2008
selfserv_9400 -D -p 9400 -d ../server -n localhost.localdomain  \
          -w nss -r -i ../tests_pid.17210  &
trying to connect to selfserv_9400 at Fri Sep 19 08:41:26 CDT 2008
tstclnt -p 9400 -h localhost.localdomain  -q \
        -d ../client < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat
tstclnt: Client timed out while waiting for connection to server: TCP connection reset by peer.
retrying to connect to selfserv_9400 at Fri Sep 19 08:42:32 CDT 2008
tstclnt -p 9400 -h localhost.localdomain  -q \
        -d ../client < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat
tstclnt: Client timed out while waiting for connection to server: TCP connection reset by peer.
ssl.sh: #282: Waiting for Server - FAILED
kill -0 28287 >/dev/null 2>/dev/null
selfserv_9400 with PID 28287 found at Fri Sep 19 08:43:33 CDT 2008
selfserv_9400 with PID 28287 started at Fri Sep 19 08:43:33 CDT 2008
tstclnt -p 9400 -h localhost.localdomain -f -d ../client \
        -w nss -n none  < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat
tstclnt: unable to connect (poll): Connection refused by peer.
ssl.sh: #283: TLS Request don't require client auth (client does not provide auth) (cert TestUser40 - revoked) produced a returncode of 1, expected is 0 - FAILED
trying to kill selfserv_9400 with PID 28287 at Fri Sep 19 08:43:34 CDT 2008
kill -USR1 28287
selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable
          0 stateless resumes, 0 ticket parse failures
selfserv: normal termination
selfserv_9400 -b -p 9400 2>/dev/null;
selfserv_9400 with PID 28287 killed at Fri Sep 19 08:43:34 CDT 2008
ssl.sh: TLS Request don't require client auth (client does not provide auth) ----
selfserv_9400 starting at Fri Sep 19 08:43:35 CDT 2008
selfserv_9400 -D -p 9400 -d ../server -n localhost.localdomain  \
          -w nss -r -i ../tests_pid.17210  &
trying to connect to selfserv_9400 at Fri Sep 19 08:43:35 CDT 2008
tstclnt -p 9400 -h localhost.localdomain  -q \
        -d ../client < /home/limb/rpmbuild/BUILD/nss-3.12.1.1/mozilla/security/nss/tests/ssl/sslreq.dat
Comment 2 Jon Ciesla 2008-12-05 08:42:40 EST
Now it works.

rpmlint on SRPM:
nss.src:131: W: rpm-buildroot-usage %build %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
$RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will
break short circuiting.

nss.src:138: W: rpm-buildroot-usage %build $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
$RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will
break short circuiting.

nss.src:148: W: rpm-buildroot-usage %build %{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
$RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will
break short circuiting.

nss.src:156: W: rpm-buildroot-usage %build > $RPM_BUILD_ROOT/%{_bindir}/nss-config
$RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will
break short circuiting.

nss.src:158: W: rpm-buildroot-usage %build chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config
$RPM_BUILD_ROOT should not be touched during %build or %prep stage, as it will
break short circuiting.

Fix if possible.

nss.src: E: no-cleaning-of-buildroot %install
You should clean $RPM_BUILD_ROOT in the %clean section and just after the
beginning of %install section. Use "rm -Rf $RPM_BUILD_ROOT".

Definitely fix.

rpmlint on RPMS:
nss.i386: W: no-documentation
The package contains no documentation (README, doc, etc). You have to include
documentation files.

nss.i386: W: non-conffile-in-etc /etc/prelink.conf.d/nss-prelink.conf
A non-executable file in your package is being installed in /etc, but is not a
configuration file. All non-executable files in /etc should be configuration
files. Mark the file as %config in the spec file.

nss.i386: E: invalid-soname /lib/libnsspem.so libnsspem.so
The soname of the library is neither of the form lib<libname>.so.<major> or
lib<libname>-<major>.so.

nss.i386: E: invalid-soname /lib/libnssckbi.so libnssckbi.so
The soname of the library is neither of the form lib<libname>.so.<major> or
lib<libname>-<major>.so.

nss-debuginfo.i386: W: spurious-executable-perm /usr/src/debug/nss-3.12.2.0/mozilla/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.h

... and many others.  FIX.

nss-devel.i386: W: no-documentation
The package contains no documentation (README, doc, etc). You have to include
documentation files.

Fix if possible.

nss-devel.i386: W: dangling-relative-symlink /usr/lib/libsoftokn3.chk ../../lib/libsoftokn3.chk
The relative symbolic link points nowhere.

nss-devel.i386: W: dangling-relative-symlink /usr/lib/libfreebl3.chk ../../lib/libfreebl3.chk
The relative symbolic link points nowhere.

Fix if possible.

nss-pkcs11-devel.i386: W: no-documentation
The package contains no documentation (README, doc, etc). You have to include
documentation files.

nss-tools.i386: W: no-documentation
The package contains no documentation (README, doc, etc). You have to include
documentation files.

Fix if possible.

nss-tools.i386: E: explicit-lib-dependency zlib
You must let rpm find the library dependencies by itself. Do not put unneeded
explicit Requires: tags.

Can't this be dropped?


Source0 must include a URL:
https://fedoraproject.org/wiki/Packaging/SourceURL

%clean starts with 
%{__rm} -rf $RPM_BUILD_ROOT

%install must also.


Doing mock build to double-check BRs, but this is probably fine.

Summary of full review: buildroot issues, documentation issues, explicit zlib dep, SourceURL issues.  Otherwise OK.
Comment 3 Jon Ciesla 2008-12-05 10:30:07 EST
Mock build was fine.
Comment 4 Jon Ciesla 2009-03-31 11:23:56 EDT
Ping?
Comment 5 Michal Nowak 2009-04-08 12:17:05 EDT
Kai, can you please have a look at Jon's proposals?
Comment 6 Kai Engert (:kaie) 2009-05-07 16:21:03 EDT
Jon, you said your build initially failed, but then it worked.
What local changes did you apply to make it work?
Do you have a patch?
Comment 7 Jon Ciesla 2009-05-08 09:06:01 EDT
All I did in each case was attempt to build the latest rawhide koji srpm.  This changed from 2008-09-19 to 2008-12-05.  Something in that interval corrected whatever the problem was.
Comment 8 Jon Ciesla 2010-04-29 16:13:14 EDT
Ping?
Comment 9 Jon Ciesla 2011-03-31 12:41:07 EDT
Ping?
Comment 10 Jon Ciesla 2011-06-17 11:03:07 EDT
I see this is now emaldonado's package?  Can you have a look at this so we can get it put to bed?  Thanks!
Comment 11 Elio Maldonado Batiz 2011-06-17 14:52:51 EDT
(In reply to comment #10)
> I see this is now emaldonado's package?  Can you have a look at this so we can
> get it put to bed?  Thanks!

Hi Jon, What is the propsal in question that you would like me to comment on?
The nss build system has changed substantially since you last reprted problems. Since 3.12.4 and Fedora-12 we have split nss into three packages: nss-util, nss-softokn, and nss. I'm sure that an rpmlinit run againts the latest srps will show different results. Quite a few error message still show up and I will be happy to discuss them with you. 

Some are in my list of things to fix but I am waiting to an opportune time to tacke them. By opprtune I mean very early in the relase cycle so that I can work with maintainers of packages that depend on nss to ensure we don't break them or anyone else.
Comment 12 Jon Ciesla 2011-06-20 11:49:23 EDT
Well, F15 just came out, so F16 is very early now, pre-alpha.  Is this early enough?  If so, I'd say make the changes you intend to, and I'll re-review that.  If that's not and you'd rather wait until after f17 is branched, I'll review what's in rawhide now.
Comment 13 Elio Maldonado Batiz 2011-06-20 12:38:14 EDT
(In reply to comment #12)
To explain why I am cautious let's look at the latest warnings and error report for autoqa.

Stored logs available at <http://test1250.test.redhat.com/results/30654-autotest/hp-xw9300.test.redhat.com/>

nss-pkcs11-devel.i686: W: no-documentation
nss-tools.x86_64: E: explicit-lib-dependency zlib

nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/signtool ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/crlutil ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/signver ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/ocspclnt ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/pp ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/derdump ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/pk12util ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/atob ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/ssltap ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/strsclnt ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/btoa ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/symkeyutil ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/tstclnt ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/certutil ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/vfyserv ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/modutil ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/selfserv ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/cmsutil ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/nss/unsupported-tools/vfychain ['$ORIGIN/../lib64', '$ORIGIN/../lib']
nss-tools.x86_64: W: no-documentation
nss-tools.x86_64: W: no-manual-page-for-binary ssltap
nss-tools.x86_64: W: no-manual-page-for-binary certutil
nss-tools.x86_64: W: no-manual-page-for-binary cmsutil
nss-tools.x86_64: W: no-manual-page-for-binary modutil
nss-tools.x86_64: W: no-manual-page-for-binary signver
nss-tools.x86_64: W: no-manual-page-for-binary crlutil
nss-tools.x86_64: W: no-manual-page-for-binary signtool
nss-tools.x86_64: W: no-manual-page-for-binary pk12util
nss-devel.i686: W: no-documentation
nss-devel.i686: E: rpath-in-buildconfig /usr/bin/nss-config lines ['130']
nss-devel.i686: W: no-manual-page-for-binary nss-config
nss-devel.x86_64: W: no-documentation
nss-devel.x86_64: E: rpath-in-buildconfig /usr/bin/nss-config lines ['130']
nss-devel.x86_64: W: no-manual-page-for-binary nss-config
nss-sysinit.x86_64: E: invalid-soname /usr/lib64/libnsssysinit.so libnsssysinit.so
nss-sysinit.x86_64: W: no-documentation
nss-sysinit.x86_64: W: no-manual-page-for-binary setup-nsssysinit.sh
nss.i686: E: invalid-soname /usr/lib/libnsspem.so libnsspem.so
nss.i686: E: invalid-soname /usr/lib/libnssckbi.so libnssckbi.so
nss.i686: W: no-documentation
nss-pkcs11-devel.x86_64: W: no-documentation
nss.src: W: strange-permission setup-nsssysinit.sh 0755
nss.src:75: W: unversioned-explicit-provides nss-system-init
nss.src:248: W: macro-in-comment %global
nss.src:249: W: macro-in-comment %global
nss.src: W: invalid-url Source12: nss-pem-20100412.tar.bz2
nss.src: W: invalid-url Source0: nss-3.12.6-stripped.tar.bz2
nss.x86_64: E: invalid-soname /usr/lib64/libnsspem.so libnsspem.so
nss.x86_64: E: invalid-soname /usr/lib64/libnssckbi.so libnssckbi.so
nss.x86_64: W: no-documentation
nss-sysinit.i686: E: invalid-soname /usr/lib/libnsssysinit.so libnsssysinit.so
nss-sysinit.i686: W: no-documentation
nss-sysinit.i686: W: no-manual-page-for-binary setup-nsssysinit.sh
nss-tools.i686: E: explicit-lib-dependency zlib
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/signtool ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/crlutil ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/signver ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/strsclnt ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/ocspclnt ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/vfyserv ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/pk12util ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/vfychain ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/derdump ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/ssltap ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/atob ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/selfserv ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/certutil ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/symkeyutil ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/pp ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/modutil ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/bin/cmsutil ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/tstclnt ['$ORIGIN/../lib']
nss-tools.i686: E: binary-or-shlib-defines-rpath /usr/lib/nss/unsupported-tools/btoa ['$ORIGIN/../lib']
nss-tools.i686: W: no-documentation
nss-tools.i686: W: no-manual-page-for-binary ssltap
nss-tools.i686: W: no-manual-page-for-binary certutil
nss-tools.i686: W: no-manual-page-for-binary cmsutil
nss-tools.i686: W: no-manual-page-for-binary modutil
nss-tools.i686: W: no-manual-page-for-binary signver
nss-tools.i686: W: no-manual-page-for-binary crlutil
nss-tools.i686: W: no-manual-page-for-binary signtool
nss-tools.i686: W: no-manual-page-for-binary pk12util
11 packages and 0 specfiles checked; 48 errors, 36 warnings.
--------------------
Let's ignore for the moment the warning relating man pages which I am working on. The problematic ones are may like "binary-or-shlib-defines-rpath ... "
The use of rpath is contrary to the fedora packaging guidelines, and those of other Linux distributions such as Debian as well, but fixing this in nss will break Mozilla products such as Firefox which currently depends on rpath. I have discussed this particular problem with folks responsible for Mozilla products and they and I would be willing to make such changes if done very early on the release cycle. The Mozilla-based products may not be the only ones affected. I would also have to notify developers in our mailing lists of this possible breakage and ask them to change their packages builds. Is it still early enough on F-16 to do it or shall we wait for early on Rawhide for F-17? Another consideration is that there are another major changes to NSS that I am working for this release and I want to make sure I have enough bandwidth to handle them all in a timely fashion.
Comment 14 Christopher Aillon 2011-06-20 15:34:44 EDT
The rpath issue honestly sounds like something that really needs to be done upstream first...
Comment 15 Jon Ciesla 2011-06-22 15:32:41 EDT
Well, work on it awhile, and let me know what you think.
Comment 16 Elio Maldonado Batiz 2011-06-22 16:37:00 EDT
(In reply to comment #14)
> The rpath issue honestly sounds like something that really needs to be done
> upstream first...

I agree, it should be handled upstream both in NSS and the pertinent Mozilla products. Not to mention that we should warn both upstream and downstream developers and fedora is not the only Linux distribution affected and it's not a linux-only issue.

(In reply to comment #15)
At the moment I am tied up with other major changes to nss and nss-softoken.
Jon, Would care to copy this bug as upstream bugs, both for nss and mozilla?
Comment 17 Jon Ciesla 2011-06-28 09:12:31 EDT
I can.  Do we have an upstream contact, or should I simply go through their bugtracking systems?
Comment 18 Elio Maldonado Batiz 2011-06-28 11:26:51 EDT
(In reply to comment #17)
It's best to go through the upstream bug tracking systems. You can assign the upstream nss bug to me. The Mozilla bug would probably be for the xulrunner component, Kai and Chris would know the best way to report that one.
Comment 19 Jon Ciesla 2011-06-28 13:13:37 EDT
NSS bug filed, let me know if you need changes made:

https://bugzilla.mozilla.org/show_bug.cgi?id=667938

I CCd you, I can't reassign.
Comment 20 Elio Maldonado Batiz 2011-06-28 13:31:54 EDT
(In reply to comment #19) Thanks, it's assigned to me now.
Comment 21 Jon Ciesla 2011-10-18 11:58:51 EDT
Ping?
Comment 22 Elio Maldonado Batiz 2011-10-18 12:44:42 EDT
The upstream NSS team togther with the Mozilla team has been extremely busy with the NSS 3.13 update and I have opted not to press this at this time. This will takes the approval of both NSS and Mozilla developers and issuing notififications in the development lists. I added some comments to the bug with links to Fedora and Debian guidelines to support your request.  Will add some more before I bring if up with them. NSS has cannot do anything unless it gets the buy in from the Mozilla team. NSS makes some strong commitments for binary compatibility that a change like this one could break.

Having an additional bug against the Mozilla applications would help move this forward as it will get more attention. The Mozilla applications interact with NSS via xulrunner which is part of the Personal Security Manager component, aka PSM. Could I bother you with logging a paralell bug with PSM and relate the two bugs?  Thanks in advance.
Comment 23 Jon Ciesla 2012-04-26 09:38:30 EDT
I've dropped the ball on filing the upstream bug, has there been any change in situation?
Comment 24 Elio Maldonado Batiz 2012-06-01 18:34:21 EDT
(In reply to comment #23)
> I've dropped the ball on filing the upstream bug, has there been any change
> in situation?

Yes, the upstream nss bug is now getting attention. See latest comments.
Comment 25 Jon Ciesla 2012-06-04 09:30:50 EDT
Awesome, thank you!
Comment 26 Jon Ciesla 2013-02-07 14:37:23 EST
How's this looking?
Comment 27 Cole Robinson 2015-02-11 15:38:21 EST
Mass reassigning all merge reviews to their component. For more details, see this FESCO ticket:

  https://fedorahosted.org/fesco/ticket/1269

If you don't know what merge reviews are about, please see:

  https://fedoraproject.org/wiki/Merge_Reviews

How to handle this bug is left to the discretion of the package maintainer.
Comment 28 Jan Kurik 2015-07-15 11:24:36 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Note You need to log in before you can comment on or make changes to this bug.