gnu: nss-rapid: Update to 3.115.

* gnu/packages/nss.scm (nss-rapid): Update to 3.115. * gnu/packages/patches/nss-3.115-disable-broken-tests.patch: Add. * gnu/packages/patches/nss-3.115-disable-pkix-ocsp-tests.patch: Add. * gnu/local.mk (dist_patch_DATA): Add NSS patches. Change-Id: Ia54c89bd8bf2059c1c8f03cde794c85be9b5c527
2026-01-25 03:55:08 -06:00 · 2025-08-26 19:03:15 -07:00 · 2025-08-26 19:03:15 -07:00 · aef04b28b7
commit aef04b28b7
parent ea7ce1318f
4 changed files with 67 additions and 56 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -1939,6 +1939,9 @@ dist_patch_DATA =						\
  %D%/packages/patches/nss-getcwd-nonnull.patch			\
  %D%/packages/patches/nss-increase-test-timeout.patch		\
  %D%/packages/patches/nss-3.56-pkgconfig.patch			\
+  %D%/packages/patches/nss-disable-broken-tests.patch           \
+  %D%/packages/patches/nss-3.115-disable-broken-tests.patch     \
+  %D%/packages/patches/nss-3.115-disable-pkix-ocsp-tests.patch  \
  %D%/packages/patches/ntp-fix-dereferencing-the-wrong-variable.patch   \
  %D%/packages/patches/nvi-assume-preserve-path.patch		\
  %D%/packages/patches/nvi-dbpagesize-binpower.patch		\
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@ -291,63 +291,24 @@ This package tracks the Extended Support Release (ESR) channel.")
  (package
   (inherit nss)
   (name "nss-rapid")
-   (version "3.113")
-   (source (origin
-             (inherit (package-source nss))
-             (uri (let ((version-with-underscores
-                         (string-join (string-split version #\.) "_")))
-                    (string-append
-                     "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
-                     "releases/NSS_" version-with-underscores "_RTM/src/"
-                     "nss-" version ".tar.gz")))
-             (sha256
-              (base32
-               "03qwl3ps3xgc9pkc07qrsa4vd2r57mjwicv3gb483gfk2ashdvxc"))
-             (patches
-              (remove (cut string-suffix? "nss-disable-broken-tests.patch" <>)
-                      (origin-patches (package-source nss))))))
-   (arguments
-    (substitute-keyword-arguments (package-arguments nss)
-      ((#:phases phases)
-       #~(modify-phases #$phases
-           (add-after 'unpack 'neutralize-network-test
-             ;; Test tries to resolve `wrong.host.badssl.com' which fails due
-             ;; to no networking in the build environment.
-             ;; Behavior changed as of 3.110.
-             (lambda _
-               (substitute* "nss/tests/ssl/ssl.sh"
-                 ((" ssl_policy_pkix_ocsp" all)
-                  (string-append "#" all)))))
-           (replace 'check
-             (lambda* (#:key tests? #:allow-other-keys)
-               (if tests?
-                   (begin
-                     ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
-                     ;; testing.  The latter requires a working DNS or /etc/hosts.
-                     (setenv "DOMSUF" "localdomain")
-                     (setenv "USE_IP" "TRUE")
-                     (setenv "IP_ADDRESS" "127.0.0.1")
+   (version "3.115")
+   (source
+    (origin
+      (inherit (package-source nss))
+      (uri (let ((version-with-underscores
+                  (string-join (string-split version #\.) "_")))
+             (string-append
+              "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+              "releases/NSS_" version-with-underscores "_RTM/src/"
+              "nss-" version ".tar.gz")))
+      (sha256
+       (base32 "1av1g18dkx86zxvpr34j5mx976mgsk002khlb40k4ydx6gxlfamc"))
+      (patches
+       (search-patches "nss-3.56-pkgconfig.patch"
+                       "nss-getcwd-nonnull.patch"
+                       "nss-increase-test-timeout.patch"
+                       "nss-3.115-disable-pkix-ocsp-tests.patch"))))

-                     ;; This specific test is looking at performance "now
-                     ;; verify that we can quickly dump a database", and
-                     ;; we're not testing performance here (especially
-                     ;; since we're using faketime), so raise the
-                     ;; threshold
-                     (substitute* "nss/tests/dbtests/dbtests.sh"
-                       ((" -lt 5") " -lt 50"))
-
-                     ;; Since the test suite is very lengthy, run the test
-                     ;; suite once, not thrice as done by default, by
-                     ;; selecting only the 'standard' cycle.
-                     (setenv "NSS_CYCLES" "standard")
-
-                     ;; The "PayPalEE.cert" certificate expires every six months,
-                     ;; leading to test failures:
-                     ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
-                     ;; work around that, set the time to roughly the release date.
-                     (invoke #$(if (target-64bit?) "faketime" "datefudge")
-                            "2025-06-19" "./nss/tests/all.sh"))
-                   (format #t "test suite not run~%"))))))))
   (synopsis "Network Security Services (Rapid Release)")
   (description
    "Network Security Services (@dfn{NSS}) is a set of libraries designed to
--- a/gnu/packages/patches/nss-3.115-disable-broken-tests.patch
+++ b/gnu/packages/patches/nss-3.115-disable-broken-tests.patch
@ -0,0 +1,34 @@
+These tests are broken in 3.101.3.
+
+See https://bugzilla.mozilla.org/show_bug.cgi?id=1964304
+
+--- nss-3.113.orig/nss/tests/tools/tools.sh	2025-08-25 16:49:02.402086648 -0700
+++ nss-3.113/nss/tests/tools/tools.sh	2025-08-25 16:49:23.677993887 -0700
+@@ -550,27 +550,6 @@
+   html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file"
+   check_tmpfile
+ 
+-  echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I"
+-  ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1
+-  ret=$?
+-  html_msg $ret 19 "Fail to list private key with bad iterator"
+-  check_tmpfile
+-
+-  echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I"
+-  ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1
+-  ret=$?
+-  echo "Fail to list private key with bad salt val=$ret"
+-  html_msg $ret 19 "Fail to import private key with bad salt"
+-  check_tmpfile
+-
+-  echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I "
+-  ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1
+-  ret=$?
+-  echo "Fail to import private key with no length val=$ret"
+-  html_msg $ret 19 "Fail to import private key with no length"
+-  check_tmpfile
+-}
+-
+ ############################## tools_p12 ###############################
+ # local shell function to test basic functionality of pk12util
+ ########################################################################
--- a/gnu/packages/patches/nss-3.115-disable-pkix-ocsp-tests.patch
+++ b/gnu/packages/patches/nss-3.115-disable-pkix-ocsp-tests.patch
@ -0,0 +1,13 @@
+These tests require network.
+
+diff -x .svn -x .git -urN nss-3.113.orig/nss/tests/ssl/ssl.sh nss-3.113/nss/tests/ssl/ssl.sh
+--- nss-3.113.orig/nss/tests/ssl/ssl.sh	2025-08-25 16:49:02.398086665 -0700
+++ nss-3.113/nss/tests/ssl/ssl.sh	2025-08-26 15:46:11.718401605 -0700
+@@ -1600,7 +1600,6 @@
+             if using_sql ; then
+                 ssl_policy_listsuites
+                 ssl_policy_selfserv
+-                ssl_policy_pkix_ocsp
+                 ssl_policy
+             fi
+             ;;