[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Guix release broken without substitutes on ungrafted openssl
From: |
Leo Famulari |
Subject: |
Re: Guix release broken without substitutes on ungrafted openssl |
Date: |
Wed, 15 Feb 2023 13:33:34 -0500 |
On Wed, Feb 15, 2023 at 12:15:21PM -0500, Greg Hogan wrote:
> Installing guix from source fails on the build of openssl@1.1.1l. I
> see the same error on my working system (log attached) when executing
> the command below. The issue looks to be caused by OpenSSL's expired
> test certs fixed in 1.1.1p [0]. Guix currently grafts openssl 1.1.1s
> but it seems grafts are not part of the bootstrap process (substitutes
> disabled).
>
> If this is the correct diagnosis then we should be ungrafting before
> future releases any bootstrap dependencies relating to build failures
> (not necessarily for security updates).
>
> My personal fix was to adapt my installation script to iteratively set
> back then reset the clock, as openssl only builds in the past but
> diffutils-boot0 then fails due to newly created files being older than
> distributed files.
Thanks for the notes.
I do believe this has been discussed previously, to be found in the
archives!
In general, SSL/TLS implementations keep making this... unfortunate
mistake in their test suites.
It only really affects distros like Guix or Nix, so it's our problem to
fix.
I'd guess it's happened 4 times in the last several years.
It's one of several reasons that rebuilding old Guix releases actually
approaches being a Hard Problem.