bug#70926: closed (Having default nss-certs plus nss-certs in operating-system packages causes problems)

[GNU bug Tracking System]

Your message dated Wed, 15 May 2024 23:02:27 -0400
with message-id <87r0e2wjb0.fsf@gmail.com>
and subject line Re: bug#70926: Having default nss-certs plus nss-certs in 
operating-system packages causes problems
has caused the debbugs.gnu.org bug report #70926,
regarding Having default nss-certs plus nss-certs in operating-system packages 
causes problems
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
70926: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=70926
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: Having default nss-certs plus nss-certs in operating-system packages causes problems Date: Mon, 13 May 2024 22:38:29 +0100 User-agent: mu4e 1.12.2; emacs 29.3

I've seen this when updating systems, but it seems like something is
wrong with the handling of nss-certs.

I'm on a guix revision with nss-certs by default, and when I add
nss-certs to my system packages (to simulate not removing it when
upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
doesn't work).

My reading of the operating-system-packages code suggests that adding
nss-certs shouldn't have any effect, but this doesn't seem to be
working.

signature.asc
Description: PGP signature

--- End Message ---

> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#70926: Having default nss-certs plus nss-certs in operating-system packages causes problems
>
>
>
>
> Date: 
>
> Wed, 15 May 2024 23:02:27 -0400
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13)
>
>
>
>
> Hello,
>
> Liliana Marie Prikler <liliana.prikler@gmail.com> writes:
>
> > Am Montag, dem 13.05.2024 um 22:38 +0100 schrieb Christopher Baines:
> >> I've seen this when updating systems, but it seems like something is
> >> wrong with the handling of nss-certs.
> >> 
> >> I'm on a guix revision with nss-certs by default, and when I add
> >> nss-certs to my system packages (to simulate not removing it when
> >> upgrading), it breaks certificates (e.g. wget https://guix.gnu.org/
> >> doesn't work).
> > I can confirm this on three machines (two of my own, one from a
> > relative): Having nss-certs in the packages field unexpectedly breaks
> > all known certificates.
> >
> >> My reading of the operating-system-packages code suggests that adding
> >> nss-certs shouldn't have any effect, but this doesn't seem to be
> >> working.
> > It would be really nice to detect the mismatching versions if it's
> > based on that.  IIUC we graft nss-certs now, so that we can hot-swap
> > stuff like pythons certifi package.  Is this use case broken by any
> > chance?
>
> Apparently having multiple nss-certs of the same version is no problem
> (they get deduped later).  The original problem would thus only exist
> when there are multiple versions of nss-certs listed in packages, as
> could happen for installer-generated configs that use
> '(specification->package "nss-certs"), which would pick the latest
> version and clash with the one in %base-packages.
>
> My code could call delete even in the first case, which would clear
> *all* nss-certs because they were the same object.  That's now guarded
> against in 35ae95061e1b843e1df069693177519f22f9a16d ("system: Do not
> delete all nss-certs packages when they are the same object."), which
> I've just pushed.
>
> Closing.
>
> -- 
> Thanks,
> Maxim
>
>
> --- End Message ---