From 8f2be9ac36081fd1e9b2395e1662a5189bf917fb Mon Sep 17 00:00:00 2001 From: zimbatm Date: Sat, 31 Oct 2020 21:17:26 +0100 Subject: [PATCH] nss: make reproducible (#102156) According to https://hg.mozilla.org/projects/nss/file/c1fad130dce2081a5d6ce9f539c72d999f59afce/build.sh#l129 the FIPS mode is not enabled by default. Yet we generate the .chk files that are only meant to be used for that mode. I have a sense that those have been cargo-culted around. Adding FIPS is still possible but you have to explictily build the lib with `pkgs.nss.override { enableFIPS = true; }` More info on what FIPS is: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 Other distros wrangling with the same issue: https://bugzilla.opensuse.org/show_bug.cgi?id=1081723 --- pkgs/development/libraries/nss/default.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/nss/default.nix b/pkgs/development/libraries/nss/default.nix index 395617aa7bce2..0c51fda53822f 100644 --- a/pkgs/development/libraries/nss/default.nix +++ b/pkgs/development/libraries/nss/default.nix @@ -1,4 +1,8 @@ -{ stdenv, fetchurl, nspr, perl, zlib, sqlite, darwin, fixDarwinDylibNames, buildPackages, ninja }: +{ stdenv, fetchurl, nspr, perl, zlib, sqlite, darwin, fixDarwinDylibNames, buildPackages, ninja +, # allow FIPS mode. Note that this makes the output non-reproducible. + # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 + enableFIPS ? false +}: let nssPEM = fetchurl { @@ -83,6 +87,7 @@ in stdenv.mkDerivation rec { -Dhost_arch=${host} \ -Duse_system_zlib=1 \ --enable-libpkix \ + ${stdenv.lib.optionalString enableFIPS "--enable-fips"} \ ${stdenv.lib.optionalString stdenv.isDarwin "--clang"} \ ${stdenv.lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"} 
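Review bot: The new `enableFIPS ? false` comment in the first hunk documents the reproducibility cost of turning it on, but not what the default build now loses: the `.chk` files that the `shlibsign` loop (later in this patch) no longer produces are the integrity checks softoken consults once FIPS mode is active, and if I recall correctly that mode can also be switched on against an existing install (e.g. `modutil -fips true`) rather than only through `--enable-fips`, so such a deployment on the default `nss` would now fail to load the FIPS module with no hint why. Suggest extending the comment to something like `# allow FIPS mode: also generates the .chk integrity files softoken requires when FIPS mode is turned on; without them FIPS mode will not load. The signatures shlibsign emits are not deterministic, so the output becomes non-reproducible.` The second hunk passes `--enable-fips` to build.sh; the linked build.sh presumably changes more than the signing step with that flag, so a one-line note that `enableFIPS` affects both the compile flags and the post-fixup signing would keep readers from assuming it only toggles `.chk` generation.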
@@ -128,7 +133,8 @@ in stdenv.mkDerivation rec { postFixup = let isCross = stdenv.hostPlatform != stdenv.buildPlatform; nss = if isCross then buildPackages.nss.tools else "$out"; - in '' + in + (stdenv.lib.optionalString enableFIPS '' for libname in freebl3 nssdbm3 softokn3 do '' + (if stdenv.isDarwin @@ -141,7 +147,8 @@ in stdenv.mkDerivation rec { '') + '' ${nss}/bin/shlibsign -v -i "$libfile" done - + '') + + '' moveToOutput bin "$tools" moveToOutput bin/nss-config "$dev" moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example
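Review bot: The new `postFixup` expression in the `@@ -128` hunk now nests `optionalString enableFIPS '' … '' + (if stdenv.isDarwin … ) + ''` inside the existing `let … in`, and the closing `'')` only appears in the next hunk, which makes it hard to see where the conditional block ends and which part of the script is unconditional; the `postFixup` body also continues outside both hunks. I would hoist the signing script into the `let` as `signFipsLibs = stdenv.lib.optionalString enableFIPS (''…'' + (if stdenv.isDarwin …) + ''…'');` and make the body simply `signFipsLibs + '' moveToOutput … ''`, so the conditional is one named unit. Note too that `nss = if isCross then buildPackages.nss.tools else "$out"` means an `enableFIPS` cross build signs with `shlibsign` from a non-FIPS host `nss`; that is presumably fine because the tool itself is built regardless, but a short comment, e.g. `# shlibsign from the build-platform nss; it is built irrespective of enableFIPS`, would document the assumption.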