Age | Commit message | Author | Files | Lines |
|
|
nss: Set NSS_USE_64=1 for 64-bit platforms
|
|
The config script does that automatically for a few architectures [1],
but on 64-bit platforms that are not listed (like riscv64) the
freebl build fails. Debian always adds the USE_64=1 flag when
compiling on 64-bit architectures (they use legacy make instead of gyp),
and we should do that as well to fix the general problem at the cost of
a mass rebuild.
[1] https://hg.mozilla.org/projects/nss/file/0ef2306a623f8fcd90f094281678f3ee9e7e4738/coreconf/config.gypi#l212
[2] https://salsa.debian.org/mozilla-team/nss/-/blob/c446c61808a3a30bb0c6c62cc6628ede3f7bc205/debian/rules#L66
|
|
This commit adds an option to replace libnssckbi with the
p11-kit-trust[1] module. It makes all NSS applications (like Firefox,
Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS)
and other PKCS#11 modules without ad-hoc configuration.
This approach was first implemented in Fedora[2] and other distributions
like Arch Linux, later.
[1]: https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-nss.html
[2]: https://fedoraproject.org/wiki/Features/SharedSystemCertificates
|
|
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.59_release_notes
|
|
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
|
|
In [#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.
[#100765]: https://github.com/NixOS/nixpkgs/pull/100765
|
|
nss: fix build on ppc64[le]
|
|
Fixes a precedence issue from fe9f55907e2a42b675e161de3d5e6a740385c479
`lib.optionalString <cond> 'text' + 'text2'` will always have 'text2' as
part of the result.
|
|
NSS configure scripts use the abbreviated form ppc64/ppc64le:
https://github.com/nss-dev/nss/blob/NSS_3_57_RTM/coreconf/config.gypi#L209
Whereas nixpkgs uses the longer form:
`nix eval nixpkgs.pkgsCross.powernv.hostPlatform.parsed.cpu.name`
`powerpc64le`
|
|
According to
https://hg.mozilla.org/projects/nss/file/c1fad130dce2081a5d6ce9f539c72d999f59afce/build.sh#l129
the FIPS mode is not enabled by default. Yet we generate the .chk files
that are only meant to be used for that mode. I have a sense that those
have been cargo-culted around.
Adding FIPS is still possible but you have to explicitly build the lib
with `pkgs.nss.override { enableFIPS = true; }`
More info on what FIPS is:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
Other distros wrangling with the same issue:
https://bugzilla.opensuse.org/show_bug.cgi?id=1081723
|
|
This reverts commit c778945806b44d46ec16bc4302e7e7163e6bab97.
I believe this is exactly what brings the staging branch into
the right shape after the last merge from master (through staging-next);
otherwise part of staging changes would be lost
(due to being already reachable from master but reverted).
|
|
I'm sorry; I didn't notice it contained staging commits.
This reverts commit 17f5305b6c20df795c365368d2d868266519599e, reversing
changes made to a8a018ddc0a8b5c3d4fa94c94b672c37356bc075.
|
|
This hook runs at build time and depends on executing
install_name_tool from binutils.
|
|
Release notes seem "boring":
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
My understanding is that this version will be needed in Firefox 82 released
in one month from now: https://wiki.mozilla.org/NSS:Release_Versions
|
|
this was enabled by default with the old build system, but requires this flag with the new one
fixes #93955
|
|
/cc nss PR #91746
|
|
Needed to compile firefox 77. Taken from PR #89438.
|
|
There are two ways to build a package for aarch32 on an aarch64 machine:
either by cross compiling as normal, or by adding armv6l/armv7l to
extraPlatforms and doing a non-cross compile.
Previously, NSS failed to build with both methods: when using
extraPlatforms, things failed because NSS includes an armv8-specific
file (presumably based on the result of uname); when cross compiling,
NSS's build system expects to receive an architecture name of arm (not
armv6l or whatever), so was failing to include some arch-specific code
and failed with a linker error.
This commit fixes those things by a) always passing the arch, even when
not cross-compiling, and b) special-casing aarch32 to always pass in an
arch of arm.
|