Bug 250415 - security/ca_root_nss poudriere build failure since symlinks were added (3.58)
Summary: security/ca_root_nss poudriere build failure since symlinks were added (3.58)
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ports Security Team
URL: https://reviews.freebsd.org/D23617
Keywords: regression
Depends on:
Blocks: 222262
Reported: 2020-10-17 09:34 UTC by Matthias Andree
Modified: 2020-10-22 09:52 UTC

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Description Matthias Andree freebsd_committer 2020-10-17 09:34:32 UTC
[00:01:30] ===>   Deinstalling ca_root_nss-3.58
[00:01:30] Updating database digests format: .... done
[00:01:30] Checking integrity... done (0 conflicting)
[00:01:30] Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):
[00:01:30] 
[00:01:30] Installed packages to be REMOVED:
[00:01:30] 	ca_root_nss: 3.58
[00:01:30] 
[00:01:30] Number of packages to be removed: 1
[00:01:30] [114amd64-svn] [1/1] Deinstalling ca_root_nss-3.58...
[00:01:30] [114amd64-svn] [1/1] Deleting files for ca_root_nss-3.58: ....... done
[00:01:30] You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
[00:01:30] You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
[00:01:30] ===========================================================================
[00:01:30] =>> Checking for extra files and directories
[00:01:30] =>> Error: Files or directories left over:
[00:01:30] @dir etc/ssl
[00:01:30] @dir openssl
[00:01:30] etc/ssl/cert.pem
[00:01:30] openssl/cert.pem
[00:01:30] build of security/ca_root_nss | ca_root_nss-3.58 ended at Sat Oct 17 11:31:48 CEST 2020
[00:01:30] build time: 00:00:11
[00:01:30] !!! build failure encountered !!!
[00:01:30] Error: Build failed in phase: leftovers
[00:01:30] Cleaning up
[00:01:30] Unmounting file systems
Comment 1 Sunpoet Po-Chuan Hsieh freebsd_committer 2020-10-17 11:04:25 UTC
(In reply to Matthias Andree from comment #0)

I got the same error, but it seems to be an @sample issue.
The failure goes away if I roll back Keywords/sample.ucl from ports r551166 (latest, lua version) to ports r535225.
Comment 2 Jan Beich freebsd_committer 2020-10-17 11:50:55 UTC
"make stage-qa" is only run by "poudriere bulk -t" or "poudriere testport". Regular package builds are not affected. It seems stage-qa has regressed after ports r542936. Can you confirm?

Sorry, I don't maintain this port and am not interested in fixing regressions introduced by others.
Comment 3 Jan Beich freebsd_committer 2020-10-17 11:55:27 UTC
Oops, "make stage-qa" only covers orphaned/missing files under PREFIX but not leftover files elsewhere. The check is only implemented in poudriere because it builds in a clean environment.
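
The leftovers check described in comment 3, reduced to its core idea as an added example (not poudriere's code and not part of the original thread): snapshot a clean prefix, install, deinstall, and report anything that is new. The function names, the temporary prefix and the payload path share/example/bundle.crt are constructed; only etc/ssl/cert.pem and openssl/cert.pem come from the log in the description.

```shell
#!/bin/sh
# Added illustration of a "leftovers" check; simplified, not poudriere's implementation.

# snapshot PREFIX: list every path below PREFIX, real directories as "@dir path".
snapshot() {
    ( cd "$1" && find . -mindepth 1 ) | sed 's|^\./||' | while IFS= read -r p; do
        if [ -d "$1/$p" ] && [ ! -L "$1/$p" ]; then
            echo "@dir $p"
        else
            echo "$p"            # regular files and symlinks, dangling ones included
        fi
    done | LC_ALL=C sort
}

# leftovers BEFORE AFTER: entries present after deinstall that were not there before.
leftovers() {
    LC_ALL=C comm -13 "$1" "$2"
}

run_demo() {
    prefix=$(mktemp -d) || return 1
    work=$(mktemp -d) || return 1
    mkdir -p "$prefix/etc" "$prefix/share"      # clean prefix before the build
    snapshot "$prefix" > "$work/before"

    # Simulated install (constructed payload plus the two links from the log).
    mkdir -p "$prefix/share/example" "$prefix/etc/ssl" "$prefix/openssl"
    echo "constructed CA bundle" > "$prefix/share/example/bundle.crt"
    ln -s ../../share/example/bundle.crt "$prefix/etc/ssl/cert.pem"
    ln -s ../share/example/bundle.crt "$prefix/openssl/cert.pem"

    # Simulated deinstall that removes the payload but not the two links,
    # which is the end state the log in the description shows.
    rm -r "$prefix/share/example"

    snapshot "$prefix" > "$work/after"
    leftovers "$work/before" "$work/after"
    rm -rf "$prefix" "$work"
}

run_demo
```

A check like this only gives a meaningful answer when the "before" state is known to be clean, which is why it lives in a clean-room builder rather than in "make stage-qa".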
Comment 4 Jochen Neumeister freebsd_committer 2020-10-17 11:58:57 UTC
(In reply to Jan Beich from comment #2)

Then please ask for approval from now on when you update the port. I do not see any PR or other requests from you for security/ca_root_nss.
Comment 5 Jan Beich freebsd_committer 2020-10-17 12:04:48 UTC
(In reply to Jochen Neumeister from comment #4)
See review D2640 discussion. I've updated both nss and ca_root_nss to avoid desync when OpenSSL consumers still trust some CAs but Firefox and Chromium no longer do. Happy to not bother anymore. Besides, newer FreeBSD versions have certctl(1), so the port can probably be removed in future.
Comment 6 Matthias Andree freebsd_committer 2020-10-17 12:10:59 UTC
So for me it's not clear what exactly changed because I simply haven't debugged it; the finding, however, is that with testport or bulk -t, mail/fetchmailconf no longer builds because ca_root_nss does not.

And GNOME as repeat offender aside, bulk -t normally works, and it should so that we don't mess up portmaster/portupgrade users, or users who build ports manually in live systems without poudriere or tinderbox.
Comment 7 Jan Beich freebsd_committer 2020-10-17 12:34:48 UTC
(In reply to Matthias Andree from comment #6)
> mail/fetchmailconf no longer builds because ca_root_nss does not.

Try adding -k (on command line) or PORTTESTING_FATAL=no to /usr/local/etc/poudriere.conf

(In reply to Matthias Andree from comment #6)
> bulk -t normally works

-t only tests explicitly specified ports (in a file or on command line). Did you try adding -r as well?
Comment 8 Matthias Andree freebsd_committer 2020-10-17 13:00:05 UTC
I have used the Git tree to bisect this; it can be traced back to commit r550860. Cc'ing manu@. Have reopened https://reviews.freebsd.org/D23617

https://svnweb.freebsd.org/ports?view=revision&revision=550860

55c8cc1d7a5265ae807deabd0791707300253951 is the first bad commit
commit 55c8cc1d7a5265ae807deabd0791707300253951
Author: manu <manu@FreeBSD.org>
Date:   Thu Oct 1 18:32:29 2020 +0000

    Lua version of the @sample
    
    The bonus of this version being: sandboxed
    Natively rootdir compliant.
    
    Reviewed by:    portmgr (bapt@, mat@)
    Differential Revision:  https://reviews.freebsd.org/D23617

 Keywords/sample.ucl | 64 +++++++++++++++++++++--------------------------------
 1 file changed, 25 insertions(+), 39 deletions(-)
'bisect run' erfolgreich ausgeführt
Comment 9 Matthias Andree freebsd_committer 2020-10-17 13:12:48 UTC
For completeness on today's read-only Git copy:

$ git bisect log
git bisect start
# bad: [6b949c9bddcb138d330be7e3cb124dba1e799443] Update to 2.0.0
git bisect bad 6b949c9bddcb138d330be7e3cb124dba1e799443
# bad: [c5618c177edc5d65344d814680560f0c25fc5051] lang/intel-compute-runtime: update to 20.39.17972
git bisect bad c5618c177edc5d65344d814680560f0c25fc5051
# good: [dfdcf3e744fc72995630051d57462d139e079bea] - Update to 0.24.2
git bisect good dfdcf3e744fc72995630051d57462d139e079bea
# good: [8054da80d8c12dfe7fc8d3066ddc764506a14901] Update to 1.10.0
git bisect good 8054da80d8c12dfe7fc8d3066ddc764506a14901
# good: [632e49b81988f6854b45602cbc7f11e4e0c39f76] Add new samba412 port, version 4.12.7
git bisect good 632e49b81988f6854b45602cbc7f11e4e0c39f76
# good: [8a48cc8c9f38e63a8b9ac0d93df0c4200cb136a4] Add a forgotten patch which disable flatpak
git bisect good 8a48cc8c9f38e63a8b9ac0d93df0c4200cb136a4
# bad: [e97d566d80195c9922ffddf9ca12716b4bb4986d] Update to 1.33.0
git bisect bad e97d566d80195c9922ffddf9ca12716b4bb4986d
# good: [fbc3e3ff29971eb9c15bfbe33fa5fd20e23b73ed] devel/jetbrains-clion: Update to 2020.2.3
git bisect good fbc3e3ff29971eb9c15bfbe33fa5fd20e23b73ed
# bad: [8f1daa504d3023e6c88b02469f19b2b7b03b4ce7] Typo
git bisect bad 8f1daa504d3023e6c88b02469f19b2b7b03b4ce7
# good: [675bac448b0c7337945ce4d472cce28d3973a1c1] Update to 4.0.41
git bisect good 675bac448b0c7337945ce4d472cce28d3973a1c1
# bad: [6c6dec7f2ab18803fac3aa1c8e437d5fbc2a097b] Fix build with -fno-common
git bisect bad 6c6dec7f2ab18803fac3aa1c8e437d5fbc2a097b
# good: [49e3cce49a2ba19f7e53091accc2a2f780792a67] Fix build with -fno-common
git bisect good 49e3cce49a2ba19f7e53091accc2a2f780792a67
# bad: [8f22daba211a88657fd4067cbb4075ba19196d4b] - Update to version 3.4.4.0 - C++ standard was bumped to 14 - GC no longer needed patching
git bisect bad 8f22daba211a88657fd4067cbb4075ba19196d4b
# bad: [4b4e77e0e7ed38e37764926a6f55e27c167f27a2] Fix build with -fno-common
git bisect bad 4b4e77e0e7ed38e37764926a6f55e27c167f27a2
# bad: [55c8cc1d7a5265ae807deabd0791707300253951] Lua version of the @sample
git bisect bad 55c8cc1d7a5265ae807deabd0791707300253951
# first bad commit: [55c8cc1d7a5265ae807deabd0791707300253951] Lua version of the @sample