Merge pull request #164511 from helsinki-systems/refactor/nss-latest-esr

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

@@ -1813,6 +1813,16 @@
           (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>).
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The <literal>nss</literal> package was split into
+          <literal>nss_esr</literal> and <literal>nss_latest</literal>,
+          with <literal>nss</literal> being an alias for
+          <literal>nss_esr</literal>. This was done to ease maintenance
+          of <literal>nss</literal> and dependent high-profile packages
+          like <literal>firefox</literal>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           The <literal>spark3</literal> package has been updated from

nixos/doc/manual/release-notes/rl-2205.section.md

@@ -625,6 +625,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `R` package now builds again on `aarch64-darwin` ([#158992](https://github.com/NixOS/nixpkgs/pull/158992)).
 
+- The `nss` package was split into `nss_esr` and `nss_latest`, with `nss` being an alias for `nss_esr`. This was done to ease maintenance of `nss` and dependent high-profile packages like `firefox`.
+
 - The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)):
 
   - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`.

pkgs/applications/networking/browsers/firefox/common.nix

@@ -61,7 +61,8 @@
 , libwebp
 , nasm
 , nspr
-, nss
+, nss_esr
+, nss_latest
 , pango
 , xorg
 , zip
@@ -356,7 +357,6 @@ buildStdenv.mkDerivation ({
     libwebp
     nasm
     nspr
-    nss
     pango
     perl
     xorg.libX11
@@ -373,6 +373,7 @@ buildStdenv.mkDerivation ({
     zip
     zlib
   ]
+  ++ [ (if (lib.versionAtLeast version "92") then nss_latest else nss_esr) ]
   ++ lib.optional  alsaSupport alsa-lib
   ++ lib.optional  pulseaudioSupport libpulseaudio # only headers are needed
   ++ lib.optional  gssSupport libkrb5

pkgs/applications/networking/mailreaders/thunderbird-bin/default.nix

@@ -38,7 +38,7 @@
 , adwaita-icon-theme
 , libGLU, libGL
 , nspr
-, nss
+, nss_latest
 , pango
 , pipewire
 , pciutils
@@ -132,7 +132,7 @@ stdenv.mkDerivation {
       libnotify
       libGLU libGL
       nspr
-      nss
+      nss_latest
       pango
       pipewire
       pciutils

pkgs/data/misc/cacert/default.nix

@@ -20,7 +20,7 @@ let
   blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
   extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
 
-  srcVersion = "3.74";
+  srcVersion = "3.77";
   version = if nssOverride != null then nssOverride.version else srcVersion;
   meta = with lib; {
     homepage = "https://curl.haxx.se/docs/caextract.html";
@@ -35,7 +35,7 @@ let
 
     src = if nssOverride != null then nssOverride.src else fetchurl {
       url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
-      sha256 = "0mnhdkm4galhpvfz4rv0918jwmjlwkvcvb1f5va8f3zlz48qi4l8";
+      sha256 = "1pfy33b51914sivqyaxdwfd930hzb77gm07z4f57hnyk5xddypl2";
     };
 
     dontBuild = true;

pkgs/data/misc/cacert/update.sh

@@ -13,14 +13,11 @@
 # As of this writing there are a few magnitudes more packages depending on
 # cacert than on nss.
 #
-# If the current nixpkgs revision contains the attribute `nss_latest` that will
-# be used instead of `nss`. This is done to help the stable branch maintenance
-# where (usually) after branch-off during the first Firefox upgrade that
-# requries a new NSS version that attribute is introduced.
-# By having this change in the unstable branch we can safely carry it from
-# release to release without requiring more backport churn on those doing the
-# stable maintenance.
-
+# We use `nss_latest` instead of `nss_esr`, because that is the newer version
+# and we want up-to-date certificates.
+# `nss_esr` is used for the ecosystem at large through the `nss` attribute,
+# because it is updated less frequently and maintained for longer, whereas `nss_latest`
+# is used for software that actually needs a new nss, e.g. Firefox.
 
 set -ex
 
@@ -28,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 
 
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out")
 
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -37,6 +34,6 @@ CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc")
 PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 
 if [[ "$CURRENT_HASH" !=  "$PATCHED_HASH" ]]; then
-    NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
+    NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .)
     update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
 fi

pkgs/development/libraries/nss/85_security_load_3.77+.patch

@@ -0,0 +1,76 @@
+diff --git nss/cmd/shlibsign/shlibsign.c nss/cmd/shlibsign/shlibsign.c
+index ad8f3b84e..74676d039 100644
+--- nss/cmd/shlibsign/shlibsign.c
++++ nss/cmd/shlibsign/shlibsign.c
+@@ -875,6 +875,8 @@ main(int argc, char **argv)
+         goto cleanup;
+     }
+     lib = PR_LoadLibrary(libname);
++    if (!lib)
++        lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so");
+     assert(lib != NULL);
+     if (!lib) {
+         PR_fprintf(PR_STDERR, "loading softokn3 failed");
+diff --git nss/lib/pk11wrap/pk11load.c nss/lib/pk11wrap/pk11load.c
+index 119c8c512..720d39ccc 100644
+--- nss/lib/pk11wrap/pk11load.c
++++ nss/lib/pk11wrap/pk11load.c
+@@ -486,6 +486,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
+ #else
+         library = PR_LoadLibrary(mod->dllName);
+ #endif // defined(_WIN32)
++#ifndef NSS_STATIC_SOFTOKEN
++        if ((library == NULL) &&
++            !rindex(mod->dllName, PR_GetDirectorySeparator())) {
++            library = PORT_LoadLibraryFromOrigin(my_shlib_name,
++                (PRFuncPtr) &softoken_LoadDSO,
++                mod->dllName);
++        }
++#endif
++
+         mod->library = (void *)library;
+ 
+         if (library == NULL) {
+diff --git nss/lib/util/secload.c nss/lib/util/secload.c
+index 12efd2f75..8b74478f6 100644
+--- nss/lib/util/secload.c
++++ nss/lib/util/secload.c
+@@ -70,9 +70,14 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+ 
+     /* Remove the trailing filename from referencePath and add the new one */
+     c = strrchr(referencePath, PR_GetDirectorySeparator());
++    if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0]
++               * and program was called from $PATH. Hack to get libs from NIX_NSS_LIBDIR */
++        referencePath = NIX_NSS_LIBDIR;
++        c = (char*) &referencePath[sizeof(NIX_NSS_LIBDIR) - 1]; /* last / */
++    }
+     if (c) {
+         size_t referencePathSize = 1 + c - referencePath;
+-        fullName = (char*)PORT_Alloc(strlen(name) + referencePathSize + 1);
++        fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5);
+         if (fullName) {
+             memcpy(fullName, referencePath, referencePathSize);
+             strcpy(fullName + referencePathSize, name);
+@@ -82,6 +87,11 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+ #endif
+             libSpec.type = PR_LibSpec_Pathname;
+             libSpec.value.pathname = fullName;
++            if ((referencePathSize >= 4) &&
++                (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) {
++                memcpy(fullName + referencePathSize -4, "lib", 3);
++            }
++            strcpy(fullName + referencePathSize, name);
+             dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL
+ #ifdef PR_LD_ALT_SEARCH_PATH
+                                                        /* allow library's dependencies to be found in the same directory
+@@ -89,6 +99,10 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+                                                        | PR_LD_ALT_SEARCH_PATH
+ #endif
+                                           );
++            if (! dlh) {
++                strcpy(fullName + referencePathSize, name);
++                dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
++            }
+             PORT_Free(fullName);
+         }
+     }

pkgs/development/libraries/nss/esr.nix

@@ -0,0 +1,4 @@
+import ./generic.nix {
+  version = "3.68.3";
+  sha256 = "sha256-5NDZsLVhfLM0gSZC7YAfjlH1mVyN2FwN78jMra/Lwzc=";
+}

pkgs/development/libraries/nss/generic.nix

@@ -1,3 +1,4 @@
+{ version, sha256 }:
 { lib
 , stdenv
 , fetchurl
@@ -22,14 +23,7 @@ let
     sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
   };
 
-  # NOTE: Whenever you updated this version check if the `cacert` package also
-  #       needs an update. You can run the regular updater script for cacerts.
-  #       It will rebuild itself using the version of this package (NSS) and if
-  #       an update is required do the required changes to the expression.
-  #       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
-  version = "3.76";
   underscoreVersion = lib.replaceStrings [ "." ] [ "_" ] version;
-
 in
 stdenv.mkDerivation rec {
   pname = "nss";
@@ -37,7 +31,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
-    sha256 = "0c0nmajcvnm8gqz2v6wrlq04yzy3y7hcs806wjnx4r6kml8073hv";
+    inherit sha256;
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
@@ -68,9 +62,13 @@ stdenv.mkDerivation rec {
 
   patches = [
     # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
-    ./85_security_load.patch
     ./ckpem.patch
     ./fix-cross-compilation.patch
+    (if (lib.versionOlder version "3.77") then
+      ./85_security_load.patch
+    else
+      ./85_security_load_3.77+.patch
+    )
   ];
 
   patchFlags = [ "-p0" ];
@@ -192,7 +190,7 @@ stdenv.mkDerivation rec {
     homepage = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS";
     description = "A set of libraries for development of security-enabled client and server applications";
     changelog = "https://github.com/nss-dev/nss/blob/master/doc/rst/releases/nss_${underscoreVersion}.rst";
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ hexa ajs124 ];
     license = licenses.mpl20;
     platforms = platforms.all;
   };

pkgs/development/libraries/nss/latest.nix

@@ -0,0 +1,10 @@
+# NOTE: Whenever you updated this version check if the `cacert` package also
+#       needs an update. You can run the regular updater script for cacerts.
+#       It will rebuild itself using the version of this package (NSS) and if
+#       an update is required do the required changes to the expression.
+#       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
+
+import ./generic.nix {
+  version = "3.77";
+  sha256 = "1pfy33b51914sivqyaxdwfd930hzb77gm07z4f57hnyk5xddypl2";
+}

pkgs/top-level/all-packages.nix

@@ -19439,7 +19439,9 @@ with pkgs;
     inherit (darwin.apple_sdk.frameworks) CoreServices;
   };
 
-  nss = lowPrio (callPackage ../development/libraries/nss { });
+  nss_latest = callPackage ../development/libraries/nss/latest.nix { };
+  nss_esr = callPackage ../development/libraries/nss/esr.nix { };
+  nss = nss_esr;
   nssTools = nss.tools;
 
   nss_wrapper = callPackage ../development/libraries/nss_wrapper { };