Tests would fail once certificates had expired, along these lines:

    chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1
    vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-build-nss-3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
    Chain is bad!
    PROBLEM WITH THE CERT CHAIN:
    CERT 0. PayPalEE :
    ERROR -8181: Peer's Certificate has expired.
    Returned value is 1, expected result is pass

Using 'faketime' allows us to get deterministic results.

* gnu/packages/gnuzilla.scm (nss)[arguments]: In 'check' phase, run
'all.sh' under 'faketime'.
[native-inputs]: Add LIBFAKETIME.
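
The failure mode described in the commit message above, reproduced with a throwaway certificate as an added example (not part of the Guix commit or the NSS test suite). It pins the verification time with `openssl verify -attime` rather than faketime; the fixture name and its one-day lifetime are constructed.

```bash
#!/usr/bin/env bash
# Added example: a test that verifies a bundled certificate gives different
# results depending only on the clock; pinning the time makes it repeatable.

# Constructed fixture: self-signed certificate valid for one day from now.
make_fixture() {            # $1 = directory receiving key.pem and cert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fixture.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Verify the certificate as if the clock read $2 (epoch seconds).
verify_at() {               # $1 = certificate, $2 = verification time
    if openssl verify -attime "$2" -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo pass
    else
        echo fail
    fi
}

demo() {
    local dir issued pinned later
    dir=$(mktemp -d) || return 1
    make_fixture "$dir" || { rm -rf "$dir"; return 1; }
    issued=$(date +%s)
    # One hour after issue: inside the validity window.
    pinned=$(verify_at "$dir/cert.pem" $((issued + 3600)))
    # Thirty days after issue: past notAfter, as on a build run much later.
    later=$(verify_at "$dir/cert.pem" $((issued + 30 * 86400)))
    rm -rf "$dir"
    echo "pinned=$pinned later=$later"
}

demo
```

A test suite that cannot pass a time to its verifier gets the same effect by running under faketime, as the commit does.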
* gnu/packages/gnuzilla.scm (icecat): Update to 60.3.0-gnu1.
[source]: Switch back to the normal source URI. Remove patches that
are no longer applicable.
* gnu/packages/patches/icecat-CVE-2018-12383.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
Includes fixes for CVE-2018-12389, CVE-2018-12390, CVE-2018-12391,
CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396, and
CVE-2018-12397.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected changesets from the
upstream mozilla-esr60 repository. Relabel some previously existing patches
to reflect CVE assignments.
Includes fixes for CVE-2018-12386 and CVE-2018-12387.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes from the
upstream mozilla-esr60 repository.
Works around <https://bugs.gnu.org/32833>.
* gnu/packages/gnuzilla.scm (icecat)[source]: In snippet, don't remove NSS.
[inputs]: Remove 'nspr' and 'nss'.
[arguments]: Remove --with-system-{nspr,nss} from configure flags.
* gnu/packages/patches/icecat-use-system-media-libs.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/patches/icecat-avoid-bundled-libraries.patch: Add
another hunk to enable removal of libevent.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patch. In the snippet, add
libevent, libogg, libvorbis, and libtremor to the list of bundled libraries to
remove. Add a comment regarding theora. Remove comments regarding unbundling
cairo, which is no longer supported.
[inputs]: Add libevent, libogg, and libvorbis.
[arguments]: Add --with-system-{libevent,ogg,vorbis} to configure flags.
Add custom bootstrap phase. Add comments.
Includes fixes for CVE-2018-12383 and CVE-2018-12385.
* gnu/packages/patches/icecat-CVE-2018-12383.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/patches/icecat-avoid-bundled-libraries.patch: Adapt to apply
cleanly to IceCat 60.
* gnu/packages/gnuzilla.scm (mozilla-patch): Update to fetch from
mozilla-esr60.
(icecat): Add selected changesets from upstream mozilla-esr60.
* gnu/packages/gnuzilla.scm (icecat): Update to 60.2.0-gnu1.
[source]: Download pre-release from alpha.gnu.org. Remove obsolete patches.
Comment out the code to delete the bundled copies of libevent, cairo,
harfbuzz, and graphite2.
[inputs]: Use the latest ffmpeg. Comment out libevent, cairo, harfbuzz, and
graphite2.
[native-inputs]: Add rust and cargo.
[arguments]: Remove --enable-gio and --disable-gnomeui. Add --disable-stylo.
Comment out --with-system-{libevent,harfbuzz,graphite2}, --enable-system-cairo.
Import %cargo-build-system-modules. Add 'patch-cargo-checksums' phase.
* gnu/packages/patches/icecat-CVE-2018-5157-and-CVE-2018-5158.patch,
gnu/packages/patches/icecat-bug-1413868-pt1.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/gnuzilla.scm (mozjs-52): New variable.
(cherry picked from commit f67db495aa6e29692e368a13130a40541d5d8273)
Signed-off-by: Marius Bakke <mbakke@fastmail.com>
Includes fixes for CVE-2018-12363, CVE-2018-12364, CVE-2018-12366, the
remaining 1 out of 2 changesets for CVE-2018-5156, and the remaining 7 out
of 17 changesets for CVE-2018-5188.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes from
the upstream mozilla-esr52 repository.
* gnu/packages/patches/icecat-bug-1413868-pt1.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Document that we include fixes for CVE-2018-6126, CVE-2018-12359,
CVE-2018-12360, CVE-2018-12362, CVE-2018-12365, 1 out of 2 changesets for
CVE-2018-5156, and 10 out of 17 changesets for CVE-2018-5188.
* gnu/packages/gnuzilla.scm (icecat)[source]: Relabel patches to reflect CVE
assignments.
Document the fact that we include fixes for CVE-2018-5154, CVE-2018-5155,
CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178,
and 9/10 changesets for CVE-2018-5150.
* gnu/packages/gnuzilla.scm (icecat)[source]: Relabel patches to reflect CVE
assignments.
* gnu/packages/patches/icecat-bug-1452075.patch: Rename to...
* gnu/packages/patches/icecat-CVE-2018-5157-and-CVE-2018-5158.patch: ...this.
* gnu/local.mk (dist_patch_DATA): Rename it.
Fixes <https://bugs.gnu.org/31356>.
Reported by Clément Lassieur <clement@lassieur.org>.
* gnu/packages/gnuzilla.scm (icecat)[inputs]: Change from FFMPEG to FFMPEG-3.4.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes
from the upstream mozilla-esr52 repository.
* gnu/packages/patches/icecat-bug-1452075.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat)[arguments]: To configure-flags, add
"--with-distribution-id=org.gnu", "--disable-tests", "--disable-updater",
"--disable-crashreporter", "--disable-maintenance-service", and
"--disable-eme". Rename the
'arrange-to-link-libxul-with-libraries-it-might-dlopen' phase to
'link-libxul-with-libraries'.
* gnu/packages/gnuzilla.scm (icecat)[arguments]: Return #t from the
'install-icons' and 'wrap-program' phases. Use 'invoke' in the custom
configure phase.
Includes fixes for CVE-2018-5146 and CVE-2018-5147.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes from
the upstream mozilla-esr52 repository.