Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2721373002:
Uprev NSS requirement on Linux to 3.26 (Closed)
|
Created:
3 years, 9 months ago by Ryan Sleevi Modified:
3 years, 6 months ago CC:
chromium-reviews, grt+watch_chromium.org, pennymac+watch_chromium.org, Michael Moss, wfh+watch_chromium.org Target Ref:
refs/heads/master Project:
chromium Visibility:
Public. |
DescriptionUprev NSS requirement on Linux to 3.26
BUG=691261
Review-Url: https://codereview.chromium.org/2721373002
Cr-Commit-Position: refs/heads/master@{#478030}
Committed: https://chromium.googlesource.com/chromium/src/+/b52a2dfadb3158e39a3848d3631a2deffd4b2ac8
Patch Set 1 #Patch Set 2 : Update runtime checks #
Total comments: 1
Patch Set 3 : Weaken compile time check #Patch Set 4 : Update expected deps #Patch Set 5 : Update RPM deps #
Total comments: 2
Patch Set 6 : Rebased #Patch Set 7 : Rollback expected_deps #Patch Set 8 : Update compile-time check now that Wheezy is gone #Patch Set 9 : Update RPM dep #Patch Set 10 : More updates #Patch Set 11 : Use >= 3.26 #Patch Set 12 : Update deps #
Messages
Total messages: 82 (29 generated)
rsleevi@chromium.org changed reviewers: + phajdan.jr@chromium.org
The CQ bit was checked by rsleevi@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
rsleevi@chromium.org changed reviewers: + davidben@chromium.org, thomasanderson@chromium.org - phajdan.jr@chromium.org
Switching to an MTV reviewer and adding a //crypto OWNER
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
https://codereview.chromium.org/2721373002/diff/20001/crypto/nss_util.cc File crypto/nss_util.cc (right): https://codereview.chromium.org/2721373002/diff/20001/crypto/nss_util.cc#newc... crypto/nss_util.cc:675: (NSS_VMAJOR == 3 && NSS_VMINOR >= 26) || This won't work when compiling against the Wheezy sysroot. You'll need to either 1. Change this to a runtime check 2. Wait until we switch to the Jessie sysroot Option 2 should become possible within a week, but it's up to you
Thanks for the heads up, please take another look. I switched this to Option 1 to see if we can get it in for M58, and will switch to Option 2 once we move off the sysroot :)
lgtm
The CQ bit was checked by rsleevi@chromium.org to run a CQ dry run
LGTM
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
Chromium has been using the Jessie sysroot for a little while now, so I think this is safe to land. I'll restart the tryjobs for you
The CQ bit was checked by thomasanderson@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Oh also you need to update expected_deps_x64_jessie and expected_deps_ia32_jessie to reference the new version before landing
The CQ bit was checked by rsleevi@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
rsleevi@chromium.org changed reviewers: + thestig@chromium.org
Thanks Tom. Please let me know if I properly understood your remarks. Also adding thestig@ for OWNERS :)
On 2017/05/19 22:15:50, Ryan Sleevi wrote: > Thanks Tom. > > Please let me know if I properly understood your remarks. Those updates are probably correct, but it's best to make sure before landing (otherwise this will break the Linux official builder). It's a bit of a process This requires an official build: is_chrome_branded = true is_debug = false is_official_build = true use_goma = true allow_posix_link_time_opt = true # you need this :( And then build the x64 deb package: $ GYP_DEFINES='buildtype=Official branding=Chrome' ninja -C out/Release -j1024 chrome/installer/linux:stable_deb If the above errors out at the end due to deps changes, the expected_deps files need to be updated. The ia32 deps file isn't officially maintained, so you can just copy the changes from the x64 file into it. > Also adding thestig@ for OWNERS :)
What about chrome/installer/linux/rpm/build.sh ? Ryan/Tom, did you verify supported Linux distros all have 3.26+?
On 2017/05/19 22:34:12, Lei Zhang wrote: > What about chrome/installer/linux/rpm/build.sh ? More surprises :D > Ryan/Tom, did you verify supported Linux distros all have 3.26+? https://bugs.chromium.org/p/chromium/issues/detail?id=691261#c4 Is there anything more I should evaluate? You seemed supportive in https://bugs.chromium.org/p/chromium/issues/detail?id=691261#c7 and Pawel did in https://bugs.chromium.org/p/chromium/issues/detail?id=691261#c8
On 2017/05/19 22:34:12, Lei Zhang wrote: > What about chrome/installer/linux/rpm/build.sh ? > > Ryan/Tom, did you verify supported Linux distros all have 3.26+? nss is a security package and is regularly backported on most distros: Trusty was released with 3.15.4, but has 3.28.4 in 'trusty-security' and 'trusty-updates' Jessie has 3.26.? Fedora 24 has 3.30.2 openSUSE Leap 42.1 has 3.28.4
On 2017/05/19 22:50:37, Tom Anderson wrote: > On 2017/05/19 22:34:12, Lei Zhang wrote: > > What about chrome/installer/linux/rpm/build.sh ? > > > > Ryan/Tom, did you verify supported Linux distros all have 3.26+? > > nss is a security package and is regularly backported on most distros: > > Trusty was released with 3.15.4, but has 3.28.4 in 'trusty-security' and > 'trusty-updates' > Jessie has 3.26.? > Fedora 24 has 3.30.2 > openSUSE Leap 42.1 has 3.28.4 Thanks. lgtm with the RPM side changes too.
On 2017/05/19 22:46:00, Ryan Sleevi wrote: > You seemed supportive in > https://bugs.chromium.org/p/chromium/issues/detail?id=691261#c7 and Pawel did in > https://bugs.chromium.org/p/chromium/issues/detail?id=691261#c8 Sure, but only discussed the .deb side and didn't look at the .rpm side. Plus it's been a while and I forgot already.
Assuming https://support.google.com/chrome/a/answer/7100626?hl=en is still correct and the requirements are: 64-bit Ubuntu 14.04+, Debian 8+, openSUSE 13.3+, or Fedora Linux 24+ Ubuntu 14.04: http://packages.ubuntu.com/search?keywords=libnss3 - 3.28.4 Debian 8: https://packages.debian.org/jessie/libnss3 - 3.26 openSUSE 13.3: I can't find references to it - 13.2 was followed by Leap 42.1 (perhaps a rebrand? noted on https://en.opensuse.org/Lifetime ), but Leap 42.1 shipped with 3.20-1 ( http://download.opensuse.org/distribution/leap/42.1/repo/oss/suse/x86_64/ ) and was updated to at least 3.28.4 ( http://download.opensuse.org/update/leap/42.1/oss/x86_64/ ) Fedora Linux 24: https://apps.fedoraproject.org/packages/nss (3.30.2 across the board, since it has important security fixes) Does that help?
On 2017/05/19 22:57:36, Ryan Sleevi wrote: > openSUSE 13.3: I can't find references to it - 13.2 was followed by Leap 42.1 > (perhaps a rebrand? noted on https://en.opensuse.org/Lifetime ), but Leap 42.1 > shipped with 3.20-1 ( Ya, I noticed too. Not sure what happened there. Looks like we all checked and we all agree this is ok.
On 2017/05/19 23:01:45, Lei Zhang wrote: > On 2017/05/19 22:57:36, Ryan Sleevi wrote: > > openSUSE 13.3: I can't find references to it - 13.2 was followed by Leap 42.1 > > (perhaps a rebrand? noted on https://en.opensuse.org/Lifetime ), but Leap 42.1 > > shipped with 3.20-1 ( > > Ya, I noticed too. Not sure what happened there. > > Looks like we all checked and we all agree this is ok. Yeah, that was my bad. It was supposed to be "openSUSE Leap 42.1". However, as of May 17th 2017, that version is EOL too, and the new requirement is "openSUSE Leap 42.2".
thestig: Can you advise on how best to test? Also, one more question https://codereview.chromium.org/2721373002/diff/80001/chrome/installer/linux/... File chrome/installer/linux/rpm/build.sh (right): https://codereview.chromium.org/2721373002/diff/80001/chrome/installer/linux/... chrome/installer/linux/rpm/build.sh:156: libnss3.so(NSS_3.28.4)${PKG_ARCH}, \ thestig: Did I properly understand your remarks here? How can I best test this? From talking with Tom, the RPM applies to Fedora and openSuse. openSUSE has OOTB had 3.20-1, security updates had 3.28.4, Fedora has 3.30.2 If we're allowed to bump up the requirements to Leap 42.2, then http://download.opensuse.org/distribution/leap/42.2/repo/oss/suse/ suggests it started at 3.25 and http://download.opensuse.org/update/leap/42.2/oss/src/ suggests it goes up to 3.28.4
https://codereview.chromium.org/2721373002/diff/80001/chrome/installer/linux/... File chrome/installer/linux/rpm/build.sh (right): https://codereview.chromium.org/2721373002/diff/80001/chrome/installer/linux/... chrome/installer/linux/rpm/build.sh:156: libnss3.so(NSS_3.28.4)${PKG_ARCH}, \ On 2017/05/19 23:09:00, Ryan Sleevi wrote: > thestig: Did I properly understand your remarks here? How can I best test this? Tom already had suggestions on how to make sure it passes buildbots. I expect this to work on user's machines and I don't expect you to install all these Linux distros and test them yourself. If Tom happens to have these distros set up somewhere already, maybe he can help test? > From talking with Tom, the RPM applies to Fedora and openSuse. openSUSE has OOTB > had 3.20-1, security updates had 3.28.4, Fedora has 3.30.2 > > If we're allowed to bump up the requirements to Leap 42.2, then > http://download.opensuse.org/distribution/leap/42.2/repo/oss/suse/ suggests it > started at 3.25 and http://download.opensuse.org/update/leap/42.2/oss/src/ > suggests it goes up to 3.28.4 I've been going off the latest security updates for any distro, and not the OOTB software versions. If a user complains, the answer is to stop using insecure software.
So I've tried to do this, following official build instructions, but I'm
guessing I may have botched the sysroots or something?
[1/8] ACTION
//chrome/installer/linux:beta_deb(//build/toolchain/linux:clang_x64)
FAILED: google-chrome-beta_60.0.3105.0-1_amd64.deb
python ../../chrome/installer/linux/flock_make_package.py linux_package.lock
installer/debian/build.sh -o . -b . -a x64 -c beta -d google_chrome -s
/usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot
dpkg-shlibdeps: warning: binaries to analyze should already be installed in
their package's directory
---
/usr/local/google/home/sleevi/development/chromium/src/out/Release/installer/debian/expected_deps_x64_jessie
2017-05-19 18:13:40.321267277 -0400
+++ actual 2017-05-25 11:40:52.838150677 -0400
@@ -12,8 +12,8 @@
libgdk-pixbuf2.0-0 (>= 2.22.0)
libglib2.0-0 (>= 2.28.0)
libgtk-3-0 (>= 3.3.16)
-libnspr4 (>= 2:4.12)
-libnss3 (>= 2:3.26)
+libnspr4 (>= 2:4.9-2~)
+libnss3 (>= 2:3.13.4-2~)
libpango-1.0-0 (>= 1.14.0)
libpangocairo-1.0-0 (>= 1.14.0)
libstdc++6 (>= 4.8.1)
ERROR: Shared library dependencies changed!
If this is intentional, please update:
chrome/installer/linux/debian/expected_deps_ia32_jessie
chrome/installer/linux/debian/expected_deps_x64_jessie
If I look in
src/build/linux/debian_jessie_amd64-sysroot/usr/lib/x86_64-linux-gnu/nss , I see
it has a libnss from October 3 2016
What's the process here? Am I holding it wrong?
On 2017/05/25 15:44:32, Ryan Sleevi wrote: > So I've tried to do this, following official build instructions, but I'm > guessing I may have botched the sysroots or something? > > [1/8] ACTION > //chrome/installer/linux:beta_deb(//build/toolchain/linux:clang_x64) > FAILED: google-chrome-beta_60.0.3105.0-1_amd64.deb > python ../../chrome/installer/linux/flock_make_package.py linux_package.lock > installer/debian/build.sh -o . -b . -a x64 -c beta -d google_chrome -s > /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot > dpkg-shlibdeps: warning: binaries to analyze should already be installed in > their package's directory > --- > /usr/local/google/home/sleevi/development/chromium/src/out/Release/installer/debian/expected_deps_x64_jessie > 2017-05-19 18:13:40.321267277 -0400 > +++ actual 2017-05-25 11:40:52.838150677 -0400 > @@ -12,8 +12,8 @@ > libgdk-pixbuf2.0-0 (>= 2.22.0) > libglib2.0-0 (>= 2.28.0) > libgtk-3-0 (>= 3.3.16) > -libnspr4 (>= 2:4.12) > -libnss3 (>= 2:3.26) > +libnspr4 (>= 2:4.9-2~) > +libnss3 (>= 2:3.13.4-2~) > libpango-1.0-0 (>= 1.14.0) > libpangocairo-1.0-0 (>= 1.14.0) > libstdc++6 (>= 4.8.1) > > ERROR: Shared library dependencies changed! > If this is intentional, please update: > chrome/installer/linux/debian/expected_deps_ia32_jessie > chrome/installer/linux/debian/expected_deps_x64_jessie > > > If I look in > src/build/linux/debian_jessie_amd64-sysroot/usr/lib/x86_64-linux-gnu/nss , I see > it has a libnss from October 3 2016 > > What's the process here? Am I holding it wrong? Ah, I think the original DEPS were actually correct since you didn't add any symbols that are only in 3.26. This is what the build.sh manual dependency is needed for. If you skip the DEPS check (set IGNORE_DEPS_CHANGES=1) to force package building, and run 'dpkg -I out/Release/<filename>.deb', what are the actual dependencies? Also, if you build the rpm package too, I can test it on some openSUSE and Fedora VMs.
On 2017/05/25 18:29:08, Tom Anderson wrote: > Ah, I think the original DEPS were actually correct since you didn't add any > symbols that are only in 3.26. This is what the build.sh manual dependency is > needed for. If you skip the DEPS check (set IGNORE_DEPS_CHANGES=1) to force > package building, and run 'dpkg -I out/Release/<filename>.deb', what are the > actual dependencies? > > Also, if you build the rpm package too, I can test it on some openSUSE and > Fedora VMs. The RPM also fails building because of these build deps. Are the sysroots what we end up using for the memory bots? If so, then changing it to just a runtime check is going to have those bots failing again. My hope was that it's possible to update the sysroots with the security-updates package from the appropriate distro, but perhaps that's unfeasible? It seems better for packagers and consumers if updating 'fails fast' (because of the unmet dependency) rather than left as a runtime dependency (e.g. "Chrome won't launch anymore") Perhaps I've misunderstood how this works though? I thought the scenario I described - updating the explicit dependencies - is what thestig@ meant in https://codereview.chromium.org/2721373002/#msg35
On 2017/05/26 11:43:10, Ryan Sleevi wrote: > On 2017/05/25 18:29:08, Tom Anderson wrote: > > Ah, I think the original DEPS were actually correct since you didn't add any > > symbols that are only in 3.26. This is what the build.sh manual dependency is > > needed for. If you skip the DEPS check (set IGNORE_DEPS_CHANGES=1) to force > > package building, and run 'dpkg -I out/Release/<filename>.deb', what are the > > actual dependencies? > > > > Also, if you build the rpm package too, I can test it on some openSUSE and > > Fedora VMs. > > The RPM also fails building because of these build deps. > > Are the sysroots what we end up using for the memory bots? We link against the libraries in the sysroots when building, but dynamically link against the system libraries at runtime. > If so, then changing > it to just a runtime check is going to have those bots failing again. My hope > was that it's possible to update the sysroots with the security-updates package > from the appropriate distro, but perhaps that's unfeasible? That's very possible :) I'll try to have a CL out for that today. We already pull in jessie-updates, and I think it would make sense to pull in jessie-security as well. I'm not sure if this would actually change expected_deps_x64_jessie though. The way the versions in that file are calculated is by looking at the symbols required in the resulting Chrome binary from libnss.so. Each symbol has the version it was introduced in, and the resulting dependency version is the max of all of the used symbols. That's why we have the manual dependency added by build.sh. If we have a dependency on "libnss3 (>= 2:3.13.4-2~)" and "libnss3 (>= 2:3.26)", then it is effectively just a dependency on "libnss3 (>= 2:3.26)". Can you run 'dpkg -I out/Release/<filename>.deb' to find out what the real dependencies are? > It seems better for > packagers and consumers if updating 'fails fast' (because of the unmet > dependency) rather than left as a runtime dependency (e.g. "Chrome won't launch > anymore") > > Perhaps I've misunderstood how this works though? I thought the scenario I > described - updating the explicit dependencies - is what thestig@ meant in > https://codereview.chromium.org/2721373002/#msg35
On 2017/05/26 17:09:21, Tom Anderson wrote: > I'm not sure if this would actually change expected_deps_x64_jessie though. The > way the versions in that file are calculated is by looking at the symbols > required in the resulting Chrome binary from libnss.so. Each symbol has the > version it was introduced in, and the resulting dependency version is the max of > all of the used symbols. That's why we have the manual dependency added by > build.sh. If we have a dependency on "libnss3 (>= 2:3.13.4-2~)" and "libnss3 > (>= 2:3.26)", then it is effectively just a dependency on "libnss3 (>= 2:3.26)". > Can you run 'dpkg -I out/Release/<filename>.deb' to find out what the real > dependencies are? I tried, it's not correct. :\
On 2017/05/26 19:14:03, Lei Zhang wrote: > I tried, it's not correct. :\ Comparing what we pass in via $DEPENDS in do_package() in chrome/installer/linux/debian/build.sh vs what dpkg -I actually reports, it looks like dpkg only took the libnss3 (>= 2:3.13.4-2~) entry. Let me see if it's an ordering thing. Maybe we just need to pass in our manual dependency first.
On 2017/05/26 19:21:32, Lei Zhang wrote: > On 2017/05/26 19:14:03, Lei Zhang wrote: > > I tried, it's not correct. :\ > > Comparing what we pass in via $DEPENDS in do_package() in > chrome/installer/linux/debian/build.sh vs what dpkg -I actually reports, it > looks like dpkg only took the libnss3 (>= 2:3.13.4-2~) entry. Let me see if it's > an ordering thing. Maybe we just need to pass in our manual dependency first. Putting $ADDITION_DEPS in front of $DPKG_SHLIB_DEPS didn't help. I think we need to remove the libnss entry from $DPKG_SHLIB_DEPS.
On 2017/05/26 19:29:03, Lei Zhang wrote: > Putting $ADDITION_DEPS in front of $DPKG_SHLIB_DEPS didn't help. I think we need > to remove the libnss entry from $DPKG_SHLIB_DEPS. I uploaded https://codereview.chromium.org/2903253005 to do that, as a prereq for this CL.
On 2017/05/26 21:13:48, Lei Zhang wrote: > On 2017/05/26 19:29:03, Lei Zhang wrote: > > Putting $ADDITION_DEPS in front of $DPKG_SHLIB_DEPS didn't help. I think we > need > > to remove the libnss entry from $DPKG_SHLIB_DEPS. > > I uploaded https://codereview.chromium.org/2903253005 to do that, as a prereq > for this CL. So I rebased this CL on ToT today (which this CL is landed as did https://codereview.chromium.org/2911763002) and I'm still having failures. I did run gclient sync as appropriate, and my triggers did include: ________ running '/usr/bin/python src/build/linux/sysroot_scripts/install-sysroot.py --running-as-hook' in '/usr/local/google/home/sleevi/development/chromium' Jessie amd64 sysroot image already up to date: /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot Jessie i386 sysroot image already up to date: /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_i386-sysroot [324/327] ACTION //chrome/installer/linux:unstable_deb(//build/toolchain/linux:clang_x64) FAILED: google-chrome-unstable_61.0.3116.0-1_amd64.deb python ../../chrome/installer/linux/flock_make_package.py linux_package.lock installer/debian/build.sh -o . -b . -a x64 -c unstable -d google_chrome -s /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot dpkg-shlibdeps: warning: binaries to analyze should already be installed in their package's directory --- /usr/local/google/home/sleevi/development/chromium/src/out/Release/installer/debian/expected_deps_x64_jessie 2017-05-30 10:39:58.676873773 -0400 +++ actual 2017-05-30 12:50:04.540770526 -0400 @@ -12,8 +12,8 @@ libgdk-pixbuf2.0-0 (>= 2.22.0) libglib2.0-0 (>= 2.28.0) libgtk-3-0 (>= 3.3.16) -libnspr4 (>= 2:4.12) -libnss3 (>= 2:3.26) +libnspr4 (>= 2:4.9-2~) +libnss3 (>= 2:3.13.4-2~) libpango-1.0-0 (>= 1.14.0) libpangocairo-1.0-0 (>= 1.14.0) libstdc++6 (>= 4.8.1) ERROR: Shared library dependencies changed! If this is intentional, please update: chrome/installer/linux/debian/expected_deps_ia32_jessie chrome/installer/linux/debian/expected_deps_x64_jessie
On 2017/05/30 16:52:37, Ryan Sleevi wrote: > On 2017/05/26 21:13:48, Lei Zhang wrote: > > On 2017/05/26 19:29:03, Lei Zhang wrote: > > > Putting $ADDITION_DEPS in front of $DPKG_SHLIB_DEPS didn't help. I think we > > need > > > to remove the libnss entry from $DPKG_SHLIB_DEPS. > > > > I uploaded https://codereview.chromium.org/2903253005 to do that, as a prereq > > for this CL. > > So I rebased this CL on ToT today (which this CL is landed as did > https://codereview.chromium.org/2911763002) and I'm still having failures. > > I did run gclient sync as appropriate, and my triggers did include: > ________ running '/usr/bin/python > src/build/linux/sysroot_scripts/install-sysroot.py --running-as-hook' in > '/usr/local/google/home/sleevi/development/chromium' > Jessie amd64 sysroot image already up to date: > /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot > Jessie i386 sysroot image already up to date: > /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_i386-sysroot > > [324/327] ACTION > //chrome/installer/linux:unstable_deb(//build/toolchain/linux:clang_x64) > FAILED: google-chrome-unstable_61.0.3116.0-1_amd64.deb > python ../../chrome/installer/linux/flock_make_package.py linux_package.lock > installer/debian/build.sh -o . -b . -a x64 -c unstable -d google_chrome -s > /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot > dpkg-shlibdeps: warning: binaries to analyze should already be installed in > their package's directory > --- > /usr/local/google/home/sleevi/development/chromium/src/out/Release/installer/debian/expected_deps_x64_jessie > 2017-05-30 10:39:58.676873773 -0400 > +++ actual 2017-05-30 12:50:04.540770526 -0400 > @@ -12,8 +12,8 @@ > libgdk-pixbuf2.0-0 (>= 2.22.0) > libglib2.0-0 (>= 2.28.0) > libgtk-3-0 (>= 3.3.16) > -libnspr4 (>= 2:4.12) > -libnss3 (>= 2:3.26) > +libnspr4 (>= 2:4.9-2~) > +libnss3 (>= 2:3.13.4-2~) > libpango-1.0-0 (>= 1.14.0) > libpangocairo-1.0-0 (>= 1.14.0) > libstdc++6 (>= 4.8.1) > > ERROR: Shared library dependencies changed! > If this is intentional, please update: > chrome/installer/linux/debian/expected_deps_ia32_jessie > chrome/installer/linux/debian/expected_deps_x64_jessie Your checkout should include this https://codereview.chromium.org/2903253005/ which fixes the manual libnss3 dependency. Revert the expected_deps changes and make sure dpkg -I shows the updated dependency.
On 2017/05/30 18:22:46, Tom Anderson wrote: > On 2017/05/30 16:52:37, Ryan Sleevi wrote: > > On 2017/05/26 21:13:48, Lei Zhang wrote: > > > On 2017/05/26 19:29:03, Lei Zhang wrote: > > > > Putting $ADDITION_DEPS in front of $DPKG_SHLIB_DEPS didn't help. I think > we > > > need > > > > to remove the libnss entry from $DPKG_SHLIB_DEPS. > > > > > > I uploaded https://codereview.chromium.org/2903253005 to do that, as a > prereq > > > for this CL. > > > > So I rebased this CL on ToT today (which this CL is landed as did > > https://codereview.chromium.org/2911763002) and I'm still having failures. > > > > I did run gclient sync as appropriate, and my triggers did include: > > ________ running '/usr/bin/python > > src/build/linux/sysroot_scripts/install-sysroot.py --running-as-hook' in > > '/usr/local/google/home/sleevi/development/chromium' > > Jessie amd64 sysroot image already up to date: > > > /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot > > Jessie i386 sysroot image already up to date: > > > /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_i386-sysroot > > > > [324/327] ACTION > > //chrome/installer/linux:unstable_deb(//build/toolchain/linux:clang_x64) > > FAILED: google-chrome-unstable_61.0.3116.0-1_amd64.deb > > python ../../chrome/installer/linux/flock_make_package.py linux_package.lock > > installer/debian/build.sh -o . -b . -a x64 -c unstable -d google_chrome -s > > > /usr/local/google/home/sleevi/development/chromium/src/build/linux/debian_jessie_amd64-sysroot > > dpkg-shlibdeps: warning: binaries to analyze should already be installed in > > their package's directory > > --- > > > /usr/local/google/home/sleevi/development/chromium/src/out/Release/installer/debian/expected_deps_x64_jessie > > 2017-05-30 10:39:58.676873773 -0400 > > +++ actual 2017-05-30 12:50:04.540770526 -0400 > > @@ -12,8 +12,8 @@ > > libgdk-pixbuf2.0-0 (>= 2.22.0) > > libglib2.0-0 (>= 2.28.0) > > libgtk-3-0 (>= 3.3.16) > > -libnspr4 (>= 2:4.12) > > -libnss3 (>= 2:3.26) > > +libnspr4 (>= 2:4.9-2~) > > +libnss3 (>= 2:3.13.4-2~) > > libpango-1.0-0 (>= 1.14.0) > > libpangocairo-1.0-0 (>= 1.14.0) > > libstdc++6 (>= 4.8.1) > > > > ERROR: Shared library dependencies changed! > > If this is intentional, please update: > > chrome/installer/linux/debian/expected_deps_ia32_jessie > > chrome/installer/linux/debian/expected_deps_x64_jessie > > Your checkout should include this https://codereview.chromium.org/2903253005/ > which fixes the manual libnss3 dependency. > > Revert the expected_deps changes and make sure dpkg -I shows the updated > dependency. I've uploaded the rebased version. I'm not sure why the expected_deps change, but I'll give it a go.
The CQ bit was checked by rsleevi@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
On 2017/05/30 18:24:54, Ryan Sleevi wrote: > I've uploaded the rebased version. I'm not sure why the expected_deps change, > but I'll give it a go. OK, dpkg -I looks good (even though the NSS & NSPR versions don't match, I presume that will get sorted out at run-time by the fact that 3.26 requires a newer NSPR?) Can you take a look at things and make sure they look good? rpm -qp [rpm] --requires shows "libnss3.so(NSS_3.28.4)(64bit)" dpkg -I shows "libnss3 (>= 3.26)" in Depends
On 2017/05/30 19:29:15, Ryan Sleevi wrote: > On 2017/05/30 18:24:54, Ryan Sleevi wrote: > > I've uploaded the rebased version. I'm not sure why the expected_deps change, > > but I'll give it a go. > > OK, dpkg -I looks good (even though the NSS & NSPR versions don't match, I > presume that will get sorted out at run-time by the fact that 3.26 requires a > newer NSPR?) > > Can you take a look at things and make sure they look good? > > rpm -qp [rpm] --requires shows "libnss3.so(NSS_3.28.4)(64bit)" > That looks good, as long as it installs. I can test installing the deb and rpm packages if you upload them to drive. > dpkg -I shows "libnss3 (>= 3.26)" in Depends
On 2017/05/30 19:33:08, Tom Anderson wrote: > That looks good, as long as it installs. I can test installing the deb and rpm > packages if you upload them to drive. Shared. Thanks!
On 2017/05/30 19:44:28, Ryan Sleevi wrote: > On 2017/05/30 19:33:08, Tom Anderson wrote: > > That looks good, as long as it installs. I can test installing the deb and > rpm > > packages if you upload them to drive. > > Shared. Thanks! When I try installing the rpm on Fedora 25, I get Error: nothing provides libnss3.so(NSS_3.28.4)(64bit) needed by google-chrome-trunk-61.0.3116.0-1.x86_64
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: android_arm64_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED, https://build.chromium.org/p/tryserver.chromium.android/builders/android_arm6...)
On 2017/05/30 19:46:12, Tom Anderson wrote: > On 2017/05/30 19:44:28, Ryan Sleevi wrote: > > On 2017/05/30 19:33:08, Tom Anderson wrote: > > > That looks good, as long as it installs. I can test installing the deb and > > rpm > > > packages if you upload them to drive. > > > > Shared. Thanks! > > When I try installing the rpm on Fedora 25, I get > Error: nothing provides libnss3.so(NSS_3.28.4)(64bit) needed by > google-chrome-trunk-61.0.3116.0-1.x86_64 Looks like fedora has 3.28.3
On 2017/05/30 19:49:20, Tom Anderson wrote: > Looks like fedora has 3.28.3 I guess I don't understand RPM symbols :) https://apps.fedoraproject.org/packages/nss/updates/ For F24 shows: 3.27.0, 3.28.3, 3.29.3, 3.30.2 For F25 shows: 3.27.0, 3.28.3, 3.29.3, 3.30.2 http://download.opensuse.org/update/leap/42.1/oss/x86_64/ for mozilla-nss shows... well, a complex set of packages :) In particular, I'm not sure how to parse the package name "3.28.3-38" But it sounds like aligning on 3.28.3 is correct for the two RPM packages - does that sound right?
On 2017/05/30 19:57:22, Ryan Sleevi wrote: > On 2017/05/30 19:49:20, Tom Anderson wrote: > > Looks like fedora has 3.28.3 > > I guess I don't understand RPM symbols :) > > https://apps.fedoraproject.org/packages/nss/updates/ > For F24 shows: 3.27.0, 3.28.3, 3.29.3, 3.30.2 > For F25 shows: 3.27.0, 3.28.3, 3.29.3, 3.30.2 > > http://download.opensuse.org/update/leap/42.1/oss/x86_64/ for mozilla-nss > shows... well, a complex set of packages :) > > In particular, I'm not sure how to parse the package name "3.28.3-38" > > But it sounds like aligning on 3.28.3 is correct for the two RPM packages - does > that sound right? I hope so. I can test installing it on the VMs I have (Fedora 25, openSUSE Leap 42.1)
On 2017/05/30 19:57:22, Ryan Sleevi wrote: > On 2017/05/30 19:49:20, Tom Anderson wrote: > > Looks like fedora has 3.28.3 > > I guess I don't understand RPM symbols :) http://rpm.pbone.net/index.php3/stat/4/idpl/36856858/dir/fedora_25/com/nss-3.... might be helpful. See the provides section.
The CQ bit was checked by rsleevi@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Thanks both of you! I've uploaded a new patch set and have a build kicked off (both trybot and locally). I'll try to share RPMs once I get home, if Tom's still open to testing, but I've hopefully got it all this time.
On 2017/05/30 21:16:10, Ryan Sleevi wrote: > Thanks both of you! I've uploaded a new patch set and have a build kicked off > (both trybot and locally). I'll try to share RPMs once I get home please do :) > if Tom's > still open to testing, but I've hopefully got it all this time.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
On 2017/05/30 23:39:49, Tom Anderson wrote: > On 2017/05/30 21:16:10, Ryan Sleevi wrote: > > Thanks both of you! I've uploaded a new patch set and have a build kicked off > > (both trybot and locally). I'll try to share RPMs once I get home > > please do :) Sorry, didn't have CRD setup like I thought. A new RPM has been uploaded in drive with 3.28 as the dep
On 2017/05/31 13:12:03, Ryan Sleevi wrote: > On 2017/05/30 23:39:49, Tom Anderson wrote: > > On 2017/05/30 21:16:10, Ryan Sleevi wrote: > > > Thanks both of you! I've uploaded a new patch set and have a build kicked > off > > > (both trybot and locally). I'll try to share RPMs once I get home > > > > please do :) > > Sorry, didn't have CRD setup like I thought. A new RPM has been uploaded in > drive with 3.28 as the dep I'm still getting a missing dependency, this time on libnss3.so(NSS_3.28) Indeed that is not provided by the nss package: http://rpm.pbone.net/index.php3/stat/4/idpl/36856858/dir/fedora_25/com/nss-3.... (There is libssl at 3.28, however) It looks like it only goes up to 3.22. My openSUSE also shows it only goes up to 3.22.
On 2017/06/05 19:19:48, Tom Anderson wrote: > On 2017/05/31 13:12:03, Ryan Sleevi wrote: > > On 2017/05/30 23:39:49, Tom Anderson wrote: > > > On 2017/05/30 21:16:10, Ryan Sleevi wrote: > > > > Thanks both of you! I've uploaded a new patch set and have a build kicked > > off > > > > (both trybot and locally). I'll try to share RPMs once I get home > > > > > > please do :) > > > > Sorry, didn't have CRD setup like I thought. A new RPM has been uploaded in > > drive with 3.28 as the dep > > I'm still getting a missing dependency, this time on libnss3.so(NSS_3.28) > > Indeed that is not provided by the nss package: > http://rpm.pbone.net/index.php3/stat/4/idpl/36856858/dir/fedora_25/com/nss-3.... > (There is libssl at 3.28, however) > > It looks like it only goes up to 3.22. My openSUSE also shows it only goes up > to 3.22. Ah, I think I know how to fix this. Have a look at the firefox dependencies. http://rpm.pbone.net/index.php3/stat/4/idpl/36928813/dir/fedora_25/com/firefo... They have nss >= 3.30.2 We could probably do nss >= 3.26
On 2017/06/05 19:26:01, Tom Anderson wrote: > On 2017/06/05 19:19:48, Tom Anderson wrote: > > On 2017/05/31 13:12:03, Ryan Sleevi wrote: > > > On 2017/05/30 23:39:49, Tom Anderson wrote: > > > > On 2017/05/30 21:16:10, Ryan Sleevi wrote: > > > > > Thanks both of you! I've uploaded a new patch set and have a build > kicked > > > off > > > > > (both trybot and locally). I'll try to share RPMs once I get home > > > > > > > > please do :) > > > > > > Sorry, didn't have CRD setup like I thought. A new RPM has been uploaded in > > > drive with 3.28 as the dep > > > > I'm still getting a missing dependency, this time on libnss3.so(NSS_3.28) > > > > Indeed that is not provided by the nss package: > > > http://rpm.pbone.net/index.php3/stat/4/idpl/36856858/dir/fedora_25/com/nss-3.... > > (There is libssl at 3.28, however) > > > > It looks like it only goes up to 3.22. My openSUSE also shows it only goes up > > to 3.22. > > Ah, I think I know how to fix this. > > Have a look at the firefox dependencies. > http://rpm.pbone.net/index.php3/stat/4/idpl/36928813/dir/fedora_25/com/firefo... > > They have nss >= 3.30.2 > > We could probably do nss >= 3.26 Nvm, openSUSE doesn't have any packages that provide 'nss'; they have 'mozilla-nss' It could be possible to do 'nss >= 3.26 | mozilla-nss >= 3.26'?
The CQ bit was checked by rsleevi@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from thomasanderson@chromium.org, davidben@chromium.org, thestig@chromium.org Link to the patchset: https://codereview.chromium.org/2721373002/#ps220001 (title: "Update deps")
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
On 2017/06/06 16:48:52, commit-bot: I haz the power wrote: > Try jobs failed on following builders: > linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, > http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...) Anyone know who I should poke to update the GPU bots? :)
On 2017/06/06 17:34:13, Ryan Sleevi wrote: > On 2017/06/06 16:48:52, commit-bot: I haz the power wrote: > > Try jobs failed on following builders: > > linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, > > > http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...) > > Anyone know who I should poke to update the GPU bots? :) I'd file a bug and assign it to johnw@
The CQ bit was checked by rsleevi@chromium.org
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 220001, "attempt_start_ts": 1496940932352670,
"parent_rev": "ec062808c503a34ce0c76ff4332a2287062ba936", "commit_rev":
"b52a2dfadb3158e39a3848d3631a2deffd4b2ac8"}
Message was sent while issue was closed.
Description was changed from ========== Uprev NSS requirement on Linux to 3.26 BUG=691261 ========== to ========== Uprev NSS requirement on Linux to 3.26 BUG=691261 Review-Url: https://codereview.chromium.org/2721373002 Cr-Commit-Position: refs/heads/master@{#478030} Committed: https://chromium.googlesource.com/chromium/src/+/b52a2dfadb3158e39a3848d3631a... ==========
Message was sent while issue was closed.
Committed patchset #12 (id:220001) as https://chromium.googlesource.com/chromium/src/+/b52a2dfadb3158e39a3848d3631a...
Message was sent while issue was closed.
On 2017/06/08 18:28:30, commit-bot: I haz the power wrote: > Committed patchset #12 (id:220001) as > https://chromium.googlesource.com/chromium/src/+/b52a2dfadb3158e39a3848d3631a... Ryan, out of curiosity, can I ask how you tested the installer portion of this patchset?
Message was sent while issue was closed.
On 2017/06/08 22:24:59, michaelpg wrote: > On 2017/06/08 18:28:30, commit-bot: I haz the power wrote: > > Committed patchset #12 (id:220001) as > > > https://chromium.googlesource.com/chromium/src/+/b52a2dfadb3158e39a3848d3631a... > > Ryan, out of curiosity, can I ask how you tested the installer portion of this > patchset? See comments 49 onwards |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
