Gentoo Forums
dev-libs/nss-pem?

Princess Nell
l33t
Joined: 15 Apr 2005
Posts: 805

Posted: Sun Sep 06, 2020 4:38 pm    Post subject: dev-libs/nss-pem?

I have an ebuild from an overlay that tries to sync with github and fails. With GIT_CURL_VERBOSE=1, I get:
Code:

* Couldn't find host github.com in the .netrc file; using defaults
*   Trying 140.82.121.4:443...
* Connected to github.com (140.82.121.4) port 443 (#0)
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* Closing connection 0

The solution is to install dev-libs/nss-pem. There are two issues here: which ebuild fails to include the required dependency? I'm guessing curl; version 7.72.0 is installed. The other is, both ebuilds for nss-pem are masked.

My portage tree is about two days old, so this could have been fixed in the meantime, will check later.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 15809

Posted: Sun Sep 06, 2020 6:35 pm

Generally, ebuilds should not be accessing the Internet, except during the fetch phase, which Portage should handle on its own. The problem you showed may apply only when using CURL_SSL=nss, which is not the default. I don't see a mask on either version of nss-pem, although both versions are keyworded as unstable.

What ebuild and overlay is this, and what is the ebuild doing running curl?

Princess Nell
l33t
Joined: 15 Apr 2005
Posts: 805

Posted: Sun Sep 06, 2020 10:11 pm

palemoon from the palemoon overlay. The ebuild uses the git-r3 eclass and git runs during emerge. It is my understanding that git uses curl internally for https access. My version of curl is built with default USE flags, that's without nss.

Wrt nss-pem, I call this "masked by keyword" :)

Hu
Moderator
Joined: 06 Mar 2007
Posts: 15809

Posted: Sun Sep 06, 2020 10:43 pm

That sounds very reasonable. What is the output of emerge --verbose --info dev-vcs/git net-misc/curl?

Princess Nell
l33t
Joined: 15 Apr 2005
Posts: 805

Posted: Mon Sep 07, 2020 8:28 pm

https://dpaste.com/98SA7MDQ7

Ionen
Veteran
Joined: 06 Dec 2018
Posts: 1091

Posted: Tue Sep 08, 2020 3:05 am

I did a few quick tests regarding this, given another user had the issue on IRC.

Works without nss-pem installed (still gives a nss-pem warning):
Code:
CURL_SSL=nss USE="nss -openssl" emerge -1 curl

Broken if nss-pem isn't installed but works if it is (happens regardless of USE=nss):
Code:
CURL_SSL=nss USE=openssl emerge -1 curl

So the solution I believe will work would be to pick one of the following:
- don't set CURL_SSL, don't set curl USEs, let defaults do their thing (recommended unless really need to use nss backend)
- add USE="nss -openssl" to curl (won't be able to fallback to openssl but seems to work without nss-pem)
- as already known, temporarily install nss-pem manually, maybe it'll become a normal stabilized dependency later
- temporarily downgrade to =curl-7.71.1 and wait for gentoo to fix it (but <7.72 have known vulnerabilities so that's not a very good choice).

Edit: 7.72.0(stable) and 7.71.1-r1(non-stable) ebuilds use a new method to set backends and was still semi-experimental, but 7.72 got stabilized anyway due to above mentioned security concerns.

jarro_2783
n00b
Joined: 08 Jun 2008
Posts: 29

Posted: Wed Sep 16, 2020 11:22 pm

I have this from an autounmask, so it seems like gnome wants curl with nss.

Code:

# required by net-libs/liboauth-1.0.3-r1::gentoo[nss,curl]
# required by media-libs/grilo-0.3.12::gentoo[gtk]
# required by media-video/totem-3.34.1::gentoo
# required by gnome-base/gnome-core-apps-3.34.4::gentoo
# required by gnome-base/gnome-3.34.4::gentoo
# required by gnome (argument)
>=net-misc/curl-7.71.1 curl_ssl_nss -curl_ssl_openssl


It also seems like all versions of nss-pem are keyword masked, and curl doesn't bring it in, so there seems to be a problem there.

This is also not limited to curl fetching packages, but just using curl at all:
Code:

curl https://github.com -v
*   Trying 13.236.229.21:443...
* Connected to github.com (13.236.229.21) port 443 (#0)
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)
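
The traces posted in this thread can be told apart mechanically. The following is an added example, not posted by any participant: a shell helper that reads `curl -v` or `GIT_CURL_VERBOSE=1` output and separates the fatal case (libnsspem.so missing, connection closed or error 77) from the warning-only case reported above. It assumes that a successful handshake is logged with a line containing `SSL connection using`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify curl/git verbose TLS output.

# Print the TLS backend named on the first line of `curl --version` (stdin).
ssl_backend() {
    awk 'NR == 1 {
        for (i = 1; i < NF; i++)
            if ($i ~ /^libcurl\//) { split($(i + 1), a, "/"); print a[1]; exit }
    }'
}

# Read `curl -v` or GIT_CURL_VERBOSE output on stdin and print one verdict.
# Assumption: a completed handshake shows up as "SSL connection using ...".
diagnose_log() {
    awk '
        /Initializing NSS/               { nss = 1 }
        /failed to load NSS PEM library/ { pem_missing = 1 }
        /CAfile:/                        { sub(/.*CAfile: */, ""); cafile = $0 }
        /SSL connection using/           { handshake = 1 }
        /Closing connection/             { closed = 1 }
        /^curl: \(77\)/                  { err77 = 1 }
        END {
            if (!nss)              print "not-nss"
            else if (!pem_missing) print "nss-ok"
            else if (err77 || (closed && !handshake))
                print "nss-pem-missing: cannot read " cafile
            else                   print "nss-pem-warning-only"
        }'
}

# Constructed sample: the failing trace quoted in the thread.
sample_fail() {
    cat <<'EOF'
* Connected to github.com (13.236.229.21) port 443 (#0)
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)
EOF
}

sample_fail | diagnose_log
```

Feed it live output with `curl -sv https://github.com 2>&1 | diagnose_log`, or pipe `curl --version` into `ssl_backend` to see which backend the installed curl was built with.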

Hu
Moderator
Joined: 06 Mar 2007
Posts: 15809

Posted: Thu Sep 17, 2020 12:47 am

jarro_2783 wrote:
I have this from an autounmask, so it seems like gnome wants curl with nss.
Code:

# required by net-libs/liboauth-1.0.3-r1::gentoo[nss,curl]

Yes, but only if you configure liboauth to want nss. According to the ebuild dependency data, if you unset USE=nss on liboauth, then you will not need to USE=nss for curl.

Ionen
Veteran
Joined: 06 Dec 2018
Posts: 1091

Posted: Thu Sep 17, 2020 5:34 am

The dependency looks wrong for current curl ebuild too, believe it should be asking for USE=nss on curl, not changing the default implementation through curl_ssl_nss (at this point CURL_SSL is more like a personal setting, it doesn't control what is made available for deps to use).