On Mon, Apr 27, 2020 at 5:54 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Sat, Apr 25, 2020 at 1:21 PM Justin Forbes <jmforbes@xxxxxxxxxxx> wrote:
> > On Sat, Apr 25, 2020 at 10:21 AM Daiki Ueno <ueno@xxxxxxxxxxxxxxxxx> wrote:
> > >
> > > Hello Ondrej,
> > >
> > > Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
> > >
> > > > On Fri, Apr 24, 2020 at 11:12 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > > >> On Fri, Apr 24, 2020 at 8:50 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > > >> > On Wed, Apr 22, 2020 at 10:12 AM Daiki Ueno <ueno@xxxxxxxxxxxxxxxxx> wrote:
> > > >> > > Hello,
> > > >> > >
> > > >> > > I am not sure if this deserves a Fedora Change proposal, so I'd like to
> > > >> > > hear any opinions first before proceeding with the process.
> > > >> > >
> > > >> > > NSS (the crypto library used by Firefox) historically supports 2
> > > >> > > database formats: SQLite and DBM. The latter is considered legacy and
> > > >> > > we switched the default database format to SQLite in F28[1]. Since then
> > > >> > > I presume most of the applications have switched to the new format.
> > > >> > > Therefore we are planning to phase out the support of DBM, targeting
> > > >> > > F33+.
> > > >> > >
> > > >> > > Please let me know if there is any concern.
> > > >> >
> > > >> > It seems this broke the kernel build. I did some scratch build today
> > > >> > to test some patches, but it failed with this:
> > > >> >
> > > >> > + /usr/bin/pesign -c 'Red Hat Test Certificate' --certdir
> > > >> > /etc/pki/pesign-rh-test -i arch/x86/boot/bzImage -o vmlinuz.signed -s
> > > >> > pesign: Could not initialize nss.
> > > >> > NSS says "The certificate/key database is in an old, unsupported
> > > >> > format."
> > > >> > errno says "No such file or directory"
> > > >> > error: Bad exit status from /var/tmp/rpm-tmp.YKqoK0 (%build)
> > > >> > RPM build errors:
> > > >> > Bad exit status from /var/tmp/rpm-tmp.YKqoK0 (%build)
> > > >> > Child return code was: 1
> > > >>
> > > >> Probably related: https://github.com/rhboot/pesign/issues/34
> > > >
> > > > I filed a bug against pesign here:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1827902
> > >
> > > Good catch, and thank you for filing the bug. For the meantime I
> > > reverted the DBM disablement to unblock the kernel package build:
> > > https://src.fedoraproject.org/rpms/nss/c/fc0174ead16bac476cce55fb2918fbfd9b448023?branch=master
> > >
> >
> > Thanks for that, I know they were working on a fix for pesign on
> > Friday, but I am not sure what their timeframe is.
>
> I hit this over the weekend, does anyone have a workaround?

The NSS change has been reverted, so kernel builds should work now
(worked for me this morning [CEST]).

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
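
In the build log quoted above, NSS rejected the database under the pesign certdir as being in an old format. As an added example (not code from this thread, NSS or pesign), the shell functions below classify NSS database directories by their on-disk files so DBM-only ones can be found before DBM support goes away. The file names cert8.db/key3.db (DBM) and cert9.db/key4.db (SQLite) are NSS's standard names and are not stated in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit NSS database directories for the legacy DBM format.
# Assumed NSS file names (not given in the thread):
#   DBM:    cert8.db, key3.db    SQLite: cert9.db, key4.db

# is_sqlite FILE: true if FILE exists and starts with the SQLite 3 header.
is_sqlite() {
    [ -f "$1" ] && [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# nss_db_format DIR: prints one of: sql, dbm, both, none.
# A cert9.db/key4.db pair only counts if both files are real SQLite files.
nss_db_format() {
    dir=$1 has_dbm=0 has_sql=0
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && has_dbm=1
    is_sqlite "$dir/cert9.db" && is_sqlite "$dir/key4.db" && has_sql=1
    case "$has_dbm$has_sql" in
        11) echo both ;;
        10) echo dbm ;;
        01) echo sql ;;
        *)  echo none ;;
    esac
}

# audit_certdirs DIR...: prints "<format><TAB><dir>" for each directory and
# returns 1 if any directory is DBM-only, i.e. has no SQLite database for
# an NSS build without DBM support to open.
audit_certdirs() {
    rc=0
    for d in "$@"; do
        fmt=$(nss_db_format "$d")
        printf '%s\t%s\n' "$fmt" "$d"
        [ "$fmt" = dbm ] && rc=1
    done
    return $rc
}

# Stand-alone use: pass the certdirs to check as arguments.
if [ "$#" -gt 0 ]; then
    audit_certdirs "$@"
fi
```

Run it with the certdirs used by signing steps in a build as arguments; a non-zero exit status means at least one of them holds only a DBM database.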