guix: fix suggested fake date for openssl-1.1.1l

[Sjors]

Using 2020-10-01 as the fake timestamp will cause many test failures with /gnu/store/bfirgq65ndhf63nn4q6vlkbha9zd931q-openssl-1.1.1l.drv. I didn't investigate why, but I guess because it's before the test certificates were created. They expired in June 2022. I tried a month before that, which worked.

Also fixes layout of instructions.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	maflcko, achow101

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

[Sjors]

cc @dongcarl

[laanwj]

Changing the system date is a terrible workaround in any case imo. Is there really no other way?

[Sjors]

@laanwj I believe newer versions of OpenSSL have more robust tests, but we don't want to bump our Guix Time Machine commit just for that.

[dongcarl]

If I remember correctly, I think that you can likely just patch OpenSSL here since it's not a package that is "core" to Guix like GnuTLS was?

[Sjors]

I wrote:

we don't want to bump our Guix Time Machine commit just for that.

Actually our Time Machine commit is much more recent than I thought. Will defer to @dongcarl.

[maflcko]

we don't want to bump our Guix Time Machine commit just for that.

Actually our Time Machine commit is much more recent than I thought.

I presume openssl is used in the bootstrap chain, to bootstrap older software, so it probably can never be removed in a time machine bump?

[maflcko]

If I remember correctly, I think that you can likely just patch OpenSSL here since it's not a package that is "core" to Guix like GnuTLS was?

Yes, this is workaround 3, added in fad444f.

"Workaround 3: Disable the tests in the Guix source code for this single derivation"

[Sjors]

Disable the tests in the Guix source code for this single derivation

We already have that recommendation, but I think it's better to offer an alternative. "Don't worry about tests not passing" is something I prefer to only do when I really understand how everything works, which I don't.

[luke-jr]

Is it possible to use a UTS namespace to spoof the clock just for the build?

[maflcko]

review ACK 8fee535

I didn't test, but suggesting a data should be harmless, even if it is wrong.

[maflcko]

While touching, it may be better to not use numbers. If someone can't figure out the order, they likely have other problems.

[maflcko]

Longer term it would be nicer (or at least something to explore) to patch the packages in the dependency tree to build with a fixed version of openssl, or without openssl, or not build those packages at all.

[fanquake]

Can someone confirm if this change is actually still relevant to master? Looking at #30231, after that point, we should only be building OpenSSL 3.x (rather than 3.x & 1.x), in which case, we should be able to remove any instructions about OpenSSL 1.x entirely (a patch could be opened against one of the release branches, where we might still be building 1.x, if relevant). I'm currently doing a no substitutes build to check.

[maflcko]

Ah nice, I forgot about 30231.

[fanquake]

Can someone confirm if this change is actually still relevant to master?

For all HOSTS except x86_64-w64-mingw32, we currently only build openSSL 3.x. For Windows, via NSIS, we currently depends on Python2 (nsis-x86_64 -> scons-python2 -> python2@2.7.18). This leads to an (indirect) dependency on OpenSSL 1.x and 3.x..

I think the next steps here are to fix NSIS, to use a more recent version of scons (and python3).
Note that Python 3 (since ~3.7) has a hard dependency on OpenSSL (for urllib).

[fanquake]

I think the next steps here are to fix NSIS, to use a more recent version of scons (and python3).

Landed a patch upstream to fix this https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d428237642e1e4ac8fda4597205ffec89926c0ec.

[Sjors]

Would be quite nice to get rid of openssl-1.1.1 entirely. If the upstream is merged and adopted here, I might nuke my Guix setup to try it.

[fanquake]

See #30609.

[Sjors]

I partially wiped guix on my (AMD) Ubuntu 24.04 system (sudo rm -rf /root/.cache/guix /var/guix /gnu/store).

$ which guix
/usr/local/bin/guix
$ guix --version
guix (GNU Guix) 1.4.0
$ sudo --login guix pull --commit=efc26826400762207cde9f23802cfe75a737963c

This fails at /gnu/store/bfirgq65ndhf63nn4q6vlkbha9zd931q-openssl-1.1.1l.drv.

After the #30609 bump to --commit=7bf1d7aeaffba15c4f680f93ae88fbef25427252 it still tries to build this OpenSSL version.

So even though Bitcoin Core doesn't need it anymore, Guix itself still does. Unless I did something wrong, which is entirely possible.

[maflcko]

So even though Bitcoin Core doesn't need it anymore, Guix itself still does

Would be nice to report this upstream, so that openssl-1.1.1l can be removed, but I guess the removal may not be trivial

[Sjors]

This has been open for a few years, but no recent activity: https://issues.guix.gnu.org/56137

[Sjors]

Once openssl-1 stuff is gone, we can drop the GnuTLS workaround instructions along with it.

It had a similar problem in 3.6.12, but has been updated to 3.7.2. That was included in the Guix 1.4.0 release in late 2022.

(or I could reword the GnuTLS workaround text to refer to openssl 1)

[maflcko]

I presume this will be fixed in guix 1.5, but someone claimed if it isn't already fixed, then it is a bug, see https://mail.gnu.org/archive/html/bug-guix/2023-09/msg00112.html

[Sjors]

Interesting, I haven't tried deleting .cache/guix/checkouts as suggested in that thread.

I'm going to wait for guix pull to finish, then take a look at guix graph --type=reverse-package openssl-1.1.1l (reverse-bag?)

[maflcko]

There is a good chance that a guix pull will build the current guix first, and then the pulled one, and the reply I linked to is just a wrong guess, but I am not a guix dev, and I don't know if that'd be a bug.

However, if the build isn't fixed with 1.5, then it should be a bug, last time I checked.

[Sjors]

That makes sense. I might test that by rebuilding /usr/local/bin/guix from source on a recent master commit, and then try guix pull again. Then we can drop the workaround instruction after 1.5 is released.

[Sjors]

@maflcko you theory might somewhat right.

When my /usr/local/bin/guix was at 0.4.0 the first thing it wanted to build was guile-3.0.7.

Now that I built the most recent master commit, it starts out building guile-3.0.9.

However under --list-generations I'm only seeing the version I pulled, not the one I built from source. I then did a guix pull on that commit, which ended up building a few more derivations.

So perhaps it's only building guile or some other code component? cc @theuni

---

Anyway, I think we should merge the instructions in this PR - and then get rid of this whole timestamp workaround section once 1.5.0 is out.

[achow101]

ACK 8fee535

Going to merge this while we figure out whether openssl 1.x is still required.