Hacking NSS: Difference between revisions
Jump to navigation
Jump to search
(fill in the rpm section) |
(updates) |
||
| Line 17: | Line 17: | ||
==== ... using <tt>fedpkg local</tt> and the build machine ==== | ==== ... using <tt>fedpkg local</tt> and the build machine ==== | ||
on the build machine: | |||
$ ./kvm sh build | $ ./kvm sh build | ||
pick somewhere to build (here I'm using /pool aka KVM_POOLDIR, but /testing and /root should all work), then get fedpkg and use that to download: | |||
# cd /pool | |||
# dnf install -y fedpkg | # dnf install -y fedpkg | ||
# fedpkg clone --anonymous nss | # fedpkg clone --anonymous nss | ||
# cd nss | # cd nss | ||
In theory, all that's left is install the dependencies and kick off the build. Unfortunately, not so easy: | In theory, all that's left is install the dependencies and kick off the build. Unfortunately, not so easy: | ||
# disable tests (so --without tests isn't needed) | |||
# fix %[expr] which seems to be new | |||
# tone down optimization | |||
# screw around with compiler flags | |||
# ignore xmlto's exit code | |||
here's a diff: | |||
diff --git a/nss.spec b/nss.spec | |||
index e373644..230f794 100644 | |||
--- a/nss.spec | |||
+++ b/nss.spec | |||
@@ -9,3 +9,3 @@ | |||
# release number between nss and nspr are different. | |||
-%global nspr_release %[%baserelease+2] | |||
+%global nspr_release 3 | |||
# only need to update this as we added new | |||
@@ -19,3 +19,3 @@ | |||
-%bcond_without tests | |||
+%bcond_with tests | |||
%bcond_with dbm | |||
@@ -347,3 +347,3 @@ done | |||
for m in nspr-config.xml; do | |||
- xmlto man ${m} | |||
+ xmlto man ${m} || true | |||
done | |||
@@ -370,7 +370,7 @@ export NSS_FORCE_FIPS=1 | |||
# Enable compiler optimizations and disable debugging code | |||
-export BUILD_OPT=1 | |||
+export BUILD_OPT=0 | |||
-# Uncomment to disable optimizations | |||
-#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` | |||
-#export RPM_OPT_FLAGS | |||
+# Tone down optimization to make debugging more meaningful | |||
+RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O1/g'` | |||
+export RPM_OPT_FLAGS | |||
@@ -386,3 +386,3 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized" | |||
# Similarly, but for gcc-11 | |||
-export XCFLAGS="$XCFLAGS -Wno-array-parameter" | |||
+# export XCFLAGS="$XCFLAGS -Wno-array-parameter" | |||
@@ -528,3 +528,3 @@ done | |||
for m in %{configFiles} %{dbfiles}; do | |||
- xmlto man ${m}.xml | |||
+ xmlto man ${m}.xml || true | |||
done | |||
@@ -552,3 +552,3 @@ export FREEBL_NO_DEPEND=1 | |||
-export BUILD_OPT=1 | |||
+export BUILD_OPT=0 | |||
export NSS_DISABLE_PPC_GHASH=1 | |||
continuing, pull in the dependencies (something better?): | continuing, pull in the dependencies and build (something better?): | ||
# dnf builddep nss | # dnf builddep nss | ||
# fedpkg local --without tests: | # fedpkg local --without tests: | ||
or | (or <tt>fedpkg prep --without tests; fedpkg compile --short-circuit --without tests</tt>). | ||
==== ... using <tt>fedpkg mock</tt> and the Fedora host ==== | ==== ... using <tt>fedpkg mock</tt> and the Fedora host ==== | ||
| Line 48: | Line 89: | ||
fedpkg mockbuild | fedpkg mockbuild | ||
=== | === Making the Custom NSS RPs Stick === | ||
=== Distribute Custom NSS RPMs === | === Distribute Custom NSS RPMs === | ||
For legal reasons, tar up both the .rpm and .srpm files into a single archive and make that available - it forces whoever is using the RPMs to also download the sources. | For legal reasons, tar up both the .rpm and .srpm files into a single archive and make that available - it forces whoever is using the RPMs to also download the sources. | ||
Revision as of 22:48, 26 October 2021
Using NSS from Pluto
use lsw_nss_error*() to report errors
It includes both the error symbol name and the error message (the former is really useful when reading the code^D^D^D^D documentation when tracking down why the error was returned).
Debugging NSS
Linking libreswan against a custom NSS build
Building and Installing a Custom NSS RPMs
Below are notes on building the latest Fedora RPM on the build machine.
Build Custom NSS RPM
... using fedpkg local and the build machine
on the build machine:
$ ./kvm sh build
pick somewhere to build (here I'm using /pool aka KVM_POOLDIR, but /testing and /root should all work), then get fedpkg and use that to download:
# cd /pool # dnf install -y fedpkg # fedpkg clone --anonymous nss # cd nss
In theory, all that's left is install the dependencies and kick off the build. Unfortunately, not so easy:
- disable tests (so --without tests isn't needed)
- fix %[expr] which seems to be new
- tone down optimization
- screw around with compiler flags
- ignore xmlto's exit code
here's a diff:
diff --git a/nss.spec b/nss.spec
index e373644..230f794 100644
--- a/nss.spec
+++ b/nss.spec
@@ -9,3 +9,3 @@
# release number between nss and nspr are different.
-%global nspr_release %[%baserelease+2]
+%global nspr_release 3
# only need to update this as we added new
@@ -19,3 +19,3 @@
-%bcond_without tests
+%bcond_with tests
%bcond_with dbm
@@ -347,3 +347,3 @@ done
for m in nspr-config.xml; do
- xmlto man ${m}
+ xmlto man ${m} || true
done
@@ -370,7 +370,7 @@ export NSS_FORCE_FIPS=1
# Enable compiler optimizations and disable debugging code
-export BUILD_OPT=1
+export BUILD_OPT=0
-# Uncomment to disable optimizations
-#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
-#export RPM_OPT_FLAGS
+# Tone down optimization to make debugging more meaningful
+RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O1/g'`
+export RPM_OPT_FLAGS
@@ -386,3 +386,3 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
# Similarly, but for gcc-11
-export XCFLAGS="$XCFLAGS -Wno-array-parameter"
+# export XCFLAGS="$XCFLAGS -Wno-array-parameter"
@@ -528,3 +528,3 @@ done
for m in %{configFiles} %{dbfiles}; do
- xmlto man ${m}.xml
+ xmlto man ${m}.xml || true
done
@@ -552,3 +552,3 @@ export FREEBL_NO_DEPEND=1
-export BUILD_OPT=1
+export BUILD_OPT=0
export NSS_DISABLE_PPC_GHASH=1
continuing, pull in the dependencies and build (something better?):
# dnf builddep nss # fedpkg local --without tests:
(or fedpkg prep --without tests; fedpkg compile --short-circuit --without tests).
... using fedpkg mock and the Fedora host
Hmm, something goes here!
fedpkg mock-config fedpkg mockbuild
Making the Custom NSS RPs Stick
Distribute Custom NSS RPMs
For legal reasons, tar up both the .rpm and .srpm files into a single archive and make that available - it forces whoever is using the RPMs to also download the sources.