Nikos Mavrogiannopoulos <nmav@redhat.com> writes:
> There is a run of it at (doesn't seem to compile):
> https://gitlab.com/nmav/nettle/-/jobs/39216682
> (if the intention was to be API compatible that breaks it, but if not, what would be your suggestion in handling that?)
Ouch. The problem is that after preprocessing,
  &nettle_secp_192r1
is replaced by
  &(*nettle_get_secp_192r1())
where nettle_get_secp_192r1 returns a struct ecc_curve *. And that fails since struct ecc_curve is only forward declared, instead of having &* collapse to a nop like it would for a completely declared struct.
Off the top of my head, I think we simply have to delete the
  #define nettle_secp_192r1 (*nettle_get_secp_192r1())
defines, but document the nettle_get_secp_* functions. Currently, the size of this struct is unchanged, but the curve448 changes add a few fields, so we'd have to do an ABI break and soname bump when releasing that.
> I suggest including the attached patches to the CI. The first makes sure that random errors due to installation of fedora packages don't get in the way by using the pre-built images used in gnutls.
To me, it sounds like it should be more robust to depend on fedora/redhat infrastructure rather than gnutls images. But I'm not familiar with yum so I'm not sure how to read the errors, e.g., from https://gitlab.com/gnutls/nettle/-/jobs/39211387:
  $ yum install -y git make autoconf libtool automake gettext-devel glibc-devel gcc valgrind libasan-static libgcc.i686 glibc-devel.i686
  [...]
  Running scriptlet: guile-5:2.0.14-1.fc26.x86_64 107/107
  BDB1539 Build signature doesn't match environment
  failed loading RPMDB
  The downloaded packages were saved in cache until the next successful transaction.
  You can remove cached packages by executing 'dnf clean packages'.
  ERROR: Job failed: exit code 1
Hmm, from previous messages, it also looks like yum is attempting to downgrade certain nss-related packages, is that right? No idea why it decides to do that.
> The second includes the gnutls build in the CI to detect breakages early.
Sounds like an excellent idea, and in this case, it might be more reasonable to depend on gnutls images.
Regards,
/Niels