Bug 1347336 - decouple nss-pem from the nss package
Summary: decouple nss-pem from the nss package
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 23
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1346806
Blocks:
Reported: 2016-06-16 14:33 UTC by Kamil Dudka
Modified: 2016-11-30 09:11 UTC (History)

Fixed In Version: nss-3.25.0-1.2.fc24 nss-3.25.0-1.2.fc23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-18 00:51:00 UTC
Type: Bug
Embargoed:


Attachments
[PATCH] decouple nss-pem from the nss package (6.75 KB, patch)
2016-06-16 14:35 UTC, Kamil Dudka
dist-git commit for f24 (10.29 KB, patch)
2016-07-20 11:24 UTC, Kamil Dudka
dist-git commits for f23 (11.43 KB, patch)
2016-07-20 11:25 UTC, Kamil Dudka

Description Kamil Dudka 2016-06-16 14:33:28 UTC
I have created a standalone nss-pem package in Fedora, which makes it possible (and necessary) to remove the bundled nss-pem library from the nss package.  Please consider applying the attached patch on the rawhide branch of nss.

Comment 1 Kamil Dudka 2016-06-16 14:35:25 UTC
Created attachment 1168757 [details]
[PATCH] decouple nss-pem from the nss package

Comment 3 Kai Engert (:kaie) (inactive account) 2016-06-28 10:43:38 UTC
Did everything work fine? Then we should proceed to clean up the (now) unnecessary files.

Comment 4 Kamil Dudka 2016-06-28 11:24:33 UTC
(In reply to Kai Engert (:kaie) from comment #3)
> Did everything work fine?

I am not aware of any issues so far.

> Then we should proceed to cleanup the (now) unnecessary files.

Yes, please remove them.  We can always get them from the git repository in case they appear to be needed later on.

Are you open to making the transition also in the released versions of Fedora?

I guess that nss is going to be rebased there anyway.  The only issue is that we need to cooperate more on the update:

1) Modify the Conflicts tag in nss-pem.spec to match the first version-release of nss that does not bundle nss-pem.

2) Submit the update for nss and nss-pem together in one batch (to preserve atomicity of the update).

Comment 5 Kai Engert (:kaie) (inactive account) 2016-06-28 11:42:20 UTC
(In reply to Kamil Dudka from comment #4)
> Are you open to make the transition also in the released versions of Fedora?

I'm open, but it would be nice to do it in smaller steps.

We could do Fedora 25 immediately,
and also do it for Fedora 24 together with a rebase to NSS 3.25.

Maybe we should wait until the Fedora 24 update has been shipped as stable, prior to updating anything that's older?

Comment 6 Kai Engert (:kaie) (inactive account) 2016-06-28 12:04:58 UTC
Your patch changes this line:
  %setup -q -T -D -n %{name}-%{version} -a 12

and removes the "-a 12".

However, I think this line must be removed completely. After removing nss-pem*.tar we only have one source archive left.

Comment 7 Kai Engert (:kaie) (inactive account) 2016-06-28 12:13:44 UTC
Elio:

(a) please "git rm nss-pem-unitialized-vars.path"

(b) please remove the following obsolete line 
    from the %prep section of nss.spec:
       %setup -q -T -D -n %{name}-%{version}

Comment 8 Kai Engert (:kaie) (inactive account) 2016-06-28 12:17:42 UTC
(In reply to Kai Engert (:kaie) from comment #7)
> Elio:
> 
> (a) please "git rm nss-pem-unitialized-vars.path"
> 
> (b) please remove the following obsolete line 
>     from the %prep section of nss.spec:
>        %setup -q -T -D -n %{name}-%{version}

This request was for the "master branch", the only branch where we already have applied this decoupling.

Comment 9 Kai Engert (:kaie) (inactive account) 2016-06-28 12:18:15 UTC
Kamil, I see that Elio has already started rebasing the various Fedora branches to NSS 3.25.

I suggest that we wait until Elio is done with the rebase task, to avoid risk for confusion and mistakes.

Comment 10 Kamil Dudka 2016-06-28 12:19:00 UTC
(In reply to Kai Engert (:kaie) from comment #5)
> We could do Fedora 25 immediately,

Fedora 25 is already done ;-)

> and also do it for Fedora 24 together with a rebase to NSS 3.25.
> 
> Maybe we should wait until the Fedora 24 update has been shipped as stable,
> prior to updating anything that's older?

Sounds good.  I have reopened this bug to track the progress.  Just let me know once you are ready to include it and I will prepare a build of nss-pem for the update.

Comment 11 Kamil Dudka 2016-06-28 12:24:08 UTC
(In reply to Kai Engert (:kaie) from comment #6)
> Your patch changes this line:
>   %setup -q -T -D -n %{name}-%{version} -a 12
> 
> and removes the "-a 12".
> 
> However, I think this line must be removed completely.

True.  The whole line can be removed (though it is harmless).

Comment 12 Elio Maldonado Batiz 2016-06-28 14:05:35 UTC
(In reply to Kai Engert (:kaie) from comment #7)
> Elio:
> 
> (a) please "git rm nss-pem-unitialized-vars.path"
> 
> (b) please remove the following obsolete line 
>     from the %prep section of nss.spec:
>        %setup -q -T -D -n %{name}-%{version}

Yes, they will be gone in the next build, and I will also remove this obsolete comment:
# link pem against buildroot's freebl, essential when mixing and matching

Comment 13 Kai Engert (:kaie) (inactive account) 2016-07-01 12:33:22 UTC
Kamil, it has been suggested to limit this change to Fedora 24 and newer, in order to avoid the workload of maintaining older branches.

Is this acceptable to you?

Comment 14 Kamil Dudka 2016-07-07 07:56:49 UTC
As discussed off Bugzilla, Elio is fine with pushing this change also to f23.  It will ease fixing nss-pem bugs in the future, especially for nss maintainers.

Comment 15 Kai Engert (:kaie) (inactive account) 2016-07-19 14:29:51 UTC
Hello Kamil, the F24 and F23 updates are ready, so it seems we're ready to proceed.

Would you like to prepare the F24 update, first?

Kamil, are you still willing to make the patch for the nss.rpm package?
(Or does comment 14 mean that you want Elio to do that work?)

Comment 16 Kamil Dudka 2016-07-20 10:36:55 UTC
Sure.  I will prepare the nss-pem builds and the related nss commits shortly.

Comment 17 Kamil Dudka 2016-07-20 11:24:45 UTC
Created attachment 1182056 [details]
dist-git commit for f24

Please use 'git am'.

Comment 18 Kamil Dudka 2016-07-20 11:25:19 UTC
Created attachment 1182057 [details]
dist-git commits for f23

Please use 'git am'.

Comment 19 Kamil Dudka 2016-07-20 11:28:09 UTC
I have prepared builds of f24/f23 nss-pem with the correct Conflicts tag:

http://koji.fedoraproject.org/koji/buildinfo?buildID=784114
http://koji.fedoraproject.org/koji/buildinfo?buildID=784115

Please make sure that nss and nss-pem go out in a single update batch in Bodhi.

Comment 20 Kamil Dudka 2016-07-20 11:31:34 UTC
Please include the Fedora review bug for nss-pem (bug #1346806) in the updates, so that it is closed automatically by Bodhi when it becomes stable.

Comment 21 Kai Engert (:kaie) (inactive account) 2016-07-20 11:37:02 UTC
Kamil, thanks for the patches. I propose we do Fedora 24 first, and see how it goes, and only after it's stable proceed with Fedora 23. This will give us testing with stable users, and this timing will avoid trouble with users upgrading from f23 to f24.

Can we request in bodhi that a single update is used for both nss and nss-pem packages? (To ensure that the timing for both will be identical.)

What about packages that use the pem library as of today, and get it automatically, because we always install nss.rpm?

How do we ensure that users upgrading to the nss-without-pem will also get the nss-pem package automatically?

For example, does curl have a dependency on the pem library, that will cause the system to fetch the new nss-pem package automatically?

We should ensure and test that works, prior to going to updates-testing.

Comment 22 Kai Engert (:kaie) (inactive account) 2016-07-20 11:38:16 UTC
Added Hubert to CC, please see my concerns from comment 21, in case you have any comments on that. Thanks!

Comment 23 Kamil Dudka 2016-07-20 12:17:30 UTC
(In reply to Kai Engert (:kaie) from comment #21)
> Kamil, thanks for the patches. I propose we do Fedora 24 first, and see how
> it goes, and only after it's stable proceed with Fedora 23. This will give
> us testing with stable users, and this timing will avoid trouble with users
> upgrading from f23 to f24.

The updates are prepared such that there is clean f23 -> f24 update path.  You only need to make sure that the f24 update is pushed sooner than the f23 one.  However, you need to do that anyway because of the nss rebase.

If you want to postpone resolution of this bug in f23, I am fine with that.  Just let me know when you are ready.  I will rebase the f23 commits as needed.

> Can we request in bodhi that a single update is used for both nss and
> nss-pem packages? (To ensure that the timing for both will be identical.)

Sure.  That is what comment #19 intended to say :-)  It should be as easy as adding both builds to a single update submission.  If any special privilege is needed for it, I can ask a fellow proven packager to help with the submission.

> What about packages that use the pem library as of today, and get it
> automatically, because we always install nss.rpm?
> 
> How do we ensure that users upgrading to the nss-without-pem will also get
> the nss-pem package automatically?

That is exactly what the 'Requires: nss-pem' is for.  See the comment above the line in nss.spec.  It is already proven to work in Fedora rawhide.

> For example, does curl have a dependency on the pem library,

Not yet.  But there is a long term plan to require nss-pem explicitly by rpm packages that use it.  The above mentioned comment should explain it already.

> that will cause the system to fetch the new nss-pem package automatically?

Just the update of nss will do the job.  No change to curl is required atm.

> We should ensure and test that works, prior to going to updates-testing.

I would not submit the patches without testing them first ;-)

Comment 24 Kai Engert (:kaie) (inactive account) 2016-07-20 12:31:15 UTC
(In reply to Kamil Dudka from comment #23)
> > What about packages that use the pem library as of today, and get it
> > automatically, because we always install nss.rpm?
> > 
> > How do we ensure that users upgrading to the nss-without-pem will also get
> > the nss-pem package automatically?
> 
> That is exactly what the 'Requires: nss-pem' is for.  See the comment above
> the line in nss.spec.  It is already proven to work in Fedora rawhide.

Thank you, that's the detail that I missed.

So NSS always requires nss-pem, and therefore it's ensured that it's always installed. Good.
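
The dependency question settled in comments 21 to 24 can be verified on an updated host from two rpm queries. The following script is an added example, not part of the bug report or of the Fedora packaging; the function names are hypothetical, the sample rpm output is constructed, and the library path in the last comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): check the nss / nss-pem split
# from the text output of two rpm queries. Sample outputs are constructed.

# Does `rpm -q --requires nss` output list nss-pem (plain or arch-qualified)?
requires_has_pem() {
    printf '%s\n' "$1" | grep -Eq '^nss-pem(\(|[[:space:]]|$)'
}

# split_status REQUIRES_TEXT OWNER_TEXT
#   REQUIRES_TEXT: output of `rpm -q --requires nss`
#   OWNER_TEXT:    output of `rpm -qf <path of libnsspem.so>`
# Prints: ok | still-bundled | library-missing | no-requires
split_status() {
    if printf '%s\n' "$2" | grep -Eq '^nss-[0-9]'; then
        echo still-bundled        # nss itself still ships the library
    elif ! printf '%s\n' "$2" | grep -Eq '^nss-pem-[0-9]'; then
        echo library-missing      # no nss-pem package owns the file
    elif ! requires_has_pem "$1"; then
        echo no-requires          # present now, but nss would not pull it in
    else
        echo ok
    fi
}

# Constructed sample outputs (nss and nss-pem versions as named in this bug).
REQ_SPLIT='libc.so.6()(64bit)
nss-pem(x86-64)
nss-util >= 3.25.0'
REQ_OLD='libc.so.6()(64bit)
nss-util >= 3.25.0'
OWNER_SPLIT='nss-pem-1.0.2-2.fc24.x86_64'
OWNER_OLD='nss-3.25.0-1.1.fc24.x86_64'   # hypothetical pre-split build
OWNER_NONE='file /usr/lib64/libnsspem.so is not owned by any package'

split_status "$REQ_SPLIT" "$OWNER_SPLIT"
split_status "$REQ_OLD"   "$OWNER_OLD"
split_status "$REQ_SPLIT" "$OWNER_NONE"

# On a live system (library path is an assumption; adjust for your arch):
# split_status "$(rpm -q --requires nss)" "$(rpm -qf /usr/lib64/libnsspem.so)"
```

A `still-bundled` result alongside an installed nss-pem is the file overlap that the Conflicts tag from comment 4 is meant to rule out.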

Comment 25 Kai Engert (:kaie) (inactive account) 2016-07-21 08:07:07 UTC
Kamil, thank you for the patches.

I've built NSS with your patch for Fedora 24, the build is here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=14957982

I've tried to submit an update, but it was rejected, because I don't have commit access to nss-pem.

Can you submit the update?

I have used the following information:

builds:
- nss-pem-1.0.2-2.fc24 
- nss-3.25.0-1.2.fc24 

bugs:
- 1347336
- 1346806

update notes:
This update moves the library libnsspem.so, which was previously shipped as part of the nss package, to a new package nss-pem.

type: newpackage
close bugs on stable

I wonder if we should ask for a bit more testing than usual.
Should we rely on auto-request stable, or should we confirm stable manually?

If auto-stable, maybe require stable karma of 5 ?

Please review the above and submit the update yourself, or alternatively, if you want me to submit the update, you could give me the necessary nss-pem commit access (up to you, but I probably won't work on nss-pem).

Thanks

Comment 26 Kai Engert (:kaie) (inactive account) 2016-07-21 08:08:14 UTC
Assigning the bug to Kamil, because he's doing all the hard work.
I'm just helping with trivial tasks.

Comment 27 Fedora Update System 2016-07-21 08:23:33 UTC
nss-pem-1.0.2-2.fc24 nss-3.25.0-1.2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5ac25856f0

Comment 28 Fedora Update System 2016-07-21 18:52:33 UTC
nss-3.25.0-1.2.fc24, nss-pem-1.0.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5ac25856f0

Comment 29 Fedora Update System 2016-07-24 20:20:13 UTC
nss-3.25.0-1.2.fc24, nss-pem-1.0.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Kamil Dudka 2016-07-27 11:18:50 UTC
The f24 update seems to be stable.  Please let me know when you are ready to submit the update for f23.

Comment 31 Fedora Update System 2016-08-01 20:21:13 UTC
nss-3.25.0-1.2.fc23 nss-pem-1.0.2-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-87e128568d

Comment 32 Fedora Update System 2016-08-02 21:52:40 UTC
nss-3.25.0-1.2.fc23, nss-pem-1.0.2-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-87e128568d

Comment 33 Fedora Update System 2016-08-18 00:50:53 UTC
nss-3.25.0-1.2.fc23, nss-pem-1.0.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

