Closed Bug 1202097 Opened 8 years ago Closed 3 years ago

Cut the build time added by build time PSM certificate generation


(Firefox Build System :: General, defect)

Not set


(Not tracked)



(Reporter: ehsan.akhgari, Unassigned)



I did a full build today:

 1:06.13 /Users/ehsan/moz/src/dom/base/UseCounters.conf: WARNING: no preprocessor directives found
 1:06.14 /Users/ehsan/moz/src/dom/base/UseCounters.conf: WARNING: no preprocessor directives found
 1:06.21 ca.pem
 1:06.22 ca-all-usages.pem
 1:06.22 embeddedNull.pem
 1:06.23 ca-missing-keyCertSign.pem
 1:06.27 embeddedNullCNAndSAN.pem
 1:06.28 ca.pem
 1:06.28 ee-EKU-CA-int-EKU-CA.pem
 1:06.51 ee-EKU-CA-int-EKU-CA_EP.pem
 1:06.51 ca-no-keyUsage-extension.pem
 1:06.51 embeddedNullSAN.pem
 1:06.51 ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem
 1:06.62 embeddedNullSAN2.pem
 1:06.75 ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem
 1:06.75 ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.pem
 1:06.76 ca-rsa.pem
 1:06.76 ca-secp384r1.pem
 1:41.29 int-EKU-OS_TS.pem
 1:41.30 int-EKU-SA.pem
 1:41.30 int-EKU-SA_TS.pem
 1:41.34 int-EKU-TS.pem
 1:47.68 Unified_cpp_memory_mozalloc0.o
 1:47.68 StackWalk.o
 1:47.68 dummy_replace_malloc.o
 1:47.68 TimeStamp.o

That is about 41 *seconds* per build on an 8 core recent MacBook Pro with an SSD.

I have read the goals for doing this in bug 1166976 and I completely agree and support the decision to generate these at build time.  That being said, the amount of time this takes is unacceptable.

Can we please add a --enable-psm-certificate-tests flag turned off by default that would skip building this directory?  We'd obviously turn that flag on by default if MOZ_AUTOMATION.

Flags: needinfo?(dkeeler)
I wouldn't be opposed to a build flag of this sort, although I'm wary of adding an option that disables tests by default (that is, I think the flag should be a default-off, opt-in "--disable-psm-certificate-tests").

That said, I think a better option would be to do what :mt mentioned in the similar bug 1199850 - have the test harness generate the files when needed instead of the build system (or maybe make it configurable, since we don't want to be doing slow things on the b2g emulators).
Flags: needinfo?(dkeeler)
Making the test harness generate these files is a good idea too, but something that is off by default isn't.  My ask here is to not do this work if the developer isn't going to run these tests.
Bug 1227248 stopped doing this for artifact builds.
Product: Core → Firefox Build System

We ended up generating the certificates once (per year...) and checking them in to the tree.

Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.