Hi, Christopher Baines skribis: > I found this when trying to build guile3.0-gnutls: > > guix time-machine --commit=94585fffb23079fe71110e2bf99782eb4ccfa12b -- build --no-grafts --check guile3.0-gnutls > > > FAIL: status-request-revoked > ============================ > > trying NORMAL:-VERS-ALL:+VERS-TLS1.2 > received status request > received status request > cert_verify_callback:263: certificate verify status doesn't match: 100402 != 22FAIL status-request-revoked (exit status: 1) This was fixed upstream between 3.6.12 and 3.6.14 with this patch by Bernhard (it’s a small world!): --8<---------------cut here---------------start------------->8--- commit ed208fe55f31478732fd6cc394f9576b315a42cd Author: Bernhard M. Wiedemann Date: Sun Apr 5 15:09:57 2020 +0200 tests: Fix status-request-revoked after 2020-10-24 included certs expire 2020-10-24 so this test fails after that date. Fixes #967 This patch was done while working on reproducible builds for openSUSE. Signed-off-by: Bernhard M. Wiedemann --8<---------------cut here---------------end--------------->8--- The question for us becomes how to ensure long-term reproducibility in the presence of such bugs. In this case, I think the only solution would be to change the system clock when one rebuilds GnuTLS (or to use ‘--without-tests=gnutls’, but you end up with different derivations, which is not necessarily desirable). Thoughts? Ludo’.