GNU bug report logs - #70022
[PATCH 0/2] Binary Installation: Add more distros.


Package: guix-patches;

Reported by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

Date: Tue, 26 Mar 2024 23:47:02 UTC

Severity: normal

Tags: patch



Report forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Tue, 26 Mar 2024 23:47:03 GMT)

Acknowledgement sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 26 Mar 2024 23:47:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: guix-patches <at> gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH 0/2] Binary Installation: Add more distros.
Date: Wed, 27 Mar 2024 00:45:39 +0100
Hi, this patchset documents the status of Guix packages in Trisquel and
Parabola that I also both use.

For Trisquel the guix package probably comes from some upstream
distribution.

For Parabola, the package comes from AUR, the Arch Linux User repository,
which is a community repository for Arch Linux where anyone can
contribute/maintain packages. I added that package in Parabola, and the
guix-installer package was made from scratch by me.

As for the list of distributions that have Guix packages, we can find more at
https://repology.org/project/guix/versions but unfortunately I'm not familiar
enough with the other ones (like Nix/NixOS, Alpine, etc) yet to confidently
add instructions to install the guix package.

More distros having guix packages can be found at:

Denis 'GNUtoo' Carikli (2):
  doc: Binary Installation: mention Trisquel package.
  doc: Binary Installation: add Parabola packages.

 doc/guix.texi | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)


base-commit: c3f15443bc6d457758aad1326dcc6dcad9cf8d6e
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Wed, 27 Mar 2024 00:18:02 GMT)

Message #8 received at 70022 <at> debbugs.gnu.org:

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: 70022 <at> debbugs.gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH 1/2] doc: Binary Installation: mention Trisquel package.
Date: Wed, 27 Mar 2024 01:17:16 +0100
* doc/guix.texi (Binary Installation): also mention Trisquel package.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Change-Id: Iae6f77de43de2c6f387b99a10dcae5b9d82aaee1
---
 doc/guix.texi | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ddd98a5fd4..61245025a0 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -758,9 +758,10 @@ Binary Installation
 ./guix-install.sh
 @end example
 
-If you're running Debian or a derivative such as Ubuntu, you can instead
-install the package (it might be a version older than @value{VERSION}
-but you can update it afterwards by running @samp{guix pull}):
+If you're running Debian or a derivative such as Ubuntu or Trisquel, you
+can instead install the package (it might be a version older than
+@value{VERSION} but you can update it afterwards by running @samp{guix
+pull}):
 
 @example
 sudo apt install guix
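Review bot: the added Trisquel mention asserts that `sudo apt install guix` works there, but the cover letter only says the Trisquel package "probably comes from some upstream distribution"; before documenting it, confirm the package is actually in Trisquel's repositories and which Guix version it ships, since a stale packaged daemon is the security concern raised later in this thread. Minor: `@samp{guix` / `pull}` is now split across a line break; Texinfo renders that fine, but keeping the command on one line keeps it greppable.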
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Wed, 27 Mar 2024 00:18:02 GMT)

Message #11 received at 70022 <at> debbugs.gnu.org:

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: 70022 <at> debbugs.gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH 2/2] doc: Binary Installation: add Parabola packages.
Date: Wed, 27 Mar 2024 01:17:17 +0100
* doc/guix.texi (Binary Installation): add Parabola packages.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Change-Id: Id646152c54de0a958740314b09fdcf6af898e22e
---
 doc/guix.texi | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 61245025a0..9c68352cb0 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -773,6 +773,19 @@ Binary Installation
 sudo zypper install guix
 @end example
 
+And if you're running Parabola, after enabling the pcr (Parabola
+Community Repo) repository, you can install Guix with:
+@example
+sudo pacman -S guix
+@end example
+
+The script to install Guix is also packaged in Parabola (in the pcr
+repository). You can install and run it with:
+@example
+sudo pacman -S guix-installer
+sudo guix-install.sh
+@end example
+
 When you're done, @pxref{Application Setup} for extra configuration you
 might need, and @ref{Getting Started} for your first steps!
 @end quotation
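Review bot: the second paragraph documents `guix-installer`, a package that ships the Guix project's own installation script, but it is inserted into the list of distro packages right before the closing "When you're done" paragraph, so a reader cannot tell whether `sudo guix-install.sh` gives them the Guix from the Parabola package or a separately downloaded one. Place that paragraph next to the manual's own `guix-install.sh` instructions and say which path is responsible for daemon security updates, since the distro-package path and the script path differ in that respect (Message #14 in this thread makes exactly that distinction). Also, a blank line before each `@example` would match the formatting of the neighbouring distro examples.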
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Wed, 27 Mar 2024 16:11:03 GMT)

Message #14 received at 70022 <at> debbugs.gnu.org:

From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Cc: 70022 <at> debbugs.gnu.org
Subject: Re: [bug#70022] [PATCH 0/2] Binary Installation: Add more distros.
Date: Wed, 27 Mar 2024 17:09:51 +0100
Hi Denis.  This is in principle a great improvement, however note that
recently (4th March or so) a local privilege escalation vulnerability in
guix-daemon was discovered
<https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/>
and many distros have not fixed it yet, such as AUR and therefore your
Parabola pcr package or Debian’s long-term releases, which Debian’s guix
packager complained about
<https://security-tracker.debian.org/tracker/CVE-2024-27297>.

Perhaps we should think about how and where we can also instruct users
to upgrade their daemon in a timely manner.  This will be different for
guix packages (that configure a vulnerable daemon systemd service) and
for guix-install (where it is enough to follow the guix pull news file,
if the admin actually uses guix pull themself and can see the news).

Otherwise LGTM.

Regards,
Florian




Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Thu, 04 Apr 2024 22:45:02 GMT)

Message #17 received at 70022 <at> debbugs.gnu.org:

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: 70022 <at> debbugs.gnu.org
Subject: Re: [PATCH 0/2] Binary Installation: Add more distros
Date: Fri, 5 Apr 2024 00:44:24 +0200
Hi,

About the local privilege escalation, are there any hints on how to fix
it beside updating guix with 'guix pull'?

For instance were there distributions that somehow backported the
patch, in order not to have a security issue when you do 'apt install
guix' or pacman -S guix for instance?

I'm asking because while I'm not the AUR maintainer of the 'guix'
package, I know PKGBUILDs well enough to be able to send a patch if I
find the time (and also update the Parabola package along the way).

Denis.

Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Fri, 05 Apr 2024 15:24:01 GMT)

Message #20 received at 70022 <at> debbugs.gnu.org:

From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Cc: 70022 <at> debbugs.gnu.org
Subject: Re: [bug#70022] [PATCH 0/2] Binary Installation: Add more distros
Date: Fri, 05 Apr 2024 17:23:25 +0200
Hello Denis,

Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org> writes:
> Hi,
>
> About the local privilege escalation, are there any hints on how to fix
> it beside updating guix with 'guix pull'?

Thinking more about it, I guess the Binary Installation documentation
should inform that one can install from distribution packages or from
guix-install.sh, depending on who should be responsible for security
updates.

> For instance were there distributions that somehow backported the
> patch, in order not to have a security issue when you do 'apt install
> guix' or pacman -S guix for instance?
>
> I'm asking because while I'm not the AUR maintainer of the 'guix'
> package, I know PKGBUILDs well enough to be able to send a patch if I
> find the time (and also update the Parabola package along the way).

Thank you for your offer.  Following hyperlinks from
<https://security-tracker.debian.org/tracker/CVE-2024-27297>, I find on
<https://udd.debian.org/patches.cgi?src=guix&version=1.4.0-6> security
patches that Vagrant cherry-picked from the Guix commits that address
the vulnerability.  Similar to how Guix often takes patches from Debian,
you could take the patches from Guix too or indirectly from Debian.

Regards,
Florian




Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Fri, 12 Apr 2024 12:02:02 GMT)

Message #23 received at 70022 <at> debbugs.gnu.org:

From: Florian Pelz <pelzflorian <at> pelzflorian.de>
To: 70022 <at> debbugs.gnu.org
Cc: Florian Pelz <pelzflorian <at> pelzflorian.de>
Subject: [PATCH v2 1/3] doc: Warn about foreign distro Guix packages' security.
Date: Fri, 12 Apr 2024 14:00:03 +0200
* doc/guix.texi (Binary Installation): Prefix installation instructions
with a warning.

Change-Id: I088c7f00f4c3c8e32bdfd117ea934942930f7513
---
 doc/guix.texi | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5827e0de14..341e463add 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -741,6 +741,13 @@ Binary Installation
 may be older than @value{VERSION} but you can update it afterwards by
 running @samp{guix pull}.
 
+In the past, occasionally, security vulnerabilities in
+@command{guix-daemon} have been discovered and fixes for them have not
+yet been provided in foreign distribution’s packages.  We advise those
+who install Guix, both from the installation script or by distro
+packages, to also regularly read and follow security notices, as shown
+by @command{guix pull}.
+
 For Debian or a derivative such as Ubuntu, call:
 
 @example
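Review bot: "foreign distribution’s packages" should be the plural genitive "foreign distributions' packages", and "both from the installation script or by distro packages" mixes "both ... or"; suggest "whether from the installation script or from distro packages". The substantive gap is that telling readers to follow notices "as shown by @command{guix pull}" does not help someone running a distro-packaged daemon: as Message #14 in this thread notes, the distro package configures the daemon service, and @command{guix pull} does not replace it, so the paragraph should say that in that case the fix has to come from the distribution's package update.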

base-commit: 4e7337536ba41e888a601c92fada8a4adca9d2c6
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Fri, 12 Apr 2024 12:02:03 GMT)

Message #26 received at 70022 <at> debbugs.gnu.org:

From: Florian Pelz <pelzflorian <at> pelzflorian.de>
To: 70022 <at> debbugs.gnu.org
Cc: Florian Pelz <pelzflorian <at> pelzflorian.de>,
 Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH v2 2/3] doc: Binary Installation: Mention Trisquel package.
Date: Fri, 12 Apr 2024 14:00:04 +0200
From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

* doc/guix.texi (Binary Installation): Also mention Trisquel package.

Change-Id: Iae6f77de43de2c6f387b99a10dcae5b9d82aaee1
Signed-off-by: Florian Pelz <pelzflorian <at> pelzflorian.de>
---
 doc/guix.texi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 341e463add..28b0917bb3 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -126,6 +126,7 @@
 Copyright @copyright{} 2023 Tomas Volf@*
 Copyright @copyright{} 2024 Herman Rimm@*
 Copyright @copyright{} 2024 Matthew Trzcinski@*
+Copyright @copyright{} 2024 Denis 'GNUtoo' Carikli@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -748,7 +749,7 @@ Binary Installation
 packages, to also regularly read and follow security notices, as shown
 by @command{guix pull}.
 
-For Debian or a derivative such as Ubuntu, call:
+For Debian or a derivative such as Ubuntu or Trisquel, call:
 
 @example
 sudo apt install guix
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Fri, 12 Apr 2024 12:02:03 GMT)

Message #29 received at 70022 <at> debbugs.gnu.org:

From: Florian Pelz <pelzflorian <at> pelzflorian.de>
To: 70022 <at> debbugs.gnu.org
Cc: Florian Pelz <pelzflorian <at> pelzflorian.de>,
 Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH v2 3/3] doc: Binary Installation: Add Parabola packages.
Date: Fri, 12 Apr 2024 14:00:05 +0200
From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

* doc/guix.texi (Binary Installation): Add Parabola packages.

Co-authored by: Florian Pelz <pelzflorian <at> pelzflorian.de>
Change-Id: Id646152c54de0a958740314b09fdcf6af898e22e
Signed-off-by: Florian Pelz <pelzflorian <at> pelzflorian.de>
---
 doc/guix.texi | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 28b0917bb3..434940744d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -761,6 +761,12 @@ Binary Installation
 sudo zypper install guix
 @end example
 
+And if you're running Parabola, after enabling the pcr (Parabola
+Community Repo) repository, you can install Guix with:
+@example
+sudo pacman -S guix
+@end example
+
 The Guix project also provides a shell script, @file{guix-install.sh},
 which automates the binary installation process without use of a foreign
 distro package
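Review bot: the Parabola paragraph says only that `pcr` must be enabled; since this thread notes that the AUR-derived package lagged on the guix-daemon fix, it would help to say that `pcr` is a community repository whose Guix package is maintained independently of Guix releases, so the security warning at the top of this section applies to it in particular. Also, a blank line before `@example` would match the neighbouring distro examples (compare the Debian one just above).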
@@ -786,6 +792,13 @@ Binary Installation
 # ./guix-install.sh
 @end example
 
+The script to install Guix is also packaged in Parabola (in the pcr
+repository). You can install and run it with:
+@example
+sudo pacman -S guix-installer
+sudo guix-install.sh
+@end example
+
 @quotation Note
 By default, @file{guix-install.sh} will configure Guix to download
 pre-built package binaries, called @dfn{substitutes}
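Review bot: the `guix-installer` paragraph lands between the `# ./guix-install.sh` example and the `@quotation Note` that explains what @file{guix-install.sh} does by default, so the note now reads as if it applied specifically to the Parabola package rather than to the script in general; move the paragraph after the note, or before the `# ./guix-install.sh` example. The prompt convention also differs: the manual shows `# ./guix-install.sh` (root prompt) while the new text uses `sudo guix-install.sh`; pick one.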
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Sat, 13 Apr 2024 07:24:01 GMT)

Message #32 received at 70022 <at> debbugs.gnu.org:

From: Florian Pelz <pelzflorian <at> pelzflorian.de>
To: 70022 <at> debbugs.gnu.org
Cc: Florian Pelz <pelzflorian <at> pelzflorian.de>
Subject: [PATCH v3 1/3] doc: Warn about foreign distro Guix packages' security.
Date: Sat, 13 Apr 2024 09:18:50 +0200
* doc/guix.texi (Binary Installation): Prefix installation instructions
with a warning.

Change-Id: I088c7f00f4c3c8e32bdfd117ea934942930f7513
---
 doc/guix.texi | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5efbd00984..f6bbed1de3 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -741,6 +741,13 @@ Binary Installation
 may be older than @value{VERSION} but you can update it afterwards by
 running @samp{guix pull}.
 
+In the past, lately, security vulnerabilities in @command{guix-daemon}
+have been discovered and fixes for them have not yet been provided in
+foreign distributions' packages.  We advise those who install Guix,
+both from the installation script or by distro packages, to also
+regularly read and follow security notices, as shown by @command{guix
+pull}.
+
 For Debian or a derivative such as Ubuntu, call:
 
 @example
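Review bot: "In the past, lately," reads as contradictory ("in the past" versus "lately"); "Recently," alone says what is meant. "both from the installation script or by distro packages" is still "both ... or"; "whether from the installation script or from distro packages" fixes it.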

base-commit: 15a523ea213065c275e4852673cbb27c72c0ad87
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Sat, 13 Apr 2024 07:25:02 GMT)

Message #35 received at 70022 <at> debbugs.gnu.org:

From: Florian Pelz <pelzflorian <at> pelzflorian.de>
To: 70022 <at> debbugs.gnu.org
Cc: Florian Pelz <pelzflorian <at> pelzflorian.de>,
 Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH v3 2/3] doc: Binary Installation: Mention Trisquel package.
Date: Sat, 13 Apr 2024 09:18:51 +0200
From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

* doc/guix.texi (Binary Installation): Also mention Trisquel package.

Change-Id: Iae6f77de43de2c6f387b99a10dcae5b9d82aaee1
Signed-off-by: Florian Pelz <pelzflorian <at> pelzflorian.de>
---
 doc/guix.texi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index f6bbed1de3..dd62d77d36 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -126,6 +126,7 @@
 Copyright @copyright{} 2023 Tomas Volf@*
 Copyright @copyright{} 2024 Herman Rimm@*
 Copyright @copyright{} 2024 Matthew Trzcinski@*
+Copyright @copyright{} 2024 Denis 'GNUtoo' Carikli@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -748,7 +749,7 @@ Binary Installation
 regularly read and follow security notices, as shown by @command{guix
 pull}.
 
-For Debian or a derivative such as Ubuntu, call:
+For Debian or a derivative such as Ubuntu or Trisquel, call:
 
 @example
 sudo apt install guix
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70022; Package guix-patches. (Sat, 13 Apr 2024 07:25:03 GMT)

Message #38 received at 70022 <at> debbugs.gnu.org:

From: Florian Pelz <pelzflorian <at> pelzflorian.de>
To: 70022 <at> debbugs.gnu.org
Cc: Florian Pelz <pelzflorian <at> pelzflorian.de>,
 Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH v3 3/3] doc: Binary Installation: Add Parabola packages.
Date: Sat, 13 Apr 2024 09:18:52 +0200
From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

* doc/guix.texi (Binary Installation): Add Parabola packages.

Co-authored by: Florian Pelz <pelzflorian <at> pelzflorian.de>
Change-Id: Id646152c54de0a958740314b09fdcf6af898e22e
Signed-off-by: Florian Pelz <pelzflorian <at> pelzflorian.de>
---
 doc/guix.texi | 13 +++++++++++++
 1 file changed, 13 insertions(+)

Changes since v2 in patch 1:
 * Reworded 'occasionaly' to 'lately'.
 * Fixed genitive ending 'distributions' packages'
No changes in Denis' original patches 2 and 3.


diff --git a/doc/guix.texi b/doc/guix.texi
index dd62d77d36..0ca1d1ba90 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -761,6 +761,12 @@ Binary Installation
 sudo zypper install guix
 @end example
 
+And if you're running Parabola, after enabling the pcr (Parabola
+Community Repo) repository, you can install Guix with:
+@example
+sudo pacman -S guix
+@end example
+
 The Guix project also provides a shell script, @file{guix-install.sh},
 which automates the binary installation process without use of a foreign
 distro package
@@ -786,6 +792,13 @@ Binary Installation
 # ./guix-install.sh
 @end example
 
+The script to install Guix is also packaged in Parabola (in the pcr
+repository). You can install and run it with:
+@example
+sudo pacman -S guix-installer
+sudo guix-install.sh
+@end example
+
 @quotation Note
 By default, @file{guix-install.sh} will configure Guix to download
 pre-built package binaries, called @dfn{substitutes}
-- 
2.41.0




