Package: guix;
Reported by: Mark H Weaver <mhw <at> netris.org>
Date: Sun, 14 Mar 2021 21:39:02 UTC
Severity: normal
Tags: security
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org:
From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: security patching of 'patch' package
Date: Sun, 14 Mar 2021 17:37:25 -0400
I'm forwarding this to bug-guix <at> gnu.org so that it won't be forgotten.

      Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: guix-devel <at> gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs that other distros like Debian have patched. Here's the list reported by 'guix lint -c cve patch':

patch <at> 2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952

Can I use the latest commit from master to build 'patch' then graft the original package? i.e. https://git.savannah.gnu.org/git/patch.git

There's not that many commits since the last release, but lots of time: https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
-------------------- End of forwarded message --------------------
Message #10 received at 47144 <at> debbugs.gnu.org:
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47144 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Mon, 15 Mar 2021 19:26:04 +0100
I tried something: using the patch git repo's master instead of release tarballs. I am not sure the git repo contains all the fixes; we could alternatively just pull patches from Debian.

This attempt does not work yet, however; it fails on some gnulib source file not being found for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

This file seems to be generated by YACC from earlier log.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2
Message #13 received at 47144 <at> debbugs.gnu.org:
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47144 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Mon, 15 Mar 2021 19:26:05 +0100
* gnu/packages/base.scm (patch/fixed): New variable. (patch)[replacement]: Graft. --- gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 9aa69cfe77..a71b47ac4f 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -46,12 +46,14 @@ #:use-module (gnu packages compression) #:use-module (gnu packages perl) #:use-module (gnu packages linux) + #:use-module (gnu packages autotools) #:use-module (gnu packages pcre) #:use-module (gnu packages texinfo) #:use-module (gnu packages hurd) #:use-module (gnu packages pkg-config) #:use-module (gnu packages python) #:use-module (gnu packages gettext) + #:use-module (gnu packages version-control) #:use-module (guix i18n) #:use-module (guix utils) #:use-module (guix packages) @@ -228,6 +230,7 @@ standard utility.") (base32 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) (patches (search-patches "patch-hurd-path-max.patch")))) + (replacement patch/fixed) (build-system gnu-build-system) (arguments ;; Work around a cross-compilation bug whereby libpatch.a would provide 
@@ -246,6 +249,42 @@ differences.") (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38")) + (package/inherit patch + (name "patch") + (version "2.7.6") + ;; (version (string-append "2.7.6-" (string-take commit 7))) + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit) + (recursive? #t))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + `(modify-phases ,phases + (replace 'bootstrap + (lambda* (#:key inputs #:allow-other-keys) + (substitute* (list "gnulib/gnulib-tool" + "gnulib/build-aux/git-version-gen") + (("/bin/sh") (which "sh"))) + (invoke "bash" "bootstrap" "--no-git" + "--gnulib-srcdir=gnulib") + #t)))))) + (native-inputs + `(("autoconf" ,autoconf) + ("automake" ,automake) + ("git" ,git-minimal) + ,@(package-native-inputs patch)))))) + (define-public diffutils (package (name "diffutils") -- 2.30.2
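Review bot: the `(replacement patch/fixed)` hunk in `define-public patch` turns every build of `patch` into a graft, yet the cover letter says `patch/fixed` does not build yet (`gcc: error: parse-datetime.c: No such file or directory`); a replacement that fails to build breaks `guix build patch` for every user, so this one-line hunk should only land together with a `patch/fixed` that builds, and the commit message should state which of the CVEs listed in the bug report the chosen commit 7623b2d actually addresses.

Review bot: in the `patch/fixed` hunk, the missing `parse-datetime.c` is a generated file (the cover letter notes it is produced by YACC), so `bison` is missing from `native-inputs` next to `autoconf`, `automake` and `git-minimal`; `bootstrap --no-git --gnulib-srcdir=gnulib` cannot produce it without a yacc. Replace the commented-out `;; (version (string-append "2.7.6-" (string-take commit 7)))` with a comment explaining that the version must stay "2.7.6" because a graft's replacement has to keep the same store file name length as the original, and note next to `(recursive? #t)` that the `sha256` covers the gnulib submodule checkout as well, so it changes whenever patch.git moves that submodule. The `(name "patch")` field repeats the value already inherited through `package/inherit` and can be dropped.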
Message #16 received at submit <at> debbugs.gnu.org:
From: Ludovic Courtès <ludo <at> gnu.org>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org>
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Thu, 18 Mar 2021 22:58:56 +0100
Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> skribis:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is usually a build-time only dependency. (Maybe we can tell it’s not vulnerable to the issues at hand because in that context it’s always given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.
Message #24 received at 47144 <at> debbugs.gnu.org:
From: Leo Famulari <leo <at> famulari.name>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: security patching of 'patch' package
Date: Wed, 14 Apr 2021 17:54:28 -0400
On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch <at> 2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
> CVE-2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix patches from patch.git. Unfortunately, the patches largely don't apply to the most recent release of patch.

Since there is no release fixing these bugs, and no clear advice about which patches to apply, I'm going to stop working on this for now.
Message #29 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: lle-bout <at> zaclys.net, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: security patching of 'patch' package
Date: Tue, 22 Mar 2022 23:03:47 -0400
Hi,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> skribis:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency. (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.

The latest release of patch is the one we have, v2.7.6, made 4 years ago.

Thanks,

Maxim
Message #32 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Leo Famulari <leo <at> famulari.name>
Subject: [PATCH 1/3] gnu: ucd: Update to 15.1.0.
Date: Thu, 30 May 2024 22:59:19 -0400
* gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: eb4dc1b9ae3779419b047e2f4c7b5879353956a6 -- 2.41.0
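Review bot: the `ucd` hunk only bumps `version` and the `base32` hash, and the commit message gives no reason for the bump inside a series whose subject is `patch` security fixes; since the gnulib update that follows regenerates Unicode tables from UCD files (it adds `BidiMirroring.txt` to `find-ucd-files`), say so in the message, so the two updates are not split, reordered or reverted independently.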
Message #35 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Leo Famulari <leo <at> famulari.name>
Subject: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
Date: Thu, 30 May 2024 22:59:20 -0400
Also fix the gnulib-tool command, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0f1ab6669a..5759b508cf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1391,6 +1391,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm 
@@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim <at> flashner.co.il> ;;; Copyright © 2021 qblade <qblade <at> protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli <at> incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) @@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ 
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) @@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" 
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.41.0
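Review bot: in the `modify-phases` hunk of `build-tools.scm`, the new comment says the installed commands "should be wrapper for proper execution", but no wrapping step is added anywhere in this patch, and the `patch-source-shebangs`, `patch-generated-file-shebangs`, `patch-usr-bin-file` and `restore-shebangs` phases are all removed, so `bin/gnulib-tool`, `bin/gnulib-tool.sh` and `bin/gnulib-tool.py` from the `#:install-plan` hunk land with their upstream shebangs untouched. Either add a phase that patches or wraps just those three files, or reword the comment ("wrappers") to state that the commands run with whatever `/bin/sh` and `python3` the user has on PATH.

Review bot: the `sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\` line in the `substitute*` hunk splits a regexp across a backslash-newline inside a Scheme string; Guile joins the two lines and drops the leading whitespace of the second, so `|sc_omitted_at)` is appended as intended, but a reader may take the `\` for part of the pattern. Keep the alternation on one line, or build it with `string-append`, so the disabled rule names stay greppable.

Review bot: in `gnulib-bootstrap.patch`, the `build-aux/bootstrap` hunk checks `command -v gnulib-tool` first, so any `gnulib-tool` on PATH takes precedence over `$GNULIB_SRCDIR/gnulib-tool` even when the project pins gnulib as a submodule at a different commit; the generated sources then depend on what happens to be on PATH rather than on the pinned checkout. Consider trying `$GNULIB_SRCDIR/gnulib-tool` first and PATH last, or at least echoing which tool was selected, and quote the path in `elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool` as the first `test -x "$gnulib_tool"` does. The `gnulib-tool.sh` hunk makes `GNULIB_SRCDIR` override the script's own location in `func_gnulib_dir`; document that in the comment above the function so the precedence is visible to the next reader.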
Message #38 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Leo Famulari <leo <at> famulari.name>
Subject: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Thu, 30 May 2024 22:59:21 -0400
* gnu/packages/base.scm (patch/fixed): New variable. (patch) [replacement]: Graft with the above. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw <at> netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- gnu/packages/base.scm | 44 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..8dcbf4b087 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout <at> zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv <at> posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex <at> twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias <at> protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev <at> jpoiret.xyz> @@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) @@ -263,6 +265,7 @@ (define-public tar (define-public patch (package + (replacement patch/fixed) (name "patch") (version "2.7.6") (source (origin 
@@ -291,6 +294,45 @@ (define-public patch (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")) + (package + (inherit patch) + (name "patch") + (version (git-version "2.7.6" revision commit)) + (source (origin + (inherit (package-source patch)) + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'update-bootstrap-script + (lambda* (#:key native-inputs inputs #:allow-other-keys) + (copy-file (search-input-file + (or native-inputs inputs) + "src/gnulib/build-aux/bootstrap") + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed gnulib))))) + (define-public diffutils (package (name "diffutils") -- 2.41.0
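Review bot: in the `patch/fixed` hunk, `(version (git-version "2.7.6" revision commit))` gives the replacement the store name `patch-2.7.6-0.f144b35` while the original is `patch-2.7.6`; a graft requires the replacement's output path to have the same length as the original's, so this replacement is rejected at graft time. Keep the inherited `version` and mention the commit only in the comment above the `let`. Separately, `(native-inputs (list autoconf automake bison ed gnulib))` replaces rather than extends the inherited native-inputs; if the base package lists anything besides `ed`, write it as `(modify-inputs (package-native-inputs patch) (prepend autoconf automake bison gnulib))` so later changes to the base package are not silently dropped from the graft.

Review bot: the `patch-configure.ac` phase prefixes `build-aux/git-version-gen` with `sh` to avoid its `#!/bin/sh` shebang, but a `git-fetch` checkout carries no `.git` directory, so the script has no git metadata to derive a version from and falls back to `.tarball-version` or a placeholder; confirm what `patch --version` reports for the grafted build, and if it is a placeholder, write `.tarball-version` containing the inherited version in the `update-bootstrap-script` phase before `bootstrap` runs.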
Message #41 received at 47144 <at> debbugs.gnu.org:
From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, 47144 <at> debbugs.gnu.org
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Fri, 31 May 2024 18:13:00 +0200
Hi Maxim,

On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> wrote:

> +    (source (origin
> +              (inherit (package-source patch))
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url "https://git.savannah.gnu.org/git/patch.git")
> +                    (commit commit)))
> +              (file-name (git-file-name name version))
> +              (sha256
> +               (base32
> +                "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))

If I read correctly, (package-source patch) reads:

--8<---------------cut here---------------start------------->8---
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/patch/patch-"
                                 version ".tar.xz"))
             (sha256
              (base32
               "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
             (patches (search-patches "patch-hurd-path-max.patch"))))
--8<---------------cut here---------------end--------------->8---

Therefore the only thing that is copied is the ’patches’ field. Right?

I think it would ease the readability to avoid ’inherit’ and plainly write ’patches’.

Cheers,
simon
Message #44 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Leo Famulari <leo <at> famulari.name>, Vivien Kraus <vivien <at> planete-kraus.eu>, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Fri, 31 May 2024 21:49:31 -0400
Hi Simon,

Simon Tournier <zimon.toutoune <at> gmail.com> writes:

> Hi Maxim,
>
> On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> wrote:
>
>> +    (source (origin
>> +              (inherit (package-source patch))
>> +              (method git-fetch)
>> +              (uri (git-reference
>> +                    (url "https://git.savannah.gnu.org/git/patch.git")
>> +                    (commit commit)))
>> +              (file-name (git-file-name name version))
>> +              (sha256
>> +               (base32
>> +                "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
>
> If I read correctly, (package-source patch) reads:
>
>     (source (origin
>              (method url-fetch)
>              (uri (string-append "mirror://gnu/patch/patch-"
>                                  version ".tar.xz"))
>              (sha256
>               (base32
>                "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
>              (patches (search-patches "patch-hurd-path-max.patch"))))
>
> Therefore the only thing that is copied is the ’patches’ field. Right?
>
> I think it would ease the readability to avoid ’inherit’ and plainly
> write ’patches’.

I preferred inheritance to avoid having to manually sync things in the long run... (hopefully the graft gets ungrafted before 'patch' amasses new patches, but we never know...)

-- 
Thanks,
Maxim
Message #47 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Leo Famulari <leo <at> famulari.name>
Subject: Re: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Sat, 01 Jun 2024 07:34:29 -0400
Hi,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch) [replacement]: Graft with the above.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw <at> netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

[...]

> (define-public patch
>   (package
> +    (replacement patch/fixed)
>     (name "patch")
>     (version "2.7.6")
>     (source (origin
> @@ -291,6 +294,45 @@ (define-public patch
>     (license gpl3+)
>     (home-page "https://savannah.gnu.org/projects/patch/")))
>
> +(define patch/fixed
> +  ;; The latest release is from 2018, and lacks multiple security related
> +  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
> +  ;; until a proper release is made.
> +  (let ((revision "0")
> +        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
> +    (package
> +      (inherit patch)
> +      (name "patch")
> +      (version (git-version "2.7.6" revision commit))

I just realized that since this is for grafting purposes, I shouldn't touch the version field (they need to match in length...). Will send a v2.

-- 
Thanks,
Maxim
Message #50 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Leo Famulari <leo <at> famulari.name>
Subject: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0.
Date: Sat, 1 Jun 2024 08:56:47 -0400
* gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- (no changes since v1) gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0 -- 2.41.0
Message #53 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Leo Famulari <leo <at> famulari.name>
Subject: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
Date: Sat, 1 Jun 2024 08:56:48 -0400
Also fix the commands, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- (no changes since v1) gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6934d5ccc7..b369127194 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1393,6 +1393,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm 
@@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim <at> flashner.co.il> ;;; Copyright © 2021 qblade <qblade <at> protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli <at> incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) @@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ 
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) @@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" 
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.41.0
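Review bot: the comment added with the three `delete` phases says the installed commands "should be wrapper for proper execution", but no hunk in this patch wraps `bin/gnulib-tool`, `bin/gnulib-tool.sh` or `bin/gnulib-tool.py`: with `patch-source-shebangs` and `patch-generated-file-shebangs` gone they are installed with their upstream shebangs, and the `(list bash-minimal)) ;shebang for gnulib-tool` input no longer does what its comment claims. Either add a `wrap-program` step for the three commands in `bin/` (leaving `src/gnulib` pristine, as intended) or drop the input and fix the comment; in any case "wrapper" should read "wrappers".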
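Review bot: `disable-failing-tests` now switches off ten more `sc_*` checks (`sc_error_message_warn_fatal` through `sc_unsigned_short`, plus `sc_check_config_h_reminder` and `sc_prohibit_sc_omitted_at` via the `substitute*` rewrites) without a word on why each fails in this environment. They are gnulib's maintainer syntax checks, so skipping them is harmless for the built package, but a short comment per group (style-only checks versus checks that need git or a network) would let the next updater try to re-enable them instead of growing the list blindly.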
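Review bot: in `autogen`, the new lookup puts whatever `gnulib-tool` comes first on `PATH` ahead of `$GNULIB_SRCDIR/gnulib-tool`, even when the developer set `GNULIB_SRCDIR` on purpose to pin a gnulib revision: a distro-packaged or stale `gnulib-tool` earlier on `PATH` then silently takes over, and its version need not match the modules under `$GNULIB_SRCDIR`. For the Guix layout it is enough to check `$GNULIB_SRCDIR/gnulib-tool` first when `GNULIB_SRCDIR` is set, then `$GNULIB_SRCDIR/../../bin/gnulib-tool`, and consult `PATH` only as a last resort. Two smaller points: `elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool` and the assignment below it should quote the path the way `test -x "$gnulib_tool"` above them does, and if `GNULIB_SRCDIR` can still be empty at this point that `elif` degenerates to testing `/../../bin/gnulib-tool`, i.e. `/bin/gnulib-tool`.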
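Review bot: in `func_gnulib_dir`, `gnulib_dir=$GNULIB_SRCDIR` is taken on trust: nothing checks that the directory exists or holds a gnulib tree before the rest of the script uses it, so a typo in the variable sends module lookups to an arbitrary path. A `test -d "$GNULIB_SRCDIR/modules"` (with `func_fatal_error` on failure) would catch that. Note also that when the variable is unset the fallback still derives `gnulib_dir` from the script's own location, which for the copies the new `install-plan` entries place under `bin/` is `$out/bin`, not `src/gnulib`; so the installed `gnulib-tool.sh` only finds its modules when `GNULIB_SRCDIR` is exported, which is one more reason to make the installed commands wrappers that set it.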
ludo <at> gnu.org, bug-guix <at> gnu.org: bug#47144; Package guix. (Sat, 01 Jun 2024 12:59:03 GMT)
Message #56 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Leo Famulari <leo <at> famulari.name>
Subject: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Sat, 1 Jun 2024 08:56:49 -0400
* gnu/packages/base.scm (patch/fixed): New variable. (patch) [replacement]: Graft with the above. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw <at> netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- Changes in v2: - Use same version to have the same store length, a graft requirement - Copy the gnulib source in a phase to avoid introducing a dependency cycle gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..45dbf77817 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout <at> zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv <at> posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex <at> twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias <at> protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev <at> jpoiret.xyz> @@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) @@ -263,6 +265,7 @@ (define-public tar (define-public patch (package + (replacement patch/fixed) (name "patch") (version "2.7.6") (source (origin 
@@ -291,6 +294,53 @@ (define-public patch (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")) + (package + (inherit patch) + (name "patch") + ;; TODO: Uncomment when ungrafting. + ;;(version (git-version "2.7.6" revision commit)) + (source (origin + (inherit (package-source patch)) + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + ;; TODO: Uncomment when ungrafting and using the above + ;; 'git-version'-computed version. + ;;(file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'copy-gnulib-sources + (lambda _ + ;; XXX: We copy the source instead of using 'gnulib' as a + ;; native input to avoid introducing a dependency cycle with. + (copy-recursively #+gnulib "gnulib") + (setenv "GNULIB_SRCDIR" + (string-append (getcwd) "/gnulib/src/gnulib")))) + (add-after 'copy-gnulib-sources 'update-bootstrap-script + (lambda _ + (copy-file "gnulib/src/gnulib/build-aux/bootstrap" + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed))))) + (define-public diffutils (package (name "diffutils") -- 2.41.0
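Review bot: in `patch/fixed`, `(inherit (package-source patch))` combined with `git-fetch` carries every field of the 2.7.6 release origin (its `patches`, and a `snippet` or `modules` if it has them) onto a git checkout of a different tree, and a reader has to go look at `patch` to know what actually gets applied; spelling the origin out with the fields wanted makes the graft reviewable on its own. The `file-name` TODO also means the checkout is stored under the hash alone, which is hard to recognise in `/gnu/store` for as long as this stays grafted.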
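Review bot: `patch-configure.ac` only prefixes `build-aux/git-version-gen` with `sh `, but from what is visible nothing feeds that script: the `git-fetch` checkout carries no `.git` and no phase writes `.tarball-version`, so `git-version-gen` falls back to `UNKNOWN` and the built `patch --version` would report that rather than 2.7.6 or the snapshot's `git-version`. Writing `.tarball-version` before the bootstrap phase, e.g. `(call-with-output-file ".tarball-version" (lambda (port) (display "2.7.6" port)))`, fixes this and keeps the reported version honest.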
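Review bot: the comment in `copy-gnulib-sources` ends mid-sentence ("to avoid introducing a dependency cycle with."); name the other end of the cycle. The two phases also leave the actual bootstrap implicit: nothing here runs the `bootstrap` script copied by `update-bootstrap-script`, so the patch relies on gnu-build-system's standard `bootstrap` phase doing it because the checkout has no `configure`. A one-line comment saying so, and confirming that the script copes with the missing `.git` once `GNULIB_SRCDIR` is set, would save the next reader a trip through the build system.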
bug-guix <at> gnu.org: bug#47144; Package guix. (Sat, 01 Jun 2024 14:34:01 GMT)
Message #59 received at 47144 <at> debbugs.gnu.org:
From: Ludovic Courtès <ludo <at> gnu.org>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Leo Famulari <leo <at> famulari.name>, Vivien Kraus <vivien <at> planete-kraus.eu>, 47144 <at> debbugs.gnu.org
Subject: Re: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Sat, 01 Jun 2024 16:32:55 +0200
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:

> (define-public patch
>   (package
> +   (replacement patch/fixed)

Unless I’m mistaken, this will have practically no effect because Patch is a build-time-only dependency.

My recommendation would be to not add a ‘replacement’ field at all. Instead, you could add a new ‘patch/latest’ public variable pointing to that commit that you picked. That way, users running ‘guix install patch’ or similar will get the latest version of Patch.

On the next ‘core-packages-team’ cycle, we’d update Patch to refer to that commit.

WDYT?

Ludo’.
bug-guix <at> gnu.org: bug#47144; Package guix. (Sat, 01 Jun 2024 15:05:01 GMT)
Message #62 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Mark H Weaver <mhw <at> netris.org>, Leo Famulari <leo <at> famulari.name>, Vivien Kraus <vivien <at> planete-kraus.eu>, 47144 <at> debbugs.gnu.org
Subject: Re: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Sat, 01 Jun 2024 11:02:49 -0400
Hi Ludovic,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> (define-public patch
>>   (package
>> +   (replacement patch/fixed)
>
> Unless I’m mistaken, this will have practically no effect because Patch
> is a build-time-only dependency.
>
> My recommendation would be to not add a ‘replacement’ field at all.
> Instead, you could add a new ‘patch/latest’ public variable pointing to
> that commit that you picked. That way, users running ‘guix install
> patch’ or similar will get the latest version of Patch.

I see what you mean, but for all practical purposes, using a graft seems a more thorough means (because it affects the original 'patch' *variable* as well) that has the same effect for users, so it seems like a slightly better option to me. So e.g. someone using the Guix API referencing exactly the 'patch' package variable would get a secure version, but would otherwise need to know to adjust their code to use 'patch/latest'. Does that make sense?

--
Thanks,
Maxim
bug-guix <at> gnu.org: bug#47144; Package guix. (Tue, 04 Jun 2024 17:41:01 GMT)
Message #65 received at 47144 <at> debbugs.gnu.org:
From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, 47144 <at> debbugs.gnu.org, Vivien Kraus <vivien <at> planete-kraus.eu>, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Tue, 04 Jun 2024 17:39:57 +0200
Hi Maxim,

On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> wrote:

> I preferred inheritance to avoid having to manually sync things in the
> long run... (hopefully the graft gets ungrafted before 'patch' amasses
> new patches, but we never know...)

What would be the long run? ;-)

Well, from my perspective, there is nothing to manually sync in the future. I mean, the only patch applied to release “2.7.6” will be still required for patch/fixed; hence one will need to do what I am proposing if ’patch’ is removed. Else if ’patch’ receives some security fixes, then it seems expected to assume that the fix will be included in the latest patch (here ’patch/fixed’). Last, please note that ’patch’ is barely modified.

--8<---------------cut here---------------start------------->8---
$ git log --format="%cd %s" -- gnu/packages/base.scm | grep 'gnu: patch'
Thu May 30 11:35:13 2024 -0400 gnu: patch: Fix indentation.
Sun Apr 22 22:40:48 2018 +0200 gnu: patch: Work around a cross-compilation issue.
Wed Mar 14 22:11:34 2018 +0100 gnu: patch: Update to 2.7.6.
Fri Jun 12 15:46:25 2015 +0300 gnu: patch: Set PATH_MAX for Hurd systems.
Mon Mar 9 22:56:50 2015 -0400 gnu: patch: Update to 2.7.5.
Sat Mar 7 20:34:50 2015 -0500 Revert "gnu: patch: Update to 2.7.5."
Sun Mar 8 00:32:11 2015 +0100 gnu: patch: Update to 2.7.5.
Wed Feb 11 11:23:46 2015 +0100 gnu: patch: Update to 2.7.4.
Fri Feb 6 13:53:28 2015 +0100 gnu: patch: Add 2.7.4 and make it a replacement for the default one.
Sat Apr 27 00:23:19 2013 +0200 gnu: patch: Update to 2.7.1.
--8<---------------cut here---------------end--------------->8---

I still think that it is easier to have the patch close to the source instead of coming from inheritance. Anyway. :-)

Cheers,
simon
bug-guix <at> gnu.org: bug#47144; Package guix. (Wed, 05 Jun 2024 01:10:01 GMT)
Message #68 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, 47144 <at> debbugs.gnu.org, Vivien Kraus <vivien <at> planete-kraus.eu>, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Tue, 04 Jun 2024 21:08:14 -0400
Hi,

Simon Tournier <zimon.toutoune <at> gmail.com> writes:

> Hi Maxim,
>
> On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> wrote:
>
>> I preferred inheritance to avoid having to manually sync things in the
>> long run... (hopefully the graft gets ungrafted before 'patch' amasses
>> new patches, but we never know...)
>
> What would be the long run? ;-)
>
> Well, from my perspective, there is nothing to manually sync in the
> future.

You're probably right.

> I mean, the only patch applied to release “2.7.6” will be still required
> for patch/fixed; hence one will need to do what I am proposing if
> ’patch’ is removed. Else if ’patch’ receives some security fixes, then
> it seems expected to assume that the fix will be included in the latest
> patch (here ’patch/fixed’). Last, please note that ’patch’ is barely
> modified.

OK. I don't mind doing this change. I'll send a revised version with that done.

--
Thanks,
Maxim
mhw <at> netris.org, ludo <at> gnu.org, lle-bout <at> zaclys.net, leo <at> famulari.name, maxim.cournoyer <at> gmail.com, zimon.toutoune <at> gmail.com, bug-guix <at> gnu.org: bug#47144; Package guix. (Wed, 05 Jun 2024 01:27:01 GMT)
Message #71 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0.
Date: Tue, 4 Jun 2024 21:24:26 -0400
* gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- (no changes since v1) gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0 -- 2.45.1
mhw <at> netris.org, ludo <at> gnu.org, lle-bout <at> zaclys.net, leo <at> famulari.name, maxim.cournoyer <at> gmail.com, zimon.toutoune <at> gmail.com, bug-guix <at> gnu.org: bug#47144; Package guix. (Wed, 05 Jun 2024 01:27:02 GMT)
Message #74 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
Date: Tue, 4 Jun 2024 21:24:27 -0400
Also fix the commands, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- (no changes since v1) gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6934d5ccc7..b369127194 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1393,6 +1393,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm 
@@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim <at> flashner.co.il> ;;; Copyright © 2021 qblade <qblade <at> protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli <at> incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) @@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ 
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) @@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" 
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.45.1
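Review bot: this is the same diff as the v2 posting of 2/3 ("no changes since v1"), so the lookup order in `autogen` still puts `command -v gnulib-tool` ahead of `$GNULIB_SRCDIR/gnulib-tool`: an unrelated `gnulib-tool` earlier on `PATH` overrides an explicitly pinned `GNULIB_SRCDIR`, which is the opposite of what a developer setting that variable expects. Prefer the explicit directory when it is set, fall back to `$GNULIB_SRCDIR/../../bin/gnulib-tool` and only then to `PATH`, and quote the path in the `elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool` test.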
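Review bot: `func_gnulib_dir` still accepts `GNULIB_SRCDIR` without checking that it is a gnulib tree, and in the unset case still resolves `gnulib_dir` from the script's own path, which for the copies the new `install-plan` entries put in `bin/` is `$out/bin` rather than `src/gnulib`. Validate the directory (e.g. `test -d "$GNULIB_SRCDIR/modules"`) and either make the installed commands export `GNULIB_SRCDIR` or install them as symlinks into `src/gnulib` so the existing symlink-following loop lands in the right place.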
mhw <at> netris.org, ludo <at> gnu.org, lle-bout <at> zaclys.net, leo <at> famulari.name, maxim.cournoyer <at> gmail.com, zimon.toutoune <at> gmail.com, bug-guix <at> gnu.org: bug#47144; Package guix. (Wed, 05 Jun 2024 01:27:03 GMT)
Message #77 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Mark H Weaver <mhw <at> netris.org>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes].
Date: Tue, 4 Jun 2024 21:24:28 -0400
* gnu/packages/base.scm (patch/fixed): New variable. (patch) [replacement]: Graft with the above. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw <at> netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- Changes in v3: - Do not use inheritance for patch/fixed origin Changes in v2: - Use same version to have the same store length, a graft requirement - Copy the gnulib source in a phase to avoid introducing a dependency cycle gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..3246b7bd0a 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout <at> zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv <at> posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex <at> twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias <at> protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev <at> jpoiret.xyz> @@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) @@ -263,6 +265,7 @@ (define-public tar (define-public patch (package + (replacement patch/fixed) (name "patch") (version "2.7.6") (source (origin 
@@ -291,6 +294,53 @@ (define-public patch (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")) + (package + (inherit patch) + (name "patch") + ;; TODO: Uncomment when ungrafting. + ;;(version (git-version "2.7.6" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + ;; TODO: Uncomment when ungrafting and using the above + ;; 'git-version'-computed version. + ;;(file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'copy-gnulib-sources + (lambda _ + ;; XXX: We copy the source instead of using 'gnulib' as a + ;; native input to avoid introducing a dependency cycle with. + (copy-recursively #+gnulib "gnulib") + (setenv "GNULIB_SRCDIR" + (string-append (getcwd) "/gnulib/src/gnulib")))) + (add-after 'copy-gnulib-sources 'update-bootstrap-script + (lambda _ + (copy-file "gnulib/src/gnulib/build-aux/bootstrap" + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed))))) + (define-public diffutils (package (name "diffutils") -- 2.45.1
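Review bot: because the graft keeps `(version "2.7.6")` on both `patch` and `patch/fixed`, `guix lint -c cve` will go on matching the CVE entries recorded against patch 2.7.6 after this lands, so the very report this commit closes stays open from the linter's point of view. Add a `lint-hidden-cve` property on `patch` (picked up by `patch/fixed` through `inherit`) listing the CVE identifiers the snapshot fixes; it silences the check and doubles as the record of which advisories commit f144b35 covers.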
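Review bot: unchanged from v2, `patch-configure.ac` makes `git-version-gen` runnable but nothing feeds it: the checkout has no `.git` and no phase writes `.tarball-version`, so the snapshot identifies itself as `UNKNOWN` at run time. Write `.tarball-version` before the bootstrap phase; since the `TODO` comments defer `git-version` to the ungraft, putting that string into `.tarball-version` now lets the binary report the commit it was built from even while the store name stays 2.7.6. The explicit origin with `(patches (search-patches "patch-hurd-path-max.patch"))` is an improvement over inheriting the release origin.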
Forwarded to bug-guix <at> gnu.org: bug#47144; Package guix. (Wed, 05 Jun 2024 16:06:02 GMT)
Message #80 received at 47144 <at> debbugs.gnu.org:
From: Ludovic Courtès <ludo <at> gnu.org>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, 47144 <at> debbugs.gnu.org, Vivien Kraus <vivien <at> planete-kraus.eu>, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 18:04:39 +0200
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:

> Ludovic Courtès <ludo <at> gnu.org> writes:

[...]

>> Unless I’m mistaken, this will have practically no effect because Patch
>> is a build-time-only dependency.
>>
>> My recommendation would be to not add a ‘replacement’ field at all.
>> Instead, you could add a new ‘patch/latest’ public variable pointing to
>> that commit that you picked. That way, users running ‘guix install
>> patch’ or similar will get the latest version of Patch.
>
> I see what you mean, but for all practical purposes, using a graft seems
> a more thorough (because it affects the original 'patch' *variable* as
> well) means that has the same effect for users, so it seems like a
> slightly better option to me.

Strictly speaking, yes, but in practice the benefits are largely theoretical IMO, and the cost of having a graft this deep in the dependency graph.

What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point to the new version?

Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user code etc. would refer to ‘patch’ and thus get the latest version.

Ludo’.
Forwarded to bug-guix <at> gnu.org: bug#47144; Package guix. (Wed, 05 Jun 2024 16:47:01 GMT)
Message #83 received at 47144 <at> debbugs.gnu.org:
From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Leo Famulari <leo <at> famulari.name>, Vivien Kraus <vivien <at> planete-kraus.eu>, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 18:44:40 +0200
Hi,

On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo <at> gnu.org> wrote:

> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.

I agree; it appears to me “safer” than the graft.

However, the cost is to identify which package needs ’patch/pinned’ and which needs new ’patch’. Then once upstream Patch upgrades, there is also the question to unpin all the packages.

Somehow, your previous suggestion ’patch-latest’ for this new package appears to me the best solution. Because it does not require any update here and there, and since the source field follows the Git upstream latest instead of the released tarball, this solution of ’patch-latest’ seems appropriate.

Cheers,
simon
Forwarded to mhw <at> netris.org, ludo <at> gnu.org, lle-bout <at> zaclys.net, leo <at> famulari.name, maxim.cournoyer <at> gmail.com, zimon.toutoune <at> gmail.com, bug-guix <at> gnu.org: bug#47144; Package guix. (Thu, 06 Jun 2024 00:49:01 GMT)
Message #86 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0.
Date: Wed, 5 Jun 2024 20:46:19 -0400
* gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- (no changes since v1) gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0 -- 2.45.1
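Review bot: the commit message gives no reason for bumping UCD inside a Patch security series; a sentence saying that it feeds the gnulib `regenerate-unicode` phase updated in 2/3 (which now also consumes `BidiMirroring.txt`, presumably from this package) would show reviewers why the two are coupled and why 1/3 must land first. Also say how the new base32 hash was obtained (for instance from `guix download` of the UCD.zip URL), since nothing in the hunk lets a reviewer cross-check the 15.1.0 archive.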
Forwarded to mhw <at> netris.org, ludo <at> gnu.org, lle-bout <at> zaclys.net, leo <at> famulari.name, maxim.cournoyer <at> gmail.com, zimon.toutoune <at> gmail.com, bug-guix <at> gnu.org: bug#47144; Package guix. (Thu, 06 Jun 2024 00:49:02 GMT)
Message #89 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
Date: Wed, 5 Jun 2024 20:46:20 -0400
Also fix the commands, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- (no changes since v1) gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6934d5ccc7..b369127194 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1393,6 +1393,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm 
@@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim <at> flashner.co.il> ;;; Copyright © 2021 qblade <qblade <at> protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli <at> incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) @@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ 
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) @@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" 
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
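Review bot: the comment added next to the deleted `patch-source-shebangs`, `patch-generated-file-shebangs` and `patch-usr-bin-file` phases says the installed commands "should be wrapper for proper execution", but no wrapping phase appears anywhere in this diff, and the one remaining shebang handler, `restore-shebangs`, is deleted too. As written, `bin/gnulib-tool`, `bin/gnulib-tool.py` and `bin/gnulib-tool.sh` are installed with whatever `#!` line upstream ships, and the `bash-minimal` input annotated "shebang for gnulib-tool" no longer has a phase that uses it. Either add the wrap (or a targeted `patch-shebang` on just the three `bin/` copies, leaving `src/gnulib` pristine as intended) or reword the comment and drop the now-unused input.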
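Review bot: the enlarged list of disabled `sc_*` rules (ten more in the `disable-failing-tests` string, plus `sc_check_config_h_reminder` and `sc_prohibit_sc_omitted_at` through the `substitute*` on the Makefile) is not explained anywhere in the hunk; a one-line comment saying these are `syntax-check` style rules that fail on the unmodified checkout, not functional tests, would keep the hunk reviewable and make it obvious which ones to try re-enabling on the next bump. Also double-check the regexp split across a backslash-newline, `"sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\` followed by `|sc_omitted_at)"`: the continuation must leave no stray whitespace inside the alternation, or the rename silently stops matching and the check runs anyway.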
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.45.1
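Review bot: the new lookup order in `autogen()` consults `command -v gnulib-tool` before the explicitly configured `$GNULIB_SRCDIR`, so a caller who sets `GNULIB_SRCDIR` to pin the gnulib sources can now have a different `gnulib-tool` run against them (one from another gnulib version, or, in a non-hermetic environment, whatever `gnulib-tool` happens to sit first on PATH) with no warning. Prefer the explicit configuration: try `$GNULIB_SRCDIR/gnulib-tool` first, then the `$GNULIB_SRCDIR/../../bin/gnulib-tool` layout this patch is about, and only fall back to PATH when neither exists. While there, quote the path in `elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool`, since `$GNULIB_SRCDIR` is user-supplied.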
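Review bot: in `func_gnulib_dir`, honoring `GNULIB_SRCDIR` over the script's own resolved location means `gnulib-tool` silently operates on a module tree that may not match its own version; at minimum check that `$GNULIB_SRCDIR` actually holds a gnulib checkout (e.g. `test -f "$GNULIB_SRCDIR/gnulib-tool"`) before trusting it, and document the variable in gnulib-tool's comments, since it was previously a bootstrap-only knob. Separately, the patch text reads like an upstream submission ("Some distributions such as GNU Guix ..."); add the upstream thread URL to the patch file header so it can be dropped once merged, or state that it is Guix-local.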
Forwarded to bug-guix <at> gnu.org: bug#47144; Package guix. (Thu, 06 Jun 2024 00:52:01 GMT)
Message #92 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Leo Famulari <leo <at> famulari.name>, Vivien Kraus <vivien <at> planete-kraus.eu>, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 20:49:54 -0400
Hi Simon,

Simon Tournier <zimon.toutoune <at> gmail.com> writes:

> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo <at> gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’. Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.

Indeed. It'll be easy though to grep for 'patch/pinned', which are few and far between, compared to grepping for 'patch'...

I've implemented Ludovic's suggestion in v4, before I actually read this reply of yours... I think it's OK; it goes a bit further than 'patch-latest' to protect users in case they refer to the 'patch' package variable directly.

--
Thanks,
Maxim
Forwarded to mhw <at> netris.org, ludo <at> gnu.org, lle-bout <at> zaclys.net, leo <at> famulari.name, maxim.cournoyer <at> gmail.com, zimon.toutoune <at> gmail.com, guix <at> cbaines.net, efraim <at> flashner.co.il, ekaitz <at> elenq.tech, glv <at> posteo.net, dev <at> jpoiret.xyz, cox.katherine.e+guix <at> gmail.com, othacehe <at> gnu.org, me <at> bonfacemunyoki.com, rekado <at> elephly.net, sharlatanus <at> gmail.com, me <at> tobias.gr, jgart <at> dismail.de, bug-guix <at> gnu.org: bug#47144; Package guix. (Thu, 06 Jun 2024 00:57:02 GMT)
Message #95 received at 47144 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144 <at> debbugs.gnu.org
Cc: Mark H Weaver <mhw <at> netris.org>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes].
Date: Wed, 5 Jun 2024 20:46:21 -0400
* gnu/packages/base.scm (patch): Rename to... (patch/pinned): ... this. Hide package. (patch): New variable. * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned. (patch-boot0): Likewise. (%final-inputs): Replace patch with patch/pinned. * gnu/packages/lisp.scm (cl-asdf): Likewise. * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw <at> netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- Changes in v4: - Use a hidden patch/pinned and patch variables instead of a graft Changes in v3: - Do not use inheritance for patch/fixed origin Changes in v2: - Use same version to have the same store length, a graft requirement - Copy the gnulib source in a phase to avoid introducing a dependency cycle gnu/packages/base.scm | 102 +++++++++++++++++++++++++--------- gnu/packages/commencement.scm | 8 +-- gnu/packages/lisp.scm | 2 +- guix/packages.scm | 2 +- 4 files changed, 82 insertions(+), 32 deletions(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..66c5b7d237 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout <at> zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv <at> posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex <at> twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias <at> protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev <at> jpoiret.xyz> 
@@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) 
@@ -261,35 +263,83 @@ (define-public tar (license gpl3+) (home-page "https://www.gnu.org/software/tar/"))) -(define-public patch - (package - (name "patch") - (version "2.7.6") - (source (origin - (method url-fetch) - (uri (string-append "mirror://gnu/patch/patch-" - version ".tar.xz")) - (sha256 - (base32 - "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) - (patches (search-patches "patch-hurd-path-max.patch")))) - (build-system gnu-build-system) - (arguments - ;; Work around a cross-compilation bug whereby libpatch.a would provide - ;; '__mktime_internal', which conflicts with the one in libc.a. - (if (%current-target-system) - `(#:configure-flags '("gl_cv_func_working_mktime=yes")) - '())) - (native-inputs (list ed)) - (synopsis "Apply differences to originals, with optional backups") - (description - "Patch is a program that applies changes to files based on differences +;;; TODO: Replace/merge with 'patch' on core-updates. +(define-public patch/pinned + (hidden-package + (package + (name "patch") + (version "2.7.6") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnu/patch/patch-" + version ".tar.xz")) + (sha256 + (base32 + "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (build-system gnu-build-system) + (arguments + ;; Work around a cross-compilation bug whereby libpatch.a would provide + ;; '__mktime_internal', which conflicts with the one in libc.a. + (if (%current-target-system) + `(#:configure-flags '("gl_cv_func_working_mktime=yes")) + '())) + (native-inputs (list ed)) + (synopsis "Apply differences to originals, with optional backups") + (description + "Patch is a program that applies changes to files based on differences laid out as by the program \"diff\". The changes may be applied to one or more files depending on the contents of the diff file. It accepts several different diff formats. 
It may also be used to revert previously applied differences.") - (license gpl3+) - (home-page "https://savannah.gnu.org/projects/patch/"))) + (license gpl3+) + (home-page "https://savannah.gnu.org/projects/patch/")))) + +(define-public patch + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92") + (base patch/pinned)) + (package + (inherit base) + (name "patch") + (version (git-version "2.7.6" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (arguments + (substitute-keyword-arguments (package-arguments base) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'copy-gnulib-sources + (lambda _ + ;; XXX: We copy the source instead of using 'gnulib' as a + ;; native input to avoid introducing a dependency cycle. + (copy-recursively #+gnulib "gnulib") + (setenv "GNULIB_SRCDIR" + (string-append (getcwd) "/gnulib/src/gnulib")))) + (add-after 'copy-gnulib-sources 'update-bootstrap-script + (lambda _ + (copy-file "gnulib/src/gnulib/build-aux/bootstrap" + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed)) + (properties '())))) (define-public diffutils (package diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index b4d236c35b..0433059493 100644 
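Review bot: `git-fetch` delivers a checkout without `.git`, so the `build-aux/git-version-gen` invocation in configure.ac that `patch-configure.ac` rewrites has no repository to describe; unless a phase writes the package version to the usual `.tarball-version` file, the built `patch --version` will report git-version-gen's fallback string rather than 2.7.6-0.f144b35. Writing that file in the same phase (for example by ungexp'ing `(package-version this-package)` into the G-expression) fixes it. Two related points in this hunk: the `XXX` comment still says gnulib is copied "to avoid introducing a dependency cycle", but `#+gnulib` already makes gnulib a build dependency of the derivation, and with `%standard-patch-inputs` now pointing at `patch/pinned` the cycle through gnulib's own `patches` appears to be gone, so either declare gnulib as a native input or say which cycle remains; and `(properties '())` un-hides the package by discarding every inherited property, where removing just `hidden?` would survive properties being added to `patch/pinned` later.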
--- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -878,7 +878,7 @@ (define tcc-boot (define patch-mesboot ;; The initial patch. (package - (inherit patch) + (inherit patch/pinned) (name "patch-mesboot") (version "2.5.9") (source (origin @@ -2167,8 +2167,8 @@ (define gawk-boot0 (define patch-boot0 (package - (inherit patch) - (source (bootstrap-origin (package-source patch))) + (inherit patch/pinned) + (source (bootstrap-origin (package-source patch/pinned))) (name "patch-boot0") (native-inputs '()) (inputs @@ -3482,7 +3482,7 @@ (define-public %final-inputs ("bzip2" ,bzip2) ("file" ,file) ("diffutils" ,diffutils) - ("patch" ,patch) + ("patch" ,patch/pinned) ("findutils" ,findutils) ("gawk" ,gawk))) ("sed" ,sed-final) diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm index 6bf93d83c7..6f3bd126cc 100644 --- a/gnu/packages/lisp.scm +++ b/gnu/packages/lisp.scm @@ -121,7 +121,7 @@ (define-public cl-asdf (build-system trivial-build-system) (native-inputs `(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch")) - ("patch" ,patch))) + ("patch" ,patch/pinned))) (arguments `(#:modules ((guix build utils) (guix build lisp-utils)) diff --git a/guix/packages.scm b/guix/packages.scm index abe89cdb07..f3a9a61785 100644 --- a/guix/packages.scm +++ b/guix/packages.scm @@ -899,7 +899,7 @@ (define (%standard-patch-inputs system) ("gzip" ,(ref '(gnu packages compression) 'gzip)) ("lzip" ,(ref '(gnu packages compression) 'lzip)) ("unzip" ,(ref '(gnu packages compression) 'unzip)) - ("patch" ,(ref '(gnu packages base) 'patch)) + ("patch" ,(ref '(gnu packages base) 'patch/pinned)) ("locales" ,(parameterize ((%current-target-system #f) (%current-system system)) -- 2.45.1
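Review bot: keeping `patch/pinned` in `%final-inputs` means every gnu-build-system build environment still carries the unfixed 2.7.6 binary, so any package phase that itself runs `patch` on files it did not author (upstream-supplied patch sets, vendored diffs) exercises the vulnerable parser. That is a reasonable trade for bootstrap stability, but the comment on `patch/pinned` should say so explicitly (for bootstrap and implicit inputs only; not for untrusted input) so the distinction survives until the core-updates TODO is picked up.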
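Review bot: `cl-asdf` only ever feeds `patch` the distribution's own `cl-asdf-config-directories.patch`, so moving it to `patch/pinned` is safe, but the commit message only says "Likewise" for this site; a short reason (avoiding a rebuild of the Lisp stack, or a cycle through the new `patch`'s gnulib dependency) would tell the next person whether this particular use can switch to the updated `patch`.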
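Review bot: `%standard-patch-inputs` now applies every origin's `patches` with the unfixed 2.7.6; since those patch files are all shipped in the Guix tree rather than taken from upstream archives, the malformed-patch-file advisories this series fixes are not reachable here, but that reasoning belongs in a comment next to the `patch/pinned` reference, together with the reason it cannot use the new `patch` (which the commit message does not state; the new `patch` origin's own `patches` field would presumably recurse into this very list).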
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>; notification sent to Mark H Weaver <mhw <at> netris.org>.
Message #100 received at 47144-done <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144-done <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Tobias Geerinckx-Rice <me <at> tobias.gr>, Sharlatan Hellseher <sharlatanus <at> gmail.com>, Ekaitz Zarraga <ekaitz <at> elenq.tech>, Simon Tournier <zimon.toutoune <at> gmail.com>, Guillaume Le Vaillant <glv <at> posteo.net>, Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Katherine Cox-Buday <cox.katherine.e+guix <at> gmail.com>, Efraim Flashner <efraim <at> flashner.co.il>, Leo Famulari <leo <at> famulari.name>, Ricardo Wurmus <rekado <at> elephly.net>, Munyoki Kilyungi <me <at> bonfacemunyoki.com>, jgart <jgart <at> dismail.de>, Mathieu Othacehe <othacehe <at> gnu.org>, Christopher Baines <guix <at> cbaines.net>, Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47144: security patching of 'patch' package
Date: Mon, 24 Jun 2024 00:43:46 -0400
Hi,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this. Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw <at> netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

Applied locally and will push shortly.

--
Thanks,
Maxim
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 22 Jul 2024 11:24:18 GMT)