GNU bug report logs - #55399
libgit2 1.4.3 directory owner validation breaks Guix

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Severity: important; Reported by: André Batista <nandre@HIDDEN>; Keywords: patch; dated Fri, 13 May 2022 15:22:01 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added indication that bug 55399 blocks53144 Request was from Maxime Devos <maximedevos@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 28 Aug 2022 11:02:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Aug 28 07:02:53 2022
Received: from localhost ([127.0.0.1]:57700 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1oSG45-0001Lr-4G
	for submit <at> debbugs.gnu.org; Sun, 28 Aug 2022 07:02:53 -0400
Received: from albert.telenet-ops.be ([195.130.137.90]:54464)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1oSG43-0001Lj-Sq
 for 55399 <at> debbugs.gnu.org; Sun, 28 Aug 2022 07:02:52 -0400
Received: from [IPV6:2a02:1811:8c09:9d00:5dba:d409:33f7:a16]
 ([IPv6:2a02:1811:8c09:9d00:5dba:d409:33f7:a16])
 by albert.telenet-ops.be with bizsmtp
 id Cz2o2800A20ykKC06z2oU5; Sun, 28 Aug 2022 13:02:49 +0200
Message-ID: <7db0f45d-b2ff-5ff9-691b-26775b0cf3c6@HIDDEN>
Date: Sun, 28 Aug 2022 13:02:48 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.12.0
Subject: Re: [PATCH 1/2] guix: Disable owner validation.
Content-Language: en-US
To: 55399 <at> debbugs.gnu.org
References: <20220828105827.26161-1-maximedevos@HIDDEN>
From: Maxime Devos <maximedevos@HIDDEN>
In-Reply-To: <20220828105827.26161-1-maximedevos@HIDDEN>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------lVDrBYTJ0BJwQ4O0Y52t9WMn"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22;
 t=1661684569; bh=Sw4GIw4lqGz6099fkyTH+qNAn40rhcA8PvolgJA8AyU=;
 h=Date:Subject:To:Cc:References:From:In-Reply-To;
 b=iDLXPkryf/5KcMoLtNklJoFOHXKctnF/4Tp2mXaF1uLJgQaWmDlQK8f6Q7rBJJZCg
 S8olJWs1bNKbBDvgwzqA0WkRIWUt861fVClYwik2zCKDxexlGvx2lPp/IMstjyQtYg
 hC3lWzaPRD8YW8PhWWFkrZdEQaesQ5gtEsGXO135pWNf4vBUGX+y+tMhiFV6FlUq53
 NF/EJ7P30I2mV/aEbrDiBSRkUTRF2Q9aZE+CHi4U5U3EJ9kw0zoW3iY6z5zPcGpf8C
 UgK2YpMAYRS+q76z0J6/bWPaX6dghz4oKVr4vZf031qJu3OcK0vV+thI1A+GpN8TQM
 yQOvFp06Zl4xA==
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 55399
Cc: =?UTF-8?Q?Andr=c3=a9_Batista?= <nandre@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------lVDrBYTJ0BJwQ4O0Y52t9WMn
Content-Type: multipart/mixed; boundary="------------lUDgrx0MshKoZuNYOGnl8rDb";
 protected-headers="v1"
From: Maxime Devos <maximedevos@HIDDEN>
To: 55399 <at> debbugs.gnu.org
Cc: =?UTF-8?Q?Andr=c3=a9_Batista?= <nandre@HIDDEN>
Message-ID: <7db0f45d-b2ff-5ff9-691b-26775b0cf3c6@HIDDEN>
Subject: Re: [PATCH 1/2] guix: Disable owner validation.
References: <20220828105827.26161-1-maximedevos@HIDDEN>
In-Reply-To: <20220828105827.26161-1-maximedevos@HIDDEN>

--------------lUDgrx0MshKoZuNYOGnl8rDb
Content-Type: multipart/mixed; boundary="------------r3TpuF4Rv5u6mRtneIOrc09H"

--------------r3TpuF4Rv5u6mRtneIOrc09H
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

T29wcywgdGhlIHRlc3QgSSBkaWQgaW4gdGhlIHNlY29uZCB0ZXN0IGlzIGJvZ3VzIChJIGRp
ZG4ndCB0ZXN0IGFzIHJvb3QpLg0KDQpIb3dldmVyLCBpdCBhcHBlYXJzIHRoYXQgb3duZXIg
dmFsaWRhdGlvbiBpcyBwcm9wZXJseSBkaXNhYmxlZDoNCg0KW2luc2lkZSB0aGUgcHVsbGVk
IGd1aXhdDQoNCj4gc2NoZW1lQChndWl4LXVzZXIpPiAsbSAoZ3VpeCBnaXQpDQo+IHNjaGVt
ZUAoZ3VpeCBnaXQpPiAob3duZXItdmFsaWRhdGlvbj8pIC0tPiAjdHJ1ZQ0KPiBzY2hlbWVA
KGd1aXggZ2l0KT4gKHdpdGgtbGliZ2l0MiAob3duZXItdmFsaWRhdGlvbj8pKSAtLT4gI2Zh
bHNlDQpHcmVldGluZ3MsDQpNYXhpbWUuDQoNCg==
--------------r3TpuF4Rv5u6mRtneIOrc09H
Content-Type: application/pgp-keys; name="OpenPGP_0x49E3EE22191725EE.asc"
Content-Disposition: attachment; filename="OpenPGP_0x49E3EE22191725EE.asc"
Content-Description: OpenPGP public key
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEX4ch6BYJKwYBBAHaRw8BAQdANPb/d6MrGnGi5HyvODCkBUJPRjiFQcRU5V+m
xvMaAa/NL01heGltZSBEZXZvcyA8bWF4aW1lLmRldm9zQHN0dWRlbnQua3VsZXV2
ZW4uYmU+wpAEExYIADgWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCX4ch6AIbAwUL
CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBJ4+4iGRcl7japAQC3opZ2KGWzWmRc
/gIWSu0AAcfMwyinFEEPa/QhUt2CogD/e2RdF4CYAgaRHJJmZ9WU7piKbLZ7llB4
LzgezVDHggzNJU1heGltZSBEZXZvcyA8bWF4aW1lZGV2b3NAdGVsZW5ldC5iZT7C
kAQTFggAOBYhBMHzPuIMUo/bfdcBH0nj7iIZFyXuBQJf56ycAhsDBQsJCAcDBRUK
CQgLBRYCAwEAAh4BAheAAAoJEEnj7iIZFyXujpQBAKV1SwDDl4f24rXciDlB9L8W
ycZt30CgbewMSRQk4mvbAP9dFMbVVixYBd6C8cfhR+NsOBGiOJnQABlUmgNuqGFJ
Dc44BF+HIegSCisGAQQBl1UBBQEBB0BOlzIWiJzgobMF6/cqwLaLk7jIcFSZ++c0
k9cCNT6YXwMBCAfCeAQYFggAIBYhBMHzPuIMUo/bfdcBH0nj7iIZFyXuBQJfhyHo
AhsMAAoJEEnj7iIZFyXuMr0BAJc8cl5PGvVmVuSQVKjleNl4DK1/XAaPAYPe34AE
fZJPAP9IqLCQhH/FeJanHqBP8gNdGNI2qn8RnnLVfRJgUjZ1BA=3D=3D
=3DOVqp
-----END PGP PUBLIC KEY BLOCK-----

--------------r3TpuF4Rv5u6mRtneIOrc09H--

--------------lUDgrx0MshKoZuNYOGnl8rDb--

--------------lVDrBYTJ0BJwQ4O0Y52t9WMn
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

wnsEABYIACMWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYwtLWAUDAAAAAAAKCRBJ4+4iGRcl7pVR
AP9HKKWE7eFOHE0Kj/WscnOnJXgcWX0YCwr8siZDCjYyEgEAxnydDOzuCaCop6u4gBbE6FhTd2KB
Me7lfHEAukxDtQ8=
=dc5F
-----END PGP SIGNATURE-----

--------------lVDrBYTJ0BJwQ4O0Y52t9WMn--




Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 28 Aug 2022 10:58:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Aug 28 06:58:39 2022
Received: from localhost ([127.0.0.1]:57683 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1oSFzz-0001Da-4X
	for submit <at> debbugs.gnu.org; Sun, 28 Aug 2022 06:58:39 -0400
Received: from baptiste.telenet-ops.be ([195.130.132.51]:53150)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1oSFzr-0001D7-S8
 for 55399 <at> debbugs.gnu.org; Sun, 28 Aug 2022 06:58:34 -0400
Received: from localhost.localdomain
 ([IPv6:2a02:1811:8c09:9d00:5dba:d409:33f7:a16])
 by baptiste.telenet-ops.be with bizsmtp
 id CyyV2800920ykKC01yyVDt; Sun, 28 Aug 2022 12:58:30 +0200
From: Maxime Devos <maximedevos@HIDDEN>
To: 55399 <at> debbugs.gnu.org
Subject: [PATCH 1/2] guix: Disable owner validation.
Date: Sun, 28 Aug 2022 12:58:26 +0200
Message-Id: <20220828105827.26161-1-maximedevos@HIDDEN>
X-Mailer: git-send-email 2.37.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22;
 t=1661684310; bh=AlGgcz12DhwPIjv9mFcEnpDVWGLLooc+fGUhx/H3O5g=;
 h=From:To:Cc:Subject:Date;
 b=MWMOyMri8l4NalXrQwfthFpRO4pi3Y+A4aEENWLYRtknEIZHqdUXPlHWS9760GvDb
 zhXnDkC3AH3aJN0mPkCRYFuOMPTQxbnGndikVxJ9cxlIAiq6KQo+twnqNhlIGEC9vq
 Kb+mSq2GfHF7LYmkyctyJppNm4/Ucuf3qT3ujS74TgjZUdGJiGF1no7M+WM4TSVDnp
 VocZoqWo+O8OQyop4j1gn1lF7MLnFuVg61aqyRs7kRnR21loqqDrrL7tmAOBVBA+Y5
 Fr0wRv/vwlCKEBa3WhEDVMkHVr3gMdIofxpHAH5n63QjQVmQ9dGINaH/IY2jaV2zbv
 BXtNhKrU3Etfw==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 55399
Cc: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@HIDDEN>,
 Maxime Devos <maximedevos@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

The original patch disabled it only when updating cached checkouts, but the
disabling persisted afterwards, making it stateful. To avoid statefulness, it
is disabled during with-libgit2 instead.

For compatibility with guile-git versions that do not yet have
set-owner-validation!, the setting is skipped when set-owner-validation! does
not exist.

* guix/git.scm (update-cached-checkout): Disable owner validation checks.

Co-Authored-By: André Batista <nandre@HIDDEN>
---
 guix/git.scm | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..0fe6e65549 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2021 Kyle Meyer <kyle@HIDDEN>
 ;;; Copyright © 2021 Marius Bakke <marius@HIDDEN>
 ;;; Copyright © 2022 Maxime Devos <maximedevos@HIDDEN>
+;;; Copyright © 2022 André Batista <nandre@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 (define-module (guix git)
   #:use-module (git)
   #:use-module (git object)
+  #:use-module (git settings)
   #:use-module (git submodule)
   #:use-module (guix i18n)
   #:use-module (guix base32)
@@ -117,6 +119,16 @@ (define-syntax-rule (with-libgit2 thunk ...)
     ;; but pointer finalizers used in guile-git may be called after shutdown,
     ;; resulting in a segfault. Hence, let's skip shutdown call for now.
     (libgit2-init!)
+    ;; libgit2@HIDDEN ‘fixed’ a git CVE it never shared, breaking some uses
+    ;; of Guix channels (see <https://issues.guix.gnu.org/55399>).  Disable
+    ;; the owner validation that does not fit in the security model in Guix.
+    ;;
+    ;; For compatibility with old guile-git that do not have
+    ;; 'set-owner-validation!', do nothing if 'set-owner-validation!'
+    ;; does not exist.
+    ((catch 'unbound-variable
+            (lambda () set-owner-validation!)
+            (lambda _ identity)) #false)
     (unless %certificates-initialized?
       (honor-system-x509-certificates!)
       (set! %certificates-initialized? #t))

base-commit: d519305d83d08058e4def2c4d72fe62102d9599d
prerequisite-patch-id: 62949e6148bb8aae2f792aaf4d54f2a136351d28
prerequisite-patch-id: 72191ec47cb3876c5fcd6233880dea7dfc1b165f
prerequisite-patch-id: bbfd96d673e491ddd684e8270c90347547dceaa5
prerequisite-patch-id: fbdac7446d0c3f529f313f89cb9ba975d469d7ac
prerequisite-patch-id: d0a5804a92d868c5ee6726e6e0555a8af25e442c
-- 
2.37.1





Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 28 Aug 2022 10:58:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Aug 28 06:58:35 2022
Received: from localhost ([127.0.0.1]:57681 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1oSFzu-0001DM-68
	for submit <at> debbugs.gnu.org; Sun, 28 Aug 2022 06:58:35 -0400
Received: from baptiste.telenet-ops.be ([195.130.132.51]:53158)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1oSFzr-0001D8-Ru
 for 55399 <at> debbugs.gnu.org; Sun, 28 Aug 2022 06:58:33 -0400
Received: from localhost.localdomain
 ([IPv6:2a02:1811:8c09:9d00:5dba:d409:33f7:a16])
 by baptiste.telenet-ops.be with bizsmtp
 id CyyV2800920ykKC01yyWDz; Sun, 28 Aug 2022 12:58:30 +0200
From: Maxime Devos <maximedevos@HIDDEN>
To: 55399 <at> debbugs.gnu.org
Subject: [PATCH 2/2] gnu: guile-git: Add patches to support owner validation,
 and use libgit2@HIDDEN
Date: Sun, 28 Aug 2022 12:58:27 +0200
Message-Id: <20220828105827.26161-2-maximedevos@HIDDEN>
X-Mailer: git-send-email 2.37.1
In-Reply-To: <20220828105827.26161-1-maximedevos@HIDDEN>
References: <20220828105827.26161-1-maximedevos@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22;
 t=1661684310; bh=yb5KY9eI13aJJQUMtwUpM+jPaOxtHUJR0zmiHjoKwrE=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References;
 b=aGSBt+XjFL2QiFIcjxWSmt/7ZnDhNj4rvEjEFRjzlNPRv3J317RqxWFO0BUsqHs99
 y+SB/121dLKFjaSpkvd4qGluHzlr4UVhcMbL4W2J3cBLDIIBs5NSqLbYI5+XvoPTKE
 AKPZXBeNXSh9n9xzwll3nhvvupPFAY8Qm2WJtXXrbwg8aQb4GxBgoly3QwDc+OKfPb
 kTF9/51CELK1aD+i0Ht/qea5e7UWFvxb7KTsCNQmds6xTVQ8X7ralUa4Dddq6Ld+5Z
 6/Il1k30YazxZ6ix9Dca20jwQgQ0GBsuC5d4pqZemGO8BG+S8EMO7A2odayTDDxnUM
 mrGV8gRW+yd2Q==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 55399
Cc: Maxime Devos <maximedevos@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

These two changes have to be done at the same time -- if the libgit2
dependency is updated first, then we would have a commit during which
"guix pull" is broken when using local channels (see:
<https://issues.guix.gnu.org/55399>).  And if the patches are added first,
then the build of guile-git breaks because the tests assume a new libgit2.

Together with the previous commit, this fixes
<https://issues.guix.gnu.org/55399>.

Tested with (first step):

$ ./pre-inst-env guix pull --url=$PWD
--commit=b22ddb51d8dfa4ab7f683c99ffc1fa6f44e0dc6b
--profile=../guix-with-libgit2 --disable-authentication
--channels=../channels.scm

where b22ddb51d8dfa4ab7f683c99ffc1fa6f44e0dc6b is the commit after applying
these two patches. Make sure to only put the Guix channel in ../channels.scm,
because of --disable-authentication.  This builds a Guix that uses the new
libgit2 and patched guile-git.  Then, it is tested that pulling still works
from a local checkout:

$ ../guix-with-libgit2/bin/guix pull --url=$PWD
--commit=c3d9ddbf3d34b58261ab9e03c794f5fbad34142d --channels=../channels.scm
--disable-authentication -p../another-guix

where c3d9ddbf3d34b58261ab9e03c794f5fbad34142d is a commit that hasn't been
seen before by the "guix pull" machinery.

* gnu/packages/patches/guile-git-fix-git-opt.patch: New patch.
* gnu/packages/patches/guile-git-set-owner-validation.patch: New patch.
* gnu/packages/patches/guile-git-test-owner-validation.patch: New patch.
* gnu/packages/guile.scm (guile-git)[source]{patches}: Add new patches.
* gnu/local.mk (dist_patch_DATA): Register new patches.
---
 gnu/local.mk                                  |   3 +
 gnu/packages/guile.scm                        |  15 +-
 .../patches/guile-git-fix-git-opt.patch       |  57 +++++++
 .../guile-git-set-owner-validation.patch      |  41 +++++
 .../guile-git-test-owner-validation.patch     | 153 ++++++++++++++++++
 5 files changed, 264 insertions(+), 5 deletions(-)
 create mode 100644 gnu/packages/patches/guile-git-fix-git-opt.patch
 create mode 100644 gnu/packages/patches/guile-git-set-owner-validation.patch
 create mode 100644 gnu/packages/patches/guile-git-test-owner-validation.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 412d512775..081f240157 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1244,6 +1244,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/guile-fibers-wait-for-io-readiness.patch \
   %D%/packages/patches/guile-gdbm-ffi-support-gdbm-1.14.patch	\
   %D%/packages/patches/guile-git-adjust-for-libgit2-1.2.0.patch \
+  %D%/packages/patches/guile-git-fix-git-opt.patch		\
+  %D%/packages/patches/guile-git-set-owner-validation.patch	\
+  %D%/packages/patches/guile-git-test-owner-validation.patch	\
   %D%/packages/patches/guile-present-coding.patch		\
   %D%/packages/patches/guile-rsvg-pkgconfig.patch		\
   %D%/packages/patches/guile-emacs-fix-configure.patch		\
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index d320763a61..87b35e2db2 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -16,7 +16,7 @@
 ;;; Copyright © 2018 Eric Bavier <bavier@HIDDEN>
 ;;; Copyright © 2019 Taylan Kammer <taylan.kammer@HIDDEN>
 ;;; Copyright © 2020, 2021, 2022 Efraim Flashner <efraim@HIDDEN>
-;;; Copyright © 2021 Maxime Devos <maximedevos@HIDDEN>
+;;; Copyright © 2021, 2022 Maxime Devos <maximedevos@HIDDEN>
 ;;; Copyright © 2021 Timothy Sample <samplet@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -817,7 +817,14 @@ (define-public guile-git
                (base32
                 "11a51acibwi2hpaygmrpn6nwbr4lqalc87ihrgj3mhz6swbsk9n7"))
               (patches (search-patches
-                        "guile-git-adjust-for-libgit2-1.2.0.patch"))))
+                        "guile-git-adjust-for-libgit2-1.2.0.patch"
+                        ;; These three patches from
+                        ;; <https://gitlab.com/guile-git/guile-git/-/issues/26>
+                        ;; together add procedures to disable/enable owner validation,
+                        ;; which is required for fixing <https://issues.guix.gnu.org/55399>.
+                        "guile-git-fix-git-opt.patch"
+                        "guile-git-set-owner-validation.patch"
+                        "guile-git-test-owner-validation.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:make-flags '("GUILE_AUTO_COMPILE=0")       ; to prevent guild warnings
@@ -833,9 +840,7 @@ (define-public guile-git
     (native-inputs
      (list pkg-config autoconf automake texinfo guile-3.0 guile-bytestructures))
     (inputs
-     ;; libgit2@HIDDEN ‘fixed’ a git CVE it never shared, breaking Guix.  Use
-     ;; 1.3 for now; see <https://issues.guix.gnu.org/55399> for alternatives.
-     (list guile-3.0 libgit2-1.3))
+     (list guile-3.0 libgit2))
     (propagated-inputs
      (list guile-bytestructures))
     (synopsis "Guile bindings for libgit2")
diff --git a/gnu/packages/patches/guile-git-fix-git-opt.patch b/gnu/packages/patches/guile-git-fix-git-opt.patch
new file mode 100644
index 0000000000..050c72818a
--- /dev/null
+++ b/gnu/packages/patches/guile-git-fix-git-opt.patch
@@ -0,0 +1,57 @@
+From 99054837c6616e06c48c944094114ae8c9b628f3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@HIDDEN>
+Date: Thu, 19 May 2022 09:35:25 -0300
+To: incoming+guile-git-guile-git-1792500-1ffl9ys3eg9dz7xscimedvf7n-merge-request@HIDDEN
+Subject: Update GIT_OPT definitions to match upstream enum
+
+* git/settings.scm: Update definitions to match libgit2 v. 1.4.3.
+
+---
+ git/settings.scm | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/git/settings.scm b/git/settings.scm
+index 83e2483..4621f43 100644
+--- a/git/settings.scm
++++ b/git/settings.scm
+@@ -1,5 +1,6 @@
+ ;;; Guile-Git --- GNU Guile bindings of libgit2
+ ;;; Copyright © 2017 Ludovic Courtès <ludo@HIDDEN>
++;;; Copyright © 2022 André Batista <nandre@HIDDEN>
+ ;;;
+ ;;; This file is part of Guile-Git.
+ ;;;
+@@ -38,8 +39,28 @@
+ (define GIT_OPT_SET_SSL_CERT_LOCATIONS 12)
+ (define GIT_OPT_SET_USER_AGENT 13)
+ (define GIT_OPT_ENABLE_STRICT_OBJECT_CREATION 14)
+-(define GIT_OPT_SET_SSL_CIPHERS 15)
+-(define GIT_OPT_GET_USER_AGENT 16)
++(define GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION 15)
++(define GIT_OPT_SET_SSL_CIPHERS 16)
++(define GIT_OPT_GET_USER_AGENT 17)
++(define GIT_OPT_ENABLE_OFS_DELTA 18)
++(define GIT_OPT_ENABLE_FSYNC_GITDIR 19)
++(define GIT_OPT_GET_WINDOWS_SHAREMODE 20)
++(define GIT_OPT_SET_WINDOWS_SHAREMODE 21)
++(define GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION 22)
++(define GIT_OPT_SET_ALLOCATOR 23)
++(define GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY 24)
++(define GIT_OPT_GET_PACK_MAX_OBJECTS 25)
++(define GIT_OPT_SET_PACK_MAX_OBJECTS 26)
++(define GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS 27)
++(define GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE 28)
++(define GIT_OPT_GET_MWINDOW_FILE_LIMIT 29)
++(define GIT_OPT_SET_MWINDOW_FILE_LIMIT 30)
++(define GIT_OPT_SET_ODB_PACKED_PRIORITY 31)
++(define GIT_OPT_SET_ODB_LOOSE_PRIORITY 32)
++(define GIT_OPT_GET_EXTENSIONS 33)
++(define GIT_OPT_SET_EXTENSIONS 34)
++(define GIT_OPT_GET_OWNER_VALIDATION 35)
++(define GIT_OPT_SET_OWNER_VALIDATION 36)
+ 
+ (define set-tls-certificate-locations!
+   (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '* '*))))
+-- 
+2.36.0
+
diff --git a/gnu/packages/patches/guile-git-set-owner-validation.patch b/gnu/packages/patches/guile-git-set-owner-validation.patch
new file mode 100644
index 0000000000..becef644ad
--- /dev/null
+++ b/gnu/packages/patches/guile-git-set-owner-validation.patch
@@ -0,0 +1,41 @@
+From 88091a17f8276b03c95837b422adf5b0b7eda79e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@HIDDEN>
+Date: Thu, 19 May 2022 09:47:36 -0300
+Subject: [PATCH] settings: Add 'set-owner-validation!'.
+To: guile-git@HIDDEN
+
+* git/settings.scm: (set-owner-validation!): New procedure.
+---
+ git/settings.scm | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/git/settings.scm b/git/settings.scm
+index 4621f43..f6857d5 100644
+--- a/git/settings.scm
++++ b/git/settings.scm
+@@ -20,7 +20,8 @@
+ (define-module (git settings)
+   #:use-module (system foreign)
+   #:use-module (git bindings)
+-  #:export (set-tls-certificate-locations!
++  #:export (set-owner-validation!
++            set-tls-certificate-locations!
+             set-user-agent!))
+ 
+ ;; 'git_libgit2_opt_t' enum defined in <git2/common.h>.
+@@ -62,6 +63,12 @@
+ (define GIT_OPT_GET_OWNER_VALIDATION 35)
+ (define GIT_OPT_SET_OWNER_VALIDATION 36)
+ 
++(define set-owner-validation!
++  (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int int))))
++    (lambda (owner-validation)
++      "Boolean: enable/disable owner validation checks. See CVE 2022-24765."
++      (proc GIT_OPT_SET_OWNER_VALIDATION (if owner-validation 1 0)))))
++
+ (define set-tls-certificate-locations!
+   (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '* '*))))
+     (lambda* (directory #:optional file)
+-- 
+2.36.0
+
diff --git a/gnu/packages/patches/guile-git-test-owner-validation.patch b/gnu/packages/patches/guile-git-test-owner-validation.patch
new file mode 100644
index 0000000000..3ef2fa3557
--- /dev/null
+++ b/gnu/packages/patches/guile-git-test-owner-validation.patch
@@ -0,0 +1,153 @@
+From 4a2a6d3723afc05b93edfe430c7f95abbe6db021 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@HIDDEN>
+Date: Tue, 14 Jun 2022 23:00:07 -0300
+Subject: [PATCH] settings: Add 'owner-validation?'.
+To: guile-git@HIDDEN
+
+* git/settings.scm: (owner-validation?): New procedure.
+* tests/settings.scm: Add owner-validation? tests.
+---
+ Makefile.am        |  1 +
+ git/settings.scm   | 13 ++++++++++++-
+ git/types.scm      | 11 +++++++++++
+ tests/settings.scm | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 69 insertions(+), 1 deletion(-)
+ create mode 100644 tests/settings.scm
+
+diff --git a/Makefile.am b/Makefile.am
+index 0f92d4c..033033d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -95,6 +95,7 @@ TESTS =                                         \
+   tests/remote.scm                              \
+   tests/rev-parse.scm                           \
+   tests/status.scm                              \
++  tests/settings.scm                            \
+   tests/submodule.scm                           \
+   tests/tag.scm                                 \
+   tests/tree.scm
+diff --git a/git/settings.scm b/git/settings.scm
+index 5022945..582f519 100644
+--- a/git/settings.scm
++++ b/git/settings.scm
+@@ -1,6 +1,7 @@
+ ;;; Guile-Git --- GNU Guile bindings of libgit2
+ ;;; Copyright © 2017 Ludovic Courtès <ludo@HIDDEN>
+ ;;; Copyright © 2022 André Batista <nandre@HIDDEN>
++;;; Copyright © 2022 Maxime Devos <maximedevos@HIDDEN>
+ ;;;
+ ;;; This file is part of Guile-Git.
+ ;;;
+@@ -20,7 +21,9 @@
+ (define-module (git settings)
+   #:use-module (system foreign)
+   #:use-module (git bindings)
+-  #:export (set-owner-validation!
++  #:use-module (git types)
++  #:export (owner-validation?
++            set-owner-validation!
+             set-tls-certificate-locations!
+             set-user-agent!))
+ 
+@@ -63,6 +66,14 @@
+ (define GIT_OPT_GET_OWNER_VALIDATION 35)
+ (define GIT_OPT_SET_OWNER_VALIDATION 36)
+ 
++(define owner-validation?
++  (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '*))))
++      (lambda ()
++        "Boolean: Return owner validation setting."
++        (let ((out (make-int-pointer)))
++          (proc GIT_OPT_GET_OWNER_VALIDATION out)
++          (if (equal? (pointer->int out) 0) #f #t)))))
++
+ (define set-owner-validation!
+   (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int int))))
+     (lambda (owner-validation)
+diff --git a/git/types.scm b/git/types.scm
+index 3503ccf..7609a8a 100644
+--- a/git/types.scm
++++ b/git/types.scm
+@@ -46,7 +46,9 @@
+             tree? pointer->tree tree->pointer
+             tree-entry? pointer->tree-entry tree-entry->pointer
+             submodule? pointer->submodule submodule->pointer
++            pointer->int
+             pointer->size_t
++            make-int-pointer
+             make-size_t-pointer
+             make-double-pointer))
+ 
+@@ -102,9 +104,18 @@
+ (define (make-double-pointer)
+   (bytevector->pointer (make-bytevector (sizeof '*))))
+ 
++(define (make-int-pointer)
++  (bytevector->pointer (make-bytevector (sizeof int))))
++
+ (define (make-size_t-pointer)
+   (bytevector->pointer (make-bytevector (sizeof size_t))))
+ 
++(define (pointer->int ptr)
++  (bytevector-sint-ref (pointer->bytevector ptr (sizeof int))
++                       0
++                       (native-endianness)
++                       (sizeof int)))
++
+ (define (pointer->size_t ptr)
+   (bytevector-uint-ref (pointer->bytevector ptr (sizeof size_t))
+                        0
+diff --git a/tests/settings.scm b/tests/settings.scm
+new file mode 100644
+index 0000000..a82c5ca
+--- /dev/null
++++ b/tests/settings.scm
+@@ -0,0 +1,45 @@
++;;; Guile-Git --- GNU Guile bindings of libgit2
++;;; Copyright © 2022 André Batista <nandre@HIDDEN>
++;;;
++;;; This file is part of Guile-Git.
++;;;
++;;; Guile-Git is free software; you can redistribute it and/or modify it
++;;; under the terms of the GNU General Public License as published by
++;;; the Free Software Foundation; either version 3 of the License, or
++;;; (at your option) any later version.
++;;;
++;;; Guile-Git is distributed in the hope that it will be useful, but
++;;; WITHOUT ANY WARRANTY; without even the implied warranty of
++;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++;;; General Public License for more details.
++;;;
++;;; You should have received a copy of the GNU General Public License
++;;; along with Guile-Git.  If not, see <http://www.gnu.org/licenses/>.
++
++(define-module (tests settings)
++  #:use-module (srfi srfi-64))
++
++(use-modules (tests helpers))
++(use-modules (git))
++
++(test-begin "settings")
++
++(libgit2-init!)
++
++(with-repository "simple" directory
++
++  (test-equal "disable owner validation"
++    #f
++    ((lambda ()
++      (set-owner-validation! #f)
++      (owner-validation?))))
++
++  (test-equal "enable owner validation"
++    #t
++    ((lambda ()
++      (set-owner-validation! #t)
++      (owner-validation?)))))
++
++(libgit2-shutdown!)
++
++(test-end)
+-- 
+2.36.0
+
-- 
2.37.1





Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 28 Aug 2022 10:44:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Aug 28 06:44:37 2022
Received: from localhost ([127.0.0.1]:57669 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1oSFmP-0000qC-HL
	for submit <at> debbugs.gnu.org; Sun, 28 Aug 2022 06:44:37 -0400
Received: from michel.telenet-ops.be ([195.130.137.88]:60254)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1oSFmL-0000pz-Rk
 for 55399 <at> debbugs.gnu.org; Sun, 28 Aug 2022 06:44:36 -0400
Received: from [IPV6:2a02:1811:8c09:9d00:5dba:d409:33f7:a16]
 ([IPv6:2a02:1811:8c09:9d00:5dba:d409:33f7:a16])
 by michel.telenet-ops.be with bizsmtp
 id CykW2800A20ykKC06ykXec; Sun, 28 Aug 2022 12:44:31 +0200
Message-ID: <c778d6b6-d93e-a62a-e771-74ac413851bd@HIDDEN>
Date: Sun, 28 Aug 2022 12:44:30 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.12.0
Subject: Re: guix system reconfigure fails on channel validation
Content-Language: en-US
To: =?UTF-8?Q?Andr=c3=a9_Batista?= <nandre@HIDDEN>, 55399 <at> debbugs.gnu.org
References: <Yn53d4GR+kohZh/b@andel>
From: Maxime Devos <maximedevos@HIDDEN>
In-Reply-To: <Yn53d4GR+kohZh/b@andel>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------s0v2m7vpty3ytUrT4iRUyKlx"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22;
 t=1661683472; bh=x/F0BMI1JdwMtjELXciQejhhhouk6zJ117WQ7VS3xzM=;
 h=Date:Subject:To:References:From:In-Reply-To;
 b=h5OJ0N1SyErl4VzhopToc0tz+HAJYr9B/BkVFtLzjYoyPO7psXFBL/B4cbK53RZnS
 R8KY3J/ZWB3Dgc+6x1pD5rLW4aKoQpfnMmjmJTPbOViS9rqG+CN7gvQTMdDx74u1YX
 zgXdG6zYEi1ogA0bMN0MR5vrhpEjTH8T5163NVDYakDMQpfkEft+R50xuU72qEnmYb
 6C7axaUMSn2NbJCBkL8A9y/BSxVZj1ekjrOTEHrX5YVoXB+32+/351JTTKTPw9bMLw
 987zLv97+zsLtWGylvIpF4W9Eznhzzv2ZEQPtVZuKza8wNsWRO5XJUUfNqr0BL4anr
 vmoTBtHKyeSSA==
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 55399
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------s0v2m7vpty3ytUrT4iRUyKlx
Content-Type: multipart/mixed; boundary="------------pgn0JZRaUiqL84AJud0dI2nh";
 protected-headers="v1"
From: Maxime Devos <maximedevos@HIDDEN>
To: =?UTF-8?Q?Andr=c3=a9_Batista?= <nandre@HIDDEN>, 55399 <at> debbugs.gnu.org
Message-ID: <c778d6b6-d93e-a62a-e771-74ac413851bd@HIDDEN>
Subject: Re: guix system reconfigure fails on channel validation
References: <Yn53d4GR+kohZh/b@andel>
In-Reply-To: <Yn53d4GR+kohZh/b@andel>

--------------pgn0JZRaUiqL84AJud0dI2nh
Content-Type: multipart/mixed; boundary="------------K31rjvFfYF3cYsin7JoI8yha"

--------------K31rjvFfYF3cYsin7JoI8yha
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

SSdtIHByZXBhcmluZyBhIF9jb21wbGV0ZV8gc2V0IG9mIHBhdGNoZXMgdG8gR3VpeCB0byBm
aXggdGhpcywgSSdsbCBzZW5kIA0KdGhlbSBvbmNlIHRlc3RlZC4NCg0KR3JlZXRpbmdzLA0K
TWF4aW1lLg0KDQo=
--------------K31rjvFfYF3cYsin7JoI8yha
Content-Type: application/pgp-keys; name="OpenPGP_0x49E3EE22191725EE.asc"
Content-Disposition: attachment; filename="OpenPGP_0x49E3EE22191725EE.asc"
Content-Description: OpenPGP public key
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEX4ch6BYJKwYBBAHaRw8BAQdANPb/d6MrGnGi5HyvODCkBUJPRjiFQcRU5V+m
xvMaAa/NL01heGltZSBEZXZvcyA8bWF4aW1lLmRldm9zQHN0dWRlbnQua3VsZXV2
ZW4uYmU+wpAEExYIADgWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCX4ch6AIbAwUL
CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBJ4+4iGRcl7japAQC3opZ2KGWzWmRc
/gIWSu0AAcfMwyinFEEPa/QhUt2CogD/e2RdF4CYAgaRHJJmZ9WU7piKbLZ7llB4
LzgezVDHggzNJU1heGltZSBEZXZvcyA8bWF4aW1lZGV2b3NAdGVsZW5ldC5iZT7C
kAQTFggAOBYhBMHzPuIMUo/bfdcBH0nj7iIZFyXuBQJf56ycAhsDBQsJCAcDBRUK
CQgLBRYCAwEAAh4BAheAAAoJEEnj7iIZFyXujpQBAKV1SwDDl4f24rXciDlB9L8W
ycZt30CgbewMSRQk4mvbAP9dFMbVVixYBd6C8cfhR+NsOBGiOJnQABlUmgNuqGFJ
Dc44BF+HIegSCisGAQQBl1UBBQEBB0BOlzIWiJzgobMF6/cqwLaLk7jIcFSZ++c0
k9cCNT6YXwMBCAfCeAQYFggAIBYhBMHzPuIMUo/bfdcBH0nj7iIZFyXuBQJfhyHo
AhsMAAoJEEnj7iIZFyXuMr0BAJc8cl5PGvVmVuSQVKjleNl4DK1/XAaPAYPe34AE
fZJPAP9IqLCQhH/FeJanHqBP8gNdGNI2qn8RnnLVfRJgUjZ1BA=3D=3D
=3DOVqp
-----END PGP PUBLIC KEY BLOCK-----

--------------K31rjvFfYF3cYsin7JoI8yha--

--------------pgn0JZRaUiqL84AJud0dI2nh--

--------------s0v2m7vpty3ytUrT4iRUyKlx
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

wnsEABYIACMWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYwtHDgUDAAAAAAAKCRBJ4+4iGRcl7rJc
AQCtFiS2GiRMwxgjv504hlQSRX6TkRI1F8TF9lxI2T9RdgEAvuToYUlg/OrtfaSu3ApdYcZJ7Ee+
M92AH80PyHzSjAE=
=d8hy
-----END PGP SIGNATURE-----

--------------s0v2m7vpty3ytUrT4iRUyKlx--




Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.
Added tag(s) patch. Request was from Maxim Cournoyer <maxim.cournoyer@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 24 May 2022 23:44:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue May 24 19:44:34 2022
Received: from localhost ([127.0.0.1]:53820 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1nteCV-0005mN-Im
	for submit <at> debbugs.gnu.org; Tue, 24 May 2022 19:44:34 -0400
Received: from mx1.riseup.net ([198.252.153.129]:56150)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nandre@HIDDEN>) id 1nteCR-0005m6-FB
 for 55399 <at> debbugs.gnu.org; Tue, 24 May 2022 19:44:30 -0400
Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "mail.riseup.net", Issuer "R3" (not verified))
 by mx1.riseup.net (Postfix) with ESMTPS id 4L79lT5yBBzDqxK;
 Tue, 24 May 2022 16:44:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1653435862; bh=klXF4xU3bm+i0MfXVt77ZPkOziGAGpw83lVNtNnLSG8=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
 b=PggFNkO5W5DTKwqqcSsx+887QRI7g13FADQc3kWfasHs9bQdbdfQYAmCSaVrbmiAI
 teWNqqyA2jf/XeU37BtMh98ou19F3MFsoNjTnvmQ7GLDu2cCDt4SHHjsnxQa3owAJF
 GjDJ89GEsE0Ivd6tCm6tMG4d3g3A5134egaMNH3U=
X-Riseup-User-ID: F07CB6E760F5805AC51D445A715C2E783B74CC52B78ECB9F77561D4EEB36923D
Received: from [127.0.0.1] (localhost [127.0.0.1])
 by fews2.riseup.net (Postfix) with ESMTPSA id 4L79lS4YqRz1yQc;
 Tue, 24 May 2022 16:44:20 -0700 (PDT)
Date: Tue, 24 May 2022 20:44:13 -0300
From: =?iso-8859-1?Q?Andr=E9?= Batista <nandre@HIDDEN>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
Subject: Re: bug#55399: guix system reconfigure fails on channel validation
Message-ID: <Yo1tzQLys4R8aAyA@andel>
References: <Yn53d4GR+kohZh/b@andel>
 <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
 <YoUvHJ24iYDBrO9v@andel> <87a6b85o37.fsf_-_@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="VTQOZ90TQgTRYNmT"
Content-Disposition: inline
In-Reply-To: <87a6b85o37.fsf_-_@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 55399
Cc: 55399 <at> debbugs.gnu.org, Maxime Devos <maximedevos@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--VTQOZ90TQgTRYNmT
Content-Type: multipart/mixed; boundary="tLL1RHzY3GxXA7/F"
Content-Disposition: inline


--tLL1RHzY3GxXA7/F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi again,

seg 23 mai 2022 =E0s 16:18:52 (1653333532), ludo@HIDDEN enviou:
> ...
> (For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
> Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

After upgrading guile-git, the attached patches disables owner
validation and reverts the above commit which made Guix's guile-git
depend on libgit2 1.3 instead of latest.

Cheers!

--tLL1RHzY3GxXA7/F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="guix.git.patch"
Content-Transfer-Encoding: quoted-printable

=46rom f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001
In-Reply-To: <87a6b85o37.fsf_-_@HIDDEN>
References: <87a6b85o37.fsf_-_@HIDDEN>
=46rom: =3D?UTF-8?q?Andr=3DC3=3DA9=3D20Batista?=3D <nandre@HIDDEN>
To: 55399 <at> debbugs.gnu.org
Date: Tue, 24 May 2022 19:38:17 -0300
Subject: [PATCH] guix: Disable owner validation when updating cached checko=
ut

* guix/git.scm (update-cached-checkout): Disable owner validation
checks.
---
 guix/git.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..d5e12188a2 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -4,6 +4,7 @@
 ;;; Copyright =A9 2021 Kyle Meyer <kyle@HIDDEN>
 ;;; Copyright =A9 2021 Marius Bakke <marius@HIDDEN>
 ;;; Copyright =A9 2022 Maxime Devos <maximedevos@HIDDEN>
+;;; Copyright =A9 2022 Andr=E9 Batista <nandre@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 (define-module (guix git)
   #:use-module (git)
   #:use-module (git object)
+  #:use-module (git settings)
   #:use-module (git submodule)
   #:use-module (guix i18n)
   #:use-module (guix base32)
@@ -463,6 +465,8 @@ (define canonical-ref
           (repository    (if cache-exists?
                              (repository-open cache-directory)
                              (clone/swh-fallback url ref cache-directory))=
))
+     ;; Disable owner validation. See <https://issues.guix.gnu.org/55399>.
+     (set-owner-validation! #f)
      ;; Only fetch remote if it has not been cloned just before.
      (when (and cache-exists?
                 (not (reference-available? repository ref)))
--
2.36.0

--tLL1RHzY3GxXA7/F
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="guix.guile.patch"
Content-Transfer-Encoding: quoted-printable

=46rom f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001
In-Reply-To: <87a6b85o37.fsf_-_@HIDDEN>
References: <87a6b85o37.fsf_-_@HIDDEN>
=46rom: =3D?UTF-8?q?Andr=3DC3=3DA9=3D20Batista?=3D <nandre@HIDDEN>
To: 55399 <at> debbugs.gnu.org
Date: Tue, 24 May 2022 19:38:18 -0300
Subject: [PATCH] gnu: guile-git: Use latest libgit2

* gnu/packages/guile.scm (guile-git) [inputs]: Use latest libgit2.
Reverts commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab.
---
 gnu/packages/guile.scm | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index a9e04cb476..138fb4d6bc 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -833,9 +833,7 @@ (define-public guile-git
     (native-inputs
      (list pkg-config autoconf automake texinfo guile-3.0 guile-bytestruct=
ures))
     (inputs
-     ;; libgit2@HIDDEN =E2=80=98fixed=E2=80=99 a git CVE it never shared, b=
reaking Guix.  Use
-     ;; 1.3 for now; see <https://issues.guix.gnu.org/55399> for alternati=
ves.
-     (list guile-3.0 libgit2-1.3))
+     (list guile-3.0 libgit2))
     (propagated-inputs
      (list guile-bytestructures))
     (synopsis "Guile bindings for libgit2")

--tLL1RHzY3GxXA7/F--

--VTQOZ90TQgTRYNmT
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQG5BAABCgAjFiEEXo3OJhMk/jL9rLM1Nj97Uq5OMvYFAmKNbcsFgwPCZwAACgkQ
Nj97Uq5OMvb0AQv9HGwqf48upFCiCc0W+Ag9eQ1pceB4Lkl9GxLNJRoc9bfb3Wch
kAKKuBlyDzn5Tp/WwQtKcNoR0X6OEel2lNsM6NLoJdlxMN0QDU674Tnt16r5BZfD
Oam2s9vSdf+C99nrFxwAXd1Jqi5vLLfXNIcA9bArRgF8CnooOX8VWYbPvtTaqxNN
Z0i1XE5qtOtX+Jx3pwmF1Ve/dx5xP1+JZ11b9RqGWv+is9AbexBLl8WNna3KC/qL
shFAwCMiCSLgBfPhzhNolBdvrVeBkWkLGF+6L5WsGLiK3McBpv58UI9jJTTnETG0
EeNtzlBFMzyJUU2K8THdyoFTNclehZ0xI1W+DqzpcLdjz9c2Uy/4NvCtOJGYBXyy
g7YkZtYbsIYvx0LcG1ntcpDuNB7PaqovprTOYGUF9ntbrpCAOvIkebIVQRAcHOQt
lcijp4KWv+ZPt8dVDbPZ87Z7QAuAj64K2rpJlz+2y0HfuYPWTLXpaCz4LUqiWU88
LGX9yqQ6QXMXME9Z
=Or2r
-----END PGP SIGNATURE-----

--VTQOZ90TQgTRYNmT--




Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 24 May 2022 01:44:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 23 21:44:48 2022
Received: from localhost ([127.0.0.1]:50515 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ntJbM-000295-8A
	for submit <at> debbugs.gnu.org; Mon, 23 May 2022 21:44:48 -0400
Received: from mx1.riseup.net ([198.252.153.129]:58898)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nandre@HIDDEN>) id 1ntJbI-00028n-TB
 for 55399 <at> debbugs.gnu.org; Mon, 23 May 2022 21:44:47 -0400
Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "mail.riseup.net", Issuer "R3" (not verified))
 by mx1.riseup.net (Postfix) with ESMTPS id 4L6cSg5X0LzDqdj;
 Mon, 23 May 2022 18:44:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1653356679; bh=XSQr7Ps4rHrxNSV4/lfDjwdtNZegrOd8wPT1trdiIF8=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
 b=WPl4vha2Diay1mDzRBfVAsdDs8J/9MtbdIY7CCFlt3iUfx19qEwqyKxBGbAooz8FH
 F/M2OljCzurn/dMunnVBrdG2E5VxWc5SBB1HrFTn/Wlz6OyrFjRokUK5u3X+9LBM6a
 vGB0WSnuUJFEqx1As2vUuP5uUn/Ap8joqHJmOvww=
X-Riseup-User-ID: 6FAE4BDD7BD4E33388CF21EFF286DFE3DE2A36625E494BA65300CE8B5B01A1C5
Received: from [127.0.0.1] (localhost [127.0.0.1])
 by fews2.riseup.net (Postfix) with ESMTPSA id 4L6cSf5Dnqz1yQc;
 Mon, 23 May 2022 18:44:34 -0700 (PDT)
Date: Mon, 23 May 2022 22:44:23 -0300
From: =?iso-8859-1?Q?Andr=E9?= Batista <nandre@HIDDEN>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
Subject: Re: bug#55399: guix system reconfigure fails on channel validation
Message-ID: <Yow4dwnY1SdpL3qm@andel>
References: <Yn53d4GR+kohZh/b@andel>
 <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
 <YoUvHJ24iYDBrO9v@andel> <87a6b85o37.fsf_-_@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87a6b85o37.fsf_-_@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 55399
Cc: 55399 <at> debbugs.gnu.org, Maxime Devos <maximedevos@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Hi!

seg 23 mai 2022 s 16:18:52 (1653333532), ludo@HIDDEN enviou:
> Yes please!  You pretty much already have the code, so we could put
> together a new Guile-Git release instead of carrying these modifications
> in Guix proper.

Done! Issue 26.

https://gitlab.com/guile-git/guile-git/-/issues/26






Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.
Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Changed bug title to 'libgit2 1.4.3 directory owner validation breaks Guix' from 'guix system reconfigure fails on channel validation' Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 23 May 2022 14:19:05 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 23 10:19:05 2022
Received: from localhost ([127.0.0.1]:49910 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1nt8tk-0000sk-VC
	for submit <at> debbugs.gnu.org; Mon, 23 May 2022 10:19:05 -0400
Received: from eggs.gnu.org ([209.51.188.92]:50284)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1nt8th-0000sB-CV
 for 55399 <at> debbugs.gnu.org; Mon, 23 May 2022 10:19:04 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:34906)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1nt8tb-0000TE-9u; Mon, 23 May 2022 10:18:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:In-Reply-To:Date:References:Subject:To:
 From; bh=T+JmCtPsjXVRZbsiaA9yaG/N1UzLZKm1lLqQicTqQVA=; b=JugF7Byc6CQ8Z/jv9w06
 nwpGshFHKx49oyYPTv5fQyq/il3aRiVJGN36zkbdGZFfK0Ry/VCpCGBAeXEfLtSjuDj2aAmDCAjjI
 d2z37/mdki+BBPMKuOm2byks66XhHgZHWyEzBZANkaC3Pvooq9uHkHfeYeyaZqS0vLP/T+Ntn2SWP
 srMHVsRkUjggy0UnMprRzsJzdKx7Rot/5/uSco8PrG+oO+HynnccairYXi+ELLBupX3z28dhSsEVc
 pmpV5YbgyHWdEXDfl1Wg/DvOMNIsB/Gt/Px5MilOgid+BGUuNeFYY4OIEslVXsSf4AQ5J3BrTQJbg
 xutV8SwGxcI8XQ==;
Received: from [193.50.110.143] (port=39852 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1nt8ta-0001Yq-TJ; Mon, 23 May 2022 10:18:55 -0400
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: =?utf-8?Q?Andr=C3=A9?= Batista <nandre@HIDDEN>
Subject: Re: bug#55399: guix system reconfigure fails on channel validation
References: <Yn53d4GR+kohZh/b@andel>
 <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
 <YoUvHJ24iYDBrO9v@andel>
Date: Mon, 23 May 2022 16:18:52 +0200
In-Reply-To: <YoUvHJ24iYDBrO9v@andel> (=?utf-8?Q?=22Andr=C3=A9?= Batista"'s
 message of "Wed, 18 May 2022 14:38:36 -0300")
Message-ID: <87a6b85o37.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 55399
Cc: 55399 <at> debbugs.gnu.org, Maxime Devos <maximedevos@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi Andr=C3=A9,

Andr=C3=A9 Batista <nandre@HIDDEN> skribis:

> Anyway, the proper think to do is to update guile-git, so I'll be
> opening an issue there.

Yes please!  You pretty much already have the code, so we could put
together a new Guile-Git release instead of carrying these modifications
in Guix proper.

(For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

Thanks!

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 18 May 2022 17:38:56 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed May 18 13:38:56 2022
Received: from localhost ([127.0.0.1]:33436 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1nrNdQ-0005Pf-75
	for submit <at> debbugs.gnu.org; Wed, 18 May 2022 13:38:56 -0400
Received: from mx0.riseup.net ([198.252.153.6]:34478)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nandre@HIDDEN>) id 1nrNdN-0005PN-No
 for 55399 <at> debbugs.gnu.org; Wed, 18 May 2022 13:38:54 -0400
Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "mail.riseup.net", Issuer "R3" (not verified))
 by mx0.riseup.net (Postfix) with ESMTPS id 4L3KwR61yvz9s7d;
 Wed, 18 May 2022 10:38:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1652895527; bh=fSs5/fwayNjAHvWegiXT7W2GPI3W/VykORODsKHsfuw=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
 b=AgqJUJj2LW8jqZirSFlXeo82OYOIQb+mRwbWUjje1wO6OQU40hP7LP+oUTF+Ngeqv
 E/dej6v6zQcvJoL28ZmKp85yqc/oeMmPsxSC5EiorExsfAwMirLEStzujFOueEZjII
 zrsSQoMDm5RWbVgyaJAZsbrJJGnJ97Up+zmmFsEk=
X-Riseup-User-ID: 002575DF375A5763B8CA8BF8DC280711774570187A6E4E21A089A840382E0E5F
Received: from [127.0.0.1] (localhost [127.0.0.1])
 by fews2.riseup.net (Postfix) with ESMTPSA id 4L3KwQ5Q91z1xph;
 Wed, 18 May 2022 10:38:46 -0700 (PDT)
Date: Wed, 18 May 2022 14:38:36 -0300
From: =?iso-8859-1?Q?Andr=E9?= Batista <nandre@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>
Subject: Re: bug#55399: Temporary fix
Message-ID: <YoUvHJ24iYDBrO9v@andel>
References: <Yn53d4GR+kohZh/b@andel>
 <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BW/eXf9dR20dld1M"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 55399
Cc: 55399 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--BW/eXf9dR20dld1M
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Hi Maxime!

sex 13 mai 2022 s 17:28:29 (1652473709), maximedevos@HIDDEN enviou:
> Andr Batista schreef op vr 13-05-2022 om 12:21 [-0300]:
> > Any thoughts?
> 
> According to
> <https://github.com/libgit2/libgit2/pull/6267/commits/574b5ee7bb112987443916cdedcfc8e274121e9d>,
>  the ownership check can be relaxed by setting an option.  The guile-
> git library would need to be adjusted to support the option though.

Thanks for your pointers. I've only had a substitute* hammer and this
certainly seemed like a loose nail, so I've hammered my way through.

The patch bellow addresses the issue on guix side only and it was
applied/tested locally before b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab
So this later commit would need to be reverted, otherwise guix will
not use the new libgit2 v1.4.3 anyway.

Anyway, the proper think to do is to update guile-git, so I'll be
opening an issue there.

Happy hacking!



--BW/eXf9dR20dld1M
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename="guile-git.patch"

From 370bf9bec714747244da00a7fd793da04c49c523 Mon Sep 17 00:00:00 2001
In-Reply-To: <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
References: <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@HIDDEN>
Date: Tue, 17 May 2022 19:18:49 -0300
Subject: [PATCH] guix/git: Disable owner validation when updating cache.
To: 55399 <at> debbugs.gnu.org
Cc: maximedevos@HIDDEN

---
 gnu/packages/guile.scm | 40 +++++++++++++++++++++++++++++++++++++++-
 guix/git.scm           |  3 +++
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 9d58c8d4cd..b120f3eefe 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -816,6 +816,44 @@ (define-public guile-git
               (sha256
                (base32
                 "11a51acibwi2hpaygmrpn6nwbr4lqalc87ihrgj3mhz6swbsk9n7"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  (substitute* "git/settings.scm"
+                    (("set-user-agent!))")
+                     (string-append "set-user-agent!\n"
+                                    "            set-owner-validation!))"))
+                    (("GIT_OPT_ENABLE_STRICT_OBJECT_CREATION 14)" m)
+                     (string-append m "\n" "(define GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION 15)"))
+
+                    (("(GIT_OPT_SET_SSL_CIPHERS).*" _ m)
+                     (string-append m " 16)\n"))
+
+                    (("(GIT_OPT_GET_USER_AGENT).*" _ m)
+                     (string-append m " 17)\n"
+                       "(define GIT_OPT_ENABLE_OFS_DELTA 18)\n"
+                       "(define GIT_OPT_ENABLE_FSYNC_GITDIR 19)\n"
+                       "(define GIT_OPT_GET_WINDOWS_SHAREMODE 20)\n"
+                       "(define GIT_OPT_SET_WINDOWS_SHAREMODE 21)\n"
+                       "(define GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION 22)\n"
+                       "(define GIT_OPT_SET_ALLOCATOR 23)\n"
+                       "(define GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY 24)\n"
+                       "(define GIT_OPT_GET_PACK_MAX_OBJECTS 25)\n"
+                       "(define GIT_OPT_SET_PACK_MAX_OBJECTS 26)\n"
+                       "(define GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS 27)\n"
+                       "(define GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE 28)\n"
+                       "(define GIT_OPT_GET_MWINDOW_FILE_LIMIT 29)\n"
+                       "(define GIT_OPT_SET_MWINDOW_FILE_LIMIT 30)\n"
+                       "(define GIT_OPT_SET_ODB_PACKED_PRIORITY 31)\n"
+                       "(define GIT_OPT_SET_ODB_LOOSE_PRIORITY 32)\n"
+                       "(define GIT_OPT_GET_EXTENSIONS 33)\n"
+                       "(define GIT_OPT_SET_EXTENSIONS 34)\n"
+                       "(define GIT_OPT_GET_OWNER_VALIDATION 35)\n"
+                       "(define GIT_OPT_SET_OWNER_VALIDATION 36)\n\n"
+                       "(define set-owner-validation!\n"
+                       "  (let  ((proc (libgit2->procedure* \"git_libgit2_opts\" (list int int))))\n"
+                       "    (lambda* (owner-validation)\n"
+                       "     (proc GIT_OPT_SET_OWNER_VALIDATION owner-validation))))\n")))))
               (patches (search-patches
                         "guile-git-adjust-for-libgit2-1.2.0.patch"))))
     (build-system gnu-build-system)
diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..ced6a9c62c 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -23,6 +23,7 @@
 (define-module (guix git)
   #:use-module (git)
   #:use-module (git object)
+  #:use-module (git settings)
   #:use-module (git submodule)
   #:use-module (guix i18n)
   #:use-module (guix base32)
@@ -463,6 +464,8 @@ (define canonical-ref
           (repository    (if cache-exists?
                              (repository-open cache-directory)
                              (clone/swh-fallback url ref cache-directory))))
+     ;; Disable owner validation for local repos see #55399
+     (set-owner-validation! 0)
      ;; Only fetch remote if it has not been cloned just before.
      (when (and cache-exists?
                 (not (reference-available? repository ref)))

--BW/eXf9dR20dld1M--




Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 13 May 2022 15:28:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 13 11:28:32 2022
Received: from localhost ([127.0.0.1]:44640 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1npXDU-0002sU-8z
	for submit <at> debbugs.gnu.org; Fri, 13 May 2022 11:28:32 -0400
Received: from xavier.telenet-ops.be ([195.130.132.52]:42970)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1npXDS-0002sI-Fr
 for 55399 <at> debbugs.gnu.org; Fri, 13 May 2022 11:28:30 -0400
Received: from ptr-bvsjgyhxw7psv60dyze.18120a2.ip6.access.telenet.be
 ([IPv6:2a02:1811:8c09:9d00:3c5f:2eff:feb0:ba5a])
 by xavier.telenet-ops.be with bizsmtp
 id WFUV2700J4UW6Th01FUVXQ; Fri, 13 May 2022 17:28:29 +0200
Message-ID: <c5a0381129feb0a20c4642ca97409e967471a537.camel@HIDDEN>
Subject: Re: bug#55399: guix system reconfigure fails on channel validation
From: Maxime Devos <maximedevos@HIDDEN>
To: =?ISO-8859-1?Q?Andr=E9?= Batista <nandre@HIDDEN>, 
 55399 <at> debbugs.gnu.org
Date: Fri, 13 May 2022 17:28:29 +0200
In-Reply-To: <Yn53d4GR+kohZh/b@andel>
References: <Yn53d4GR+kohZh/b@andel>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-A8/gSho3tij3TOCPSWT7"
User-Agent: Evolution 3.38.3-1 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22;
 t=1652455709; bh=6D4REXBID5X3x4CeWpE84/cJcITsTtguEKHnrG5RWNc=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=Usv4OKG7Rw+q8bacH/+D9FFGPd9Z65gTX4eWVtvDulUAqSquIb+q9RofOsMe/4wFf
 OlS+IOXtFgBgdIkChy6nnZOqo7QeeMlBGfXzqv9gnTp7ueYPST/4NImILyNey25uqg
 sW9KklX/S07+/iOCO8pfED8SS0sxONP31ZFHzifyMCX0J3jY56EPIOGS+TcJ9zw2nA
 P3e1oyBlUJAWrPKDGCUtTRlJfSI/vBn8VXsp1KhZTW9f2Et7ZQq67KEhJMvmEw8MeS
 T7CmT+xiTnbjRGe0Q9ureYIL8ajmBY34bHKTwqQKJWv7eaTfiSV2XmKsETu1p2mPty
 CR3FrxM4rdrlg==
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 55399
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--=-A8/gSho3tij3TOCPSWT7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Andr=C3=A9 Batista schreef op vr 13-05-2022 om 12:21 [-0300]:
> Any thoughts?

According to
<https://github.com/libgit2/libgit2/pull/6267/commits/574b5ee7bb11298744391=
6cdedcfc8e274121e9d>,
 the ownership check can be relaxed by setting an option.  The guile-
git library would need to be adjusted to support the option though.

Greetings,
Maxime.

--=-A8/gSho3tij3TOCPSWT7
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYn55HRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7sCyAQDfwyWmtyToJRDlZV70quA6O2XJ
q55xtkI/mmttol638gEAr8O7Qb6uM7vbIM0oSQRHJgNiJVKatgfUAHipcnWC3Ak=
=Fxlz
-----END PGP SIGNATURE-----

--=-A8/gSho3tij3TOCPSWT7--





Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at 55399 <at> debbugs.gnu.org:


Received: (at 55399) by debbugs.gnu.org; 13 May 2022 15:26:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 13 11:26:08 2022
Received: from localhost ([127.0.0.1]:44633 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1npXB9-0002n8-UK
	for submit <at> debbugs.gnu.org; Fri, 13 May 2022 11:26:08 -0400
Received: from xavier.telenet-ops.be ([195.130.132.52]:39514)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1npXB8-0002mz-Gl
 for 55399 <at> debbugs.gnu.org; Fri, 13 May 2022 11:26:06 -0400
Received: from ptr-bvsjgyhxw7psv60dyze.18120a2.ip6.access.telenet.be
 ([IPv6:2a02:1811:8c09:9d00:3c5f:2eff:feb0:ba5a])
 by xavier.telenet-ops.be with bizsmtp
 id WFS42700H4UW6Th01FS47t; Fri, 13 May 2022 17:26:05 +0200
Message-ID: <1f9a73621562c5fe96a0d254aef893f95ab33ff0.camel@HIDDEN>
Subject: Re: bug#55399: guix system reconfigure fails on channel validation
From: Maxime Devos <maximedevos@HIDDEN>
To: =?ISO-8859-1?Q?Andr=E9?= Batista <nandre@HIDDEN>, 
 55399 <at> debbugs.gnu.org
Date: Fri, 13 May 2022 17:26:04 +0200
In-Reply-To: <Yn53d4GR+kohZh/b@andel>
References: <Yn53d4GR+kohZh/b@andel>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-039nLV/U5R2BaD5o8stT"
User-Agent: Evolution 3.38.3-1 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r22;
 t=1652455565; bh=r4KJmDLzooWn7y2oKdj6Gsg98yNLmvEYTGtvjlI+Lg4=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=bgzD8yHjdzZu+fu25xsZDCrKMeutsaVtMVmnIsTUsOGvMTtBUXalEh2jC/XR0BoxS
 rEMD/ynzc0fXY18oS1CEIHVbx/LCTjTyiKj9mAKnwKRrTevPpzUi/PkfPB4T0XzsT2
 aKI8eVilXaUrhY9dSu6Rw2oYhixft5+U9rr6OKNxZKys3/x2feVGvb+YCB3kBG/rNZ
 o2JmhfTL06I+H2b3vWK0gZ9qbNzVn8urKLssBOhc2Epw1YVFww0rnuEPbTk2nwZCyb
 97VlpSlWA+t1CM+prxmtwi38+dThPr/mVcw5D3KKuyqTLLYummj4tG2EvKpXoGNG3b
 KVwQfRkyAk6jw==
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 55399
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--=-039nLV/U5R2BaD5o8stT
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Andr=C3=A9 Batista schreef op vr 13-05-2022 om 12:21 [-0300]:
> Any thoughts?

For now, let 'guile-git' use the libgit2-1.3 variant, look into
relaxing the =E2=80=98is owned by=E2=80=99 check later?

Greetings,
Maxime

--=-039nLV/U5R2BaD5o8stT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYn54jBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7m4iAPoCZrJ2G9KOnpQMrRr0NRkW6KMp
d8HjPHGZlNWtk466eQD/ZG3OedO6KSPKmWu7im29bg1CI4Ntuo3DfL3YkwHakAo=
=VcFh
-----END PGP SIGNATURE-----

--=-039nLV/U5R2BaD5o8stT--





Information forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 13 May 2022 15:21:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 13 11:21:48 2022
Received: from localhost ([127.0.0.1]:44603 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1npX6x-0002bw-RA
	for submit <at> debbugs.gnu.org; Fri, 13 May 2022 11:21:48 -0400
Received: from lists.gnu.org ([209.51.188.17]:54204)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nandre@HIDDEN>) id 1npX6w-0002bp-6z
 for submit <at> debbugs.gnu.org; Fri, 13 May 2022 11:21:46 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:40810)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <nandre@HIDDEN>) id 1npX6w-00011H-26
 for bug-guix@HIDDEN; Fri, 13 May 2022 11:21:46 -0400
Received: from mx0.riseup.net ([198.252.153.6]:55370)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <nandre@HIDDEN>) id 1npX6t-0004kl-MD
 for bug-guix@HIDDEN; Fri, 13 May 2022 11:21:45 -0400
Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "mail.riseup.net", Issuer "R3" (not verified))
 by mx0.riseup.net (Postfix) with ESMTPS id 4L0C6X3PV8z9s7f
 for <bug-guix@HIDDEN>; Fri, 13 May 2022 08:21:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1652455300; bh=TMxbG2DvezrP8tFrRmR+pKDZpr+J8ZsAWihxQwEL6bE=;
 h=Date:From:To:Subject:From;
 b=YMf2cmxgV4RGFYTOunOe+nHWOG7piyvQDN/AK0tseiVCMzyfE2ZMCbhuhv5bd+v1e
 SXxA1DUbEymsD8qLE8usnjLK7XGs+j7cMwVQM9237MqBJLQWAJUVRaIJNrmC38fNjd
 NfegQob1J2JET9fEs3gmMvjdX4hGgZtbwk+hpdyI=
X-Riseup-User-ID: A422B65AA728CA59D5DC920278E4FA4F43FAD4E46B87EAC9E1140F38A1AE7074
Received: from [127.0.0.1] (localhost [127.0.0.1])
 by fews2.riseup.net (Postfix) with ESMTPSA id 4L0C6V5dk9z1yBZ
 for <bug-guix@HIDDEN>; Fri, 13 May 2022 08:21:38 -0700 (PDT)
Date: Fri, 13 May 2022 12:21:27 -0300
From: =?iso-8859-1?Q?Andr=E9?= Batista <nandre@HIDDEN>
To: bug-guix@HIDDEN
Subject: guix system reconfigure fails on channel validation
Message-ID: <Yn53d4GR+kohZh/b@andel>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Received-SPF: pass client-ip=198.252.153.6; envelope-from=nandre@HIDDEN;
 helo=mx0.riseup.net
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

Hello Guix!

Recently, I've not been able to reconfigure some of my guix systems
because guix fails to forward validate the commits in between the
current system deployment and the newer one. This appears to be
related to the new libgit2 version 1.4.3[1][2], which addressed CVE
2022-24765, since there was no change to the related guix routines
on the time lapse since the last deploy.

This is the error I'm getting:

$ sudo guix system --fallback -c 3 -M 3  reconfigure myconfig.scm
Backtrace:
          19 (primitive-load "/home/user/.config/guix/current/bin/g?")
In guix/ui.scm:
   2230:7 18 (run-guix . _)
  2193:10 17 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1752:10 16 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
    829:3 15 (_)
    809:4 14 (call-with-status-report _ _)
In guix/scripts/system.scm:
   1253:4 13 (_)
In ice-9/boot-9.scm:
  1752:10 12 (with-exception-handler _ _ #:unwind? _ # _)
In guix/store.scm:
   658:37 11 (thunk)
   1320:8 10 (call-with-build-handler #<procedure b445f18 at guix/u?> ?)
  2129:25  9 (run-with-store #<store-connection 256.99 b0934d8> _ # _ ?)
In guix/scripts/system.scm:
  1277:15  8 (_ _)
    819:5  7 (perform-action reconfigure #<<image> name: #f format:?> ?)
In guix/scripts/system/reconfigure.scm:
    345:3  6 (check-forward-update _ #:current-channels _)
In srfi/srfi-1.scm:
   691:23  5 (filter-map #<procedure ba4c460 at guix/scripts/syst?> . #)
In guix/scripts/system/reconfigure.scm:
   352:37  4 (_ #<<channel> name: guix url: "/src/guix.git" branch: ?>)
In guix/git.scm:
    469:7  3 (update-cached-checkout _ #:ref _ #:recursive? _ # _ # _ ?)
In git/bindings.scm:
     77:2  2 (raise-git-error _)
In ice-9/boot-9.scm:
  1685:16  1 (raise-exception _ #:continuable? _)
  1685:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
Git error: repository path '/src/guix.git/' is not owned by current user


-----

And these are the commits being compared:

$ guix system describe
Generation 214  May 06 2022 22:47:43    (current)
  file name: /var/guix/profiles/system-214-link
  canonical file name: /gnu/store/b0wrzz8sxqi9hywpqz29cm73l9adxjy9-system
  label: GNU with Linux-Libre-Atom 5.17.5
  bootloader: grub
  root device: label: "rootfs"
  kernel: /gnu/store/xmdskyk85sypr4wgf5iwg5iid08l4aiq-linux-libre-atom-5.17.5/bzImage
  channels:
    guix:
      repository URL: /src/guix.git
      branch: master
      commit: ee70ed5bf50e781a6a43985211aa763e28db62b9
  configuration file: /gnu/store/g653hksfz0iwnbpynaq2mx4nv7ayb7r7-configuration.scm


$ guix describe
Generation 200  May 12 2022 13:48:01    (current)
  guix a1cb645
    repository URL: /src/guix.git
    branch: master
    commit: a1cb645d83d085382eaf64f4c097642aa47c297a

Any thoughts?

1. https://github.com/libgit2/libgit2/blob/v1.4.3/docs/changelog.md
2. https://github.com/libgit2/libgit2/commit/0cc4a70db0942f65528f4877be14a6a987fe3c64
3. https://github.blog/2022-04-12-git-security-vulnerability-announced/




Acknowledgement sent to André Batista <nandre@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#55399; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Sun, 30 Oct 2022 16:00:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.