Package: guix
Reported by: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
Date: Tue, 14 Mar 2023 06:07:01 UTC
Severity: normal
Tags: patch
To reply to this bug, email your comments to 62177 AT debbugs.gnu.org.
Message #5 received at submit <at> debbugs.gnu.org:
From: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
To: bug-guix <at> gnu.org
Subject: [PATCH] [WIP] update node to version 16
Date: Tue, 14 Mar 2023 07:02:14 +0100
Hi, this is an initial stab at getting node to version 16. It is far from perfect, but I hope it gives someone a good starting point to move forward. The llhttp bootstrap fixes are currently commented out — I’m not sure what these should be doing and how they interact with node — so this cannot be merged as is.
[0001-WIP-try-to-update-node-to-16.19.0.patch (text/x-patch, inline)]
From 14d58ab181c9087420a5f955d28d72cb086884fc Mon Sep 17 00:00:00 2001 From: Arne Babenhauserheide <arne_bab <at> web.de> Date: Sat, 28 Jan 2023 20:45:16 +0100 Subject: [PATCH] WIP try to update node to 16.19.0 --- gnu/packages/node.scm | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index be39f3b25a..34d13d849c 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -668,7 +668,7 @@ (define-public node-llparse-bootstrap (define-public llhttp-bootstrap (package (name "llhttp") - (version "2.1.4") + (version "8.1.0") (source (origin (method git-fetch) (uri (git-reference @@ -677,7 +677,7 @@ (define-public llhttp-bootstrap (file-name (git-file-name name version)) (sha256 (base32 - "115mwyds9655p76lhglxg2blc1ksgrix6zhigaxnc2q6syy3pa6x")) + "1cq3q3jybibppjhhiymdfmnqgbvn77j7b4ks7lil0lrc3vnnp87f")) (patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch")) (modules '((guix build utils))) (snippet @@ -738,14 +738,14 @@ (define-public llhttp-bootstrap (define-public node-lts (package (inherit node) - (version "14.19.3") + (version "16.19.0") (source (origin (method url-fetch) (uri (string-append "https://nodejs.org/dist/v" version "/node-v" version ".tar.xz")) (sha256 (base32 - "15691j5zhiikyamiwwd7f282g6d9acfhq91nrwx54xya38gmpx2w")) + "01k72p0hp4lhlpz1syd9cbkm2gpfww0hn10xdpmzd4i3x8dfq7sg")) (modules '((guix build utils))) (snippet `(begin 
@@ -808,9 +808,12 @@ (define-public node-lts ;; FIXME: These tests fail in the build container, but they don't ;; seem to be indicative of real problems in practice. (for-each delete-file - '("test/parallel/test-cluster-master-error.js" - "test/parallel/test-cluster-master-kill.js")) + '("test/parallel/test-cluster-primary-error.js" + "test/parallel/test-cluster-primary-kill.js")) + ;; requires /bin/sh + (delete-file "test/parallel/test-stdin-from-file-spawn.js") + ;; These require a DNS resolver. (for-each delete-file '("test/parallel/test-dns.js" @@ -818,8 +821,7 @@ (define-public node-lts ;; These tests require networking. (for-each delete-file - '("test/parallel/test-https-agent-unref-socket.js" - "test/parallel/test-corepack-yarn-install.js")) + '("test/parallel/test-https-agent-unref-socket.js")) ;; This test is timing-sensitive, and fails sporadically on ;; slow, busy, or even very fast machines. 
@@ -847,21 +849,21 @@ (define-public node-lts ;; TLS certificates that are bundled with the source. We want this ;; package to be reproducible forever, so remove those. ;; TODO: Regenerate certs instead. - (for-each delete-file + (for-each (λ(x)(display x)(delete-file x)) '("test/parallel/test-tls-passphrase.js" "test/parallel/test-tls-server-verify.js")))) (add-after 'delete-problematic-tests 'replace-llhttp-sources - (lambda* (#:key inputs #:allow-other-keys) + (lambda* (#:key inputs #:allow-other-keys) #f)))))) ;; Replace pre-generated llhttp sources - (let ((llhttp (assoc-ref inputs "llhttp"))) - (copy-file (string-append llhttp "/src/llhttp.c") - "deps/llhttp/src/llhttp.c") - (copy-file (string-append llhttp "/src/api.c") - "deps/llhttp/src/api.c") - (copy-file (string-append llhttp "/src/http.c") - "deps/llhttp/src/http.c") - (copy-file (string-append llhttp "/include/llhttp.h") - "deps/llhttp/include/llhttp.h")))))))) + ;;(let ((llhttp (assoc-ref inputs "llhttp"))) + ;; (copy-file (string-append llhttp "/src/llhttp.c") + ;; "deps/llhttp/src/llhttp.c") + ;; (copy-file (string-append llhttp "/src/api.c") + ;; "deps/llhttp/src/api.c") + ;; (copy-file (string-append llhttp "/src/http.c") + ;; "deps/llhttp/src/http.c") + ;; (copy-file (string-append llhttp "/include/llhttp.h") + ;; "deps/llhttp/include/llhttp.h")))))))) (native-inputs (list ;; Runtime dependencies for binaries used as a bootstrap. c-ares-for-node -- 2.39.2
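Review bot: In the `llhttp-bootstrap` origin (hunk at -677), the version and hash move to 8.1.0 while the context line `(patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch"))` stays, so this commit on its own still applies a patch that was carried for the 2.1.4 source. Drop the `patches` field in this same commit (the follow-up patch in this message removes it) so that every commit in the series builds and can be bisected.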
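Review bot: In the hunk at -808, the new `(delete-file "test/parallel/test-stdin-from-file-spawn.js")` is explained only by `;; requires /bin/sh`, which does not match the full-sentence comments around it ("These require a DNS resolver."). Write it as a sentence, and consider substituting the shell path inside the test instead of deleting it, so the test keeps running in the build container.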
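Review bot: In the networking list (hunk at -818), `test/parallel/test-corepack-yarn-install.js` is dropped from the files to delete without any explanation. If the file does not exist in the 16.19.0 tarball, say so in the commit message; if it does exist, it now stays in the test run although the comment above the list says these tests require networking.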
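Review bot: In the hunk at -847, the `replace-llhttp-sources` phase is reduced to `(lambda* (#:key inputs #:allow-other-keys) #f)` with the four `copy-file` calls commented out, so node is built from the pre-generated `deps/llhttp` files in the tarball, which the phase comment says should be replaced. Either restore the copies from an `llhttp` input whose version matches the llhttp that node 16.19.0 bundles, or remove the phase together with the commented-out block, and document which one was chosen. The `(λ(x)(display x)(delete-file x))` in the same hunk looks like leftover debugging output; revert it to plain `delete-file`.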
Updating llhttp also needs the CVE-2020-8287 patch to be removed (it is fixed upstream).
[0001-gnu-do-not-patch-llhttp-bootstrap-CVE-2020-8287-is-f.patch (text/x-patch, inline)]
From 4e9e7905a9a8792b164e96aa31e0dcf3945283d2 Mon Sep 17 00:00:00 2001 From: Arne Babenhauserheide <arne_bab <at> web.de> Date: Tue, 14 Mar 2023 06:48:38 +0100 Subject: [PATCH] gnu: do not patch llhttp-bootstrap: CVE-2020-8287 is fixed in node 16 upstream. --- gnu/local.mk | 1 - gnu/packages/node.scm | 1 - .../llhttp-bootstrap-CVE-2020-8287.patch | 100 ------------------ 3 files changed, 102 deletions(-) delete mode 100644 gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch diff --git a/gnu/local.mk b/gnu/local.mk index 403c5f483e..0efa292322 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1492,7 +1492,6 @@ dist_patch_DATA = \ %D%/packages/patches/linuxdcpp-openssl-1.1.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-reproducible-build.patch \ - %D%/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch \ %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch \ %D%/packages/patches/llvm-3.6-fix-build-with-gcc-10.patch \ %D%/packages/patches/llvm-3.x.1-fix-build-with-gcc.patch \ diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index 34d13d849c..774c0b3ae8 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -678,7 +678,6 @@ (define-public llhttp-bootstrap (sha256 (base32 "1cq3q3jybibppjhhiymdfmnqgbvn77j7b4ks7lil0lrc3vnnp87f")) - (patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch deleted file mode 100644 index 215c920e53..0000000000 --- a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -This patch comes from upstream. It corresponds to a patch applied to -the generated C source code for llhttp included in Node.js 14.16.0 -(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a). That commit -fixes CVE-2020-8287. With this patch, the output of our -llhttp-bootstrap package matches the files included in Node.js 14.16.0 -exactly. - -commit e9b36ea64709c35ca66094d5cf3787f444029601 -Author: Fedor Indutny <fedor <at> indutny.com> -Date: Sat Oct 10 19:56:01 2020 -0700 - - http: unset `F_CHUNKED` on new `Transfer-Encoding` - - Duplicate `Transfer-Encoding` header should be a treated as a single, - but with original header values concatenated with a comma separator. In - the light of this, even if the past `Transfer-Encoding` ended with - `chunked`, we should be not let the `F_CHUNKED` to leak into the next - header, because mere presence of another header indicates that `chunked` - is not the last transfer-encoding token. - -diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts -index f4f1a6e..0a0c365 100644 ---- a/src/llhttp/http.ts -+++ b/src/llhttp/http.ts -@@ -460,11 +460,19 @@ export class HTTP { - .match([ ' ', '\t' ], n('header_value_discard_ws')) - .otherwise(checkContentLengthEmptiness); - -+ // Multiple `Transfer-Encoding` headers should be treated as one, but with -+ // values separate by a comma. 
-+ // -+ // See: https://tools.ietf.org/html/rfc7230#section-3.2.2 -+ const toTransferEncoding = this.unsetFlag( -+ FLAGS.CHUNKED, -+ 'header_value_te_chunked'); -+ - n('header_value_start') - .otherwise(this.load('header_state', { - [HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback), - [HEADER_STATE.TRANSFER_ENCODING]: this.setFlag( -- FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'), -+ FLAGS.TRANSFER_ENCODING, toTransferEncoding), - [HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'), - [HEADER_STATE.CONNECTION]: n('header_value_connection'), - }, 'header_value')); -@@ -847,6 +855,11 @@ export class HTTP { - return span.start(span.end(this.node(next))); - } - -+ private unsetFlag(flag: FLAGS, next: string | Node): Node { -+ const p = this.llparse; -+ return p.invoke(p.code.and('flags', ~flag), this.node(next)); -+ } -+ - private setFlag(flag: FLAGS, next: string | Node): Node { - const p = this.llparse; - return p.invoke(p.code.or('flags', flag), this.node(next)); -diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md -index a7d1681..b0891d6 100644 ---- a/test/request/transfer-encoding.md -+++ b/test/request/transfer-encoding.md -@@ -353,6 +353,38 @@ off=106 headers complete method=3 v=1/1 flags=200 content_length=0 - off=106 error code=15 reason="Request has invalid `Transfer-Encoding`" - ``` - -+## POST with `chunked` and duplicate transfer-encoding -+ -+<!-- meta={"type": "request", "noScan": true} --> -+```http -+POST /post_identity_body_world?q=search#hey HTTP/1.1 -+Accept: */* -+Transfer-Encoding: chunked -+Transfer-Encoding: deflate -+ -+World -+``` -+ -+```log -+off=0 message begin -+off=5 len=38 span[url]="/post_identity_body_world?q=search#hey" -+off=44 url complete -+off=54 len=6 span[header_field]="Accept" -+off=61 header_field complete -+off=62 len=3 span[header_value]="*/*" -+off=67 header_value complete -+off=67 len=17 span[header_field]="Transfer-Encoding" -+off=85 header_field complete 
-+off=86 len=7 span[header_value]="chunked" -+off=95 header_value complete -+off=95 len=17 span[header_field]="Transfer-Encoding" -+off=113 header_field complete -+off=114 len=7 span[header_value]="deflate" -+off=123 header_value complete -+off=125 headers complete method=3 v=1/1 flags=200 content_length=0 -+off=125 error code=15 reason="Request has invalid `Transfer-Encoding`" -+``` -+ - ## POST with `chunked` before other transfer-coding (lenient) - - TODO(indutny): should we allow it even in lenient mode? (Consider disabling -- 2.39.2
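Review bot: The subject line justifies the removal with "CVE-2020-8287 is fixed in node 16 upstream", but the `patches` field removed at -678 in gnu/packages/node.scm belongs to `llhttp-bootstrap`, which is fetched from git separately from node. The commit message should instead state that the llhttp checkout now used already contains upstream commit e9b36ea64709c35ca66094d5cf3787f444029601 (the one quoted in the header of the deleted patch), and it should list the three touched files in the usual Guix commit-log format.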
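Review bot: The deleted file gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch (hunk at -1,100) also carried the regression case "POST with `chunked` and duplicate transfer-encoding", which expects `error code=15` for `Transfer-Encoding: chunked` followed by `Transfer-Encoding: deflate`. Before dropping it, confirm that `test/request/transfer-encoding.md` in the new llhttp source contains that case, and mention the check in the commit message, so the CVE-2020-8287 fix remains covered by a test.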
Best wishes,
Arne
--
Being apolitical means being political without noticing it.
draketo.de
Message #8 received at 62177 <at> debbugs.gnu.org:
From: Jelle Licht <jlicht <at> fsfe.org>
To: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>, 62177 <at> debbugs.gnu.org
Subject: Re: bug#62177: [PATCH] [WIP] update node to version 16
Date: Tue, 14 Mar 2023 11:37:11 +0100
Hi Dr. Arne,

"Dr. Arne Babenhauserheide" <arne_bab <at> web.de> writes:

> Hi,
>
>
> this is an initial stab at getting node to version 16.

[snip]

Issue 59188 (https://issues.guix.gnu.org/59188) already updates node to the 18.X LTS series. Would that version also work for you, or do you have a specific need for the 16.X series? I ask because the "active" LTS version is 18, while the 16 "maintenance" LTS window already closes on 2023-09-11, which is (IMHO) pretty soon.

- Jelle
Message #11 received at 62177 <at> debbugs.gnu.org:
From: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
To: Jelle Licht <jlicht <at> fsfe.org>
Cc: 62177 <at> debbugs.gnu.org
Subject: Re: bug#62177: [PATCH] [WIP] update node to version 16
Date: Tue, 14 Mar 2023 17:08:54 +0100
Hi Jelle,

Jelle Licht <jlicht <at> fsfe.org> writes:

> Issue 59188 (https://issues.guix.gnu.org/59188) already updates node to
> the 18.X LTS series. Would that version also work for you, or do you
> have a specific need for the 16.X series? I ask because the "active" LTS
> version is 18, while the 16 "maintenance" LTS window already closes on
> 2023-09-11, which is (IMHO) pretty soon.

Version 18 is even better :-)

Thank you!

Best wishes,
Arne
--
Being apolitical means being political without noticing it.
draketo.de