Re: [v2 0/1] Jasper security fixes
It is a bit frightening that such a package with lots of CVE fixes apparently is dead upstream (since the patches from 2008 have not been incorporated into a new release). On the other hand, someone must have written the patches; is there no new upstream who has taken over? If not, is the software still useful and unique enough to keep it around? Apart from these more fundamental questions, it looks good to push. Andreas
[PATCH] gnu: Add murrine.
* gnu/packages/gtk.scm (murrine): New variable. --- gnu/packages/gtk.scm | 29 + 1 file changed, 29 insertions(+) diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 3d8a652..cf13294 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -1159,3 +1159,32 @@ can also be used to document application code.") Clearlooks, Crux, High Contrast, Industrial, LighthouseBlue, Metal, Mist, Redmond95 and ThinIce.") (license (list license:gpl2+ license:lgpl2.0+ + +(define-public murrine + (package +(name "murrine") +(version "0.98.2") +(source (origin + (method url-fetch) + (uri (string-append "mirror://gnome/sources/" name "/" + (version-major+minor version) "/" + name "-" version ".tar.xz")) + (sha256 + (base32 +"129cs5bqw23i76h3nmc29c9mqkm9460iwc8vkl7hs4xr07h8mip9" +(build-system gnu-build-system) +(arguments + `(#:configure-flags + `("--enable-animation" + "--enable-animationrtl"))) +(native-inputs + `(("pkg-config" ,pkg-config) + ("intltool" ,intltool))) +(propagated-inputs + `(("gtk+" ,gtk+-2))) +(home-page "http://live.gnome.org/GnomeArt;) +(synopsis "Cairo-based Gtk+ 2 theming engine") +(description + "The murrine Gtk+ 2 engine is a cairo-based theming engine. It is named +after the glass artworks done by Venicians glass blowers.") +(license license:gpl2+))) -- 2.7.0
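Review bot: the `#:configure-flags` value is a quasiquote nested inside the `arguments` quasiquote, `` `("--enable-animation" "--enable-animationrtl") ``; nothing in it is unquoted, so the plain quoted form `'("--enable-animation" "--enable-animationrtl")` is what is meant and is the conventional one. Two smaller points in the same hunk: `Venicians glass blowers` in the description should read `Venetian glass blowers`, and the `home-page` line as posted, `(home-page "http://live.gnome.org/GnomeArt;)`, has lost its closing double quote, so make sure the file still reads before pushing.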
[PATCH] gnu: Add gtk-engines.
* gnu/packages/gtk.scm (gtk-engines): New variable. --- gnu/packages/gtk.scm | 29 + 1 file changed, 29 insertions(+) diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 3f92d0a..3d8a652 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -1130,3 +1130,32 @@ information.") typically used to document the public API of GTK+ and GNOME libraries, but it can also be used to document application code.") (license license:gpl2+))) + +(define-public gtk-engines + (package +(name "gtk-engines") +(version "2.20.2") +(source (origin + (method url-fetch) + (uri (string-append "mirror://gnome/sources/" name "/" + (version-major+minor version) "/" + name "-" version ".tar.bz2")) + (sha256 + (base32 +"1db65pb0j0mijmswrvpgkdabilqd23x22d95hp5kwxvcramq1dhm" +(build-system gnu-build-system) +(arguments + `(#:configure-flags + `("--enable-animation"))) +(native-inputs + `(("pkg-config" ,pkg-config) + ("intltool" ,intltool))) +(propagated-inputs + `(("gtk+" ,gtk+-2))) +(home-page "http://live.gnome.org/GnomeArt;) +(synopsis "Various theming engines for Gtk+ 2") +(description + "This package contains the standard Gtk+ 2 theming engines including +Clearlooks, Crux, High Contrast, Industrial, LighthouseBlue, Metal, Mist, +Redmond95 and ThinIce.") +(license (list license:gpl2+ license:lgpl2.0+ -- 2.7.0
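Review bot: the hunk ends with `(license (list license:gpl2+ license:lgpl2.0+` and no closing parentheses, and the `home-page` string is posted as `"http://live.gnome.org/GnomeArt;)`; if that is not just mail mangling the module will not load, so re-check the file. Style point: `#:configure-flags` is a nested quasiquote, `` `("--enable-animation") ``, where a plain `'("--enable-animation")` is meant.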
Re: Gnupg 2.1.11
It eventually built successfully, and we've learned more recently. See https://bugs.gnu.org/22558 for further discussion on this issue. Thanks, Mark
[PATCH] gnu: Add gtk-engines and murrine.
* gnu/packages/gtk.scm (gtk-engines): New variable. * gnu/packages/gtk.scm (murrine): New variable. --- gnu/packages/gtk.scm | 58 1 file changed, 58 insertions(+) diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 3f92d0a..cf13294 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm 
@@ -1130,3 +1130,61 @@ information.") typically used to document the public API of GTK+ and GNOME libraries, but it can also be used to document application code.") (license license:gpl2+))) + +(define-public gtk-engines + (package +(name "gtk-engines") +(version "2.20.2") +(source (origin + (method url-fetch) + (uri (string-append "mirror://gnome/sources/" name "/" + (version-major+minor version) "/" + name "-" version ".tar.bz2")) + (sha256 + (base32 +"1db65pb0j0mijmswrvpgkdabilqd23x22d95hp5kwxvcramq1dhm" +(build-system gnu-build-system) +(arguments + `(#:configure-flags + `("--enable-animation"))) +(native-inputs + `(("pkg-config" ,pkg-config) + ("intltool" ,intltool))) +(propagated-inputs + `(("gtk+" ,gtk+-2))) +(home-page "http://live.gnome.org/GnomeArt;) +(synopsis "Various theming engines for Gtk+ 2") +(description + "This package contains the standard Gtk+ 2 theming engines including +Clearlooks, Crux, High Contrast, Industrial, LighthouseBlue, Metal, Mist, +Redmond95 and ThinIce.") +(license (list license:gpl2+ license:lgpl2.0+ + +(define-public murrine + (package +(name "murrine") +(version "0.98.2") +(source (origin + (method url-fetch) + (uri (string-append "mirror://gnome/sources/" name "/" + (version-major+minor version) "/" + name "-" version ".tar.xz")) + (sha256 + (base32 +"129cs5bqw23i76h3nmc29c9mqkm9460iwc8vkl7hs4xr07h8mip9" +(build-system gnu-build-system) +(arguments + `(#:configure-flags + `("--enable-animation" + "--enable-animationrtl"))) +(native-inputs + `(("pkg-config" ,pkg-config) + ("intltool" ,intltool))) +(propagated-inputs + `(("gtk+" ,gtk+-2))) +(home-page "http://live.gnome.org/GnomeArt;) +(synopsis "Cairo-based Gtk+ 2 theming engine") +(description + "The murrine Gtk+ 2 engine is a cairo-based theming engine. It is named +after the glass artworks done by Venicians glass blowers.") +(license license:gpl2+))) -- 2.7.0
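Review bot: this single commit adds two variables, `gtk-engines` and `murrine`, and the ChangeLog entry carries two `New variable` lines; one package per commit is the convention, so split it into a `gnu: Add gtk-engines.` commit followed by a `gnu: Add murrine.` commit (the murrine hunk already shows the gtk-engines definition as its context, so the order is fixed). Within the hunk, both `#:configure-flags` lists are nested quasiquotes where `'(...)` is meant, and `Venicians` in the murrine description should be `Venetian`.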
Re: [PATCH] gnu: net-tools: Use a different source mirror.
Jookia <166...@gmail.com> skribis:

> The current mirror for the source code now points to a domain parking website,
> so instead use this mirror I found online.

Based on your suggestion and that of Leo, I’ve changed the home page to point to sf.net and the source URL to include both sf.net and ibiblio.org.

Thanks!

Ludo’.
Re: [PATCH] licenses: Add the fdl1.1+.
On Thu, Feb 04, 2016 at 05:17:14PM +0100, Fabian Harfert wrote:
> On Wed, 3 Feb 2016 22:26:55 +0200
> Efraim Flashner wrote:
> > On Wed, 3 Feb 2016 21:11:22 +0100
> > Fabian Harfert wrote:
> > > Am Wed, 3 Feb 2016 21:54:15 +0200
> > > schrieb Efraim Flashner :
> > > [...]
> > > [...]
> > > [...]
> > > Could you please push that for me? I haven't got access to the git
> > > repository(, yet).
> >
> > Unfortunately something with the patch isn't letting me apply it
> > against git so I'm going to have to ask someone else to do it since
> > I'm about to head off to bed. Also, I realized you were missing
> > `license: Add fdl1.1+` at the top line of your commit message.
>
> I thought that git generates the commit message from the mail subject.
> Anyway, I don't know where else I should add the commit message.

I didn't have problems with it. Pushed, adding a copyright line for you.

Thanks!
Re: [v2 0/1] Jasper security fixes
Thanks for taking care of it, Leo. Ludo’.
Re: [PATCH] gnu: Add gtk-engines and murrine.
Hi Fabian, These look good! Could you split them up into 2 patches so that only 1 package is added in each patch? Thanks! - Dave
Re: [PATCH] system: grub: Add 'libreboot?' install flag.
Jookia <166...@gmail.com> skribis:

> Libreboot doesn't read GRUB from the disk, it chainloads configuration files. As
> such, grub-install is known to fail and require fragile workarounds. To solve
> this issue, there's now a 'libreboot?' boolean flag that will instead use
> '/boot/grub/libreboot_grub.cfg' for the GRUB menu and not run 'grub-install'.

Glad you’re streamlining it!

Unfortunately I don’t (yet!) have access to Libreboot-capable hardware, so I’ll let Mark comment on the method. Some “superficial” comments follow.

> * gnu/system/grub.scm (): Add and export 'libreboot?'
> flag.
> * doc/guix.texi (GRUB Configuration): Explain the 'libreboot?' flag.
> * guix/scripts/system.scm: Read and use 'libreboot?' flag when installing
> GRUB.
> (process-action): Read GRUB's 'libreboot?' flag and pass it to
> perform-action.
> (perform-action): Pass the 'libreboot?' flag to 'install-grub*' and
> 'install'.
> (install): Pass the 'libreboot?' flag to install-grub*.
> (install-grub*): Pass the 'libreboot?' flag to install-grub.
> * gnu/build/install.scm (install-grub): Read 'libreboot?' flag and based on
> this

[...]

> Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
> Copyright @copyright{} 2015, 2016 Leo Famulari
> +Copyright @copyright{} 2016 Jookia

Add “@*” at the end of the previous line so that a newline gets inserted.

> +@item @code{libreboot?} (default: @code{#f})
> +Setting this boolean to true will tweak GRUB for systems running Libreboot
> with

s/boolean/Boolean/

> +the GRUB payload. Instead of installing GRUB to disk, a configuration will
> be
> +put in @code{/boot/grub/libreboot_grub.cfg} for Libreboot to load.

s/a configuration will be put in @code/configuration is written to @file/

It would be nice to link to the relevant Libreboot documentation, if possible.

> +(if libreboot?
> + (rename-file target librebooter)
> + (unless (zero? (system* "grub-install" "--no-floppy"

Please align below the ‘l’ of ‘libreboot?’.

> + (libreboot? grub-configuration-libreboot ; bool
> + (default #f))

s/bool/Boolean/ :-)

It’s a bit annoying that we have to pass the ‘libreboot?’ parameter across functions.

Thanks for working on it!

Ludo’.
Re: HTTPS for Hydra
On Thu, Feb 04, 2016 at 11:56:52PM +0100, Roel Janssen wrote:
> Dear list,
>
> I would like to propose adding HTTPS support for hydra.gnu.org. The
> direct need to have this set up, is to allow the build status icons to
> load on the packages page of the Guix website.
>
> Fortunately, this should be possible without causing a lot of trouble
> because Hydra uses nginx as web server. Here's the nginx manual on
> adding support for SSL/TLS:
>
> http://nginx.org/en/docs/http/configuring_https_servers.html
>
> I'm not sure what the policy for SSL/TLS certificates is, but
> personally, I think a LetsEncrypt certificate would be fine:
>
> https://www.letsencrypt.org
>
> A short guide to get it up and running is here:
>
> https://adambard.com/blog/using-letsencrypt-with-nginx/

If we decide to use Let's Encrypt, I recommend using the "webroot" [0] method instead of the method described in that link. The webroot method does not require server downtime, while the method used in that link does require you to stop the nginx server every couple months when you renew the certificates.

> What do you think about adding SSL/TLS to Hydra? And is anyone with
> access to hydra.gnu.org willing to take the time to configure nginx and
> get a certificate?
>
> Kind regards,
> Roel

[0] http://letsencrypt.readthedocs.org/en/latest/using.html#webroot
Re: [PATCH] gnu: glibc/linux: Rename linux-headers input to kernel-headers.
Manolis Ragkousis skribis:

> From 846930e55796b04b00d61c3d9c15546c978a0af0 Mon Sep 17 00:00:00 2001
> From: Manolis Ragkousis
> Date: Thu, 4 Feb 2016 15:50:19 +0200
> Subject: [PATCH] gnu: glibc/linux: Rename linux-headers input to
> kernel-headers.
>
> * gnu/packages/base.scm (glibc/linux)[propagated-inputs]: Use a kernel
> agnostic name for the kernel headers.

Sounds like something we could adopt on the next core-updates cycle. We should make sure no “linux-headers” uses remain.

Thanks,
Ludo’.
HTTPS for Hydra
Dear list, I would like to propose adding HTTPS support for hydra.gnu.org. The direct need to have this set up, is to allow the build status icons to load on the packages page of the Guix website. Fortunately, this should be possible without causing a lot of trouble because Hydra uses nginx as web server. Here's the nginx manual on adding support for SSL/TLS: http://nginx.org/en/docs/http/configuring_https_servers.html I'm not sure what the policy for SSL/TLS certificates is, but personally, I think a LetsEncrypt certificate would be fine: https://www.letsencrypt.org A short guide to get it up and running is here: https://adambard.com/blog/using-letsencrypt-with-nginx/ What do you think about adding SSL/TLS to Hydra? And is anyone with access to hydra.gnu.org willing to take the time to configure nginx and get a certificate? Kind regards, Roel
Re: [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}
On Thu, Feb 04, 2016 at 08:13:18PM -0500, Mark H Weaver wrote:
> Leo Famulari writes:
> > These are upstream patches, also applied by Debian:
> > https://security-tracker.debian.org/tracker/CVE-2015-8629
>
> Thanks for this, but I already updated mit-krb5 and applied fixes for
> these CVEs on the new 'security-updates' branch about 17 hours ago.
>
> I'm sorry that your effort was wasted.

It's okay. Your version is much better!

> Mark
Re: [PATCH] gnu: Add gtk-engines and murrine.
Hi Fabian, I wonder if this will work out of the box. Where does GTK+ look for engines? Was the patch enough to GTK+ to make it respect GUIX_GTK2_PATH and GUIX_GTK3_PATH? Or will we need to add some additional procedure to building profiles to generate a cache or a list of engines expected by GTK+? (I know that at least for input method modules something like that will be needed.) ~~ Ricardo
[PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}
These are upstream patches, also applied by Debian:
https://security-tracker.debian.org/tracker/CVE-2015-8629

Can somebody that actually uses mit-krb5 test and push? Or if you'd rather just push, feel free.

By the way, I'm curious about this package's unusual method of applying patches. Does anyone have any insight? I read the git history but it doesn't give much detail on why the "normal" method doesn't work.

Leo Famulari (1):
  gnu: mit-krb5: Fix CVE-2015-{8629, 8630, 8631}.

 gnu-system.am | 3 +
 gnu/packages/mit-krb5.scm | 6 +-
 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch | 29 ++
 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch | 59 +++
 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch | 550 ++
 5 files changed, 646 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch

--
2.6.3
[PATCH 1/1] gnu: mit-krb5: Fix CVE-2015-{8629, 8630, 8631}.
* gnu/packages/patches/mit-krb5-CVE-2015-8629.patch, gnu/packages/patches/mit-krb5-CVE-2015-8630.patch, gnu/packages/patches/mit-krb5-CVE-2015-8631.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Apply patches. --- gnu-system.am | 3 + gnu/packages/mit-krb5.scm | 6 +- gnu/packages/patches/mit-krb5-CVE-2015-8629.patch | 29 ++ gnu/packages/patches/mit-krb5-CVE-2015-8630.patch | 59 +++ gnu/packages/patches/mit-krb5-CVE-2015-8631.patch | 550 ++ 5 files changed, 646 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch diff --git a/gnu-system.am b/gnu-system.am index 04bd519..e6ff131 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -626,6 +626,9 @@ dist_patch_DATA = \ gnu/packages/patches/mit-krb5-CVE-2015-2697.patch\ gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch\ gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch\ + gnu/packages/patches/mit-krb5-CVE-2015-8629.patch\ + gnu/packages/patches/mit-krb5-CVE-2015-8630.patch\ + gnu/packages/patches/mit-krb5-CVE-2015-8631.patch\ gnu/packages/patches/mpc123-initialize-ao.patch \ gnu/packages/patches/mplayer2-theora-fix.patch \ gnu/packages/patches/module-init-tools-moduledir.patch \ diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm index 16bef8d..7591334 100644 --- a/gnu/packages/mit-krb5.scm +++ b/gnu/packages/mit-krb5.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2012, 2013 Andreas Enge;;; Copyright © 2015 Mark H Weaver +;;; Copyright © 2016 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -54,7 +55,10 @@ "CVE-2015-2696" "CVE-2015-2697" "CVE-2015-2698-pt1" -"CVE-2015-2698-pt2" +"CVE-2015-2698-pt2" +"CVE-2015-8629" +"CVE-2015-8630" +"CVE-2015-8631" (arguments `(#:modules ((ice-9 ftw) (ice-9 match) 
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch new file mode 100644 index 000..6d1c3e7 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch @@ -0,0 +1,29 @@ +Fix CVE-2015-8629 (xdr_nullstring() doesn't check for terminating null +character). + +From upstream git repository, commit +df17a1224a3406f57477bcd372c61e04c0e5a5bb. + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2bef858..ba67084 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp) + return FALSE; + } + } +-return (xdr_opaque(xdrs, *objp, size)); ++if (!xdr_opaque(xdrs, *objp, size)) ++return FALSE; ++/* Check that the unmarshalled bytes are a C string. */ ++if ((*objp)[size - 1] != '\0') ++return FALSE; ++if (memchr(*objp, '\0', size - 1) != NULL) ++return FALSE; ++return TRUE; + + case XDR_ENCODE: + if (size != 0) +-- +2.6.3 + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch new file mode 100644 index 000..431eb27 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch 
@@ -0,0 +1,59 @@ +Fix CVE-2015-8630 (krb5 doesn't check for null policy when KADM5_POLICY +is set in the mask). + +From upstream git repository, commit +b863de7fbf080b15e347a736fdda0a82d42f4f6b. + +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 5b95fa3..1d4365c 100644 +--- a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle, + /* + * Argument sanity checking, and opening up the DB + */ ++if (entry == NULL) ++return EINVAL; + if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) || +(mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) || +(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || +@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle, + return KADM5_BAD_MASK; + if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0) + return KADM5_BAD_MASK; ++if((mask & KADM5_POLICY) && entry->policy == NULL) ++return KADM5_BAD_MASK; + if((mask &
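Review bot: the ChangeLog line `* gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Apply patches.` does not describe the mit-krb5.scm hunk, which appends `"CVE-2015-8629"`, `"CVE-2015-8630"` and `"CVE-2015-8631"` to the list of CVE names that the package's own patch-lookup machinery consumes; name the field that actually changes so the entry stays accurate. The `-"CVE-2015-2698-pt2"` / `+"CVE-2015-2698-pt2"` pair reads as a no-op in the posted hunk; presumably the closing parentheses moved down, which is fine, but worth a glance.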
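Review bot: in the CVE-2015-8629 hunk, the decode path of `xdr_nullstring` now reads `(*objp)[size - 1]` and scans `size - 1` bytes with `memchr`, where `size` is the length taken off the wire; that is the right check for this CVE (a string without a terminating NUL, or with an embedded one, is rejected with `FALSE`), but the posted context cuts off before the `size == 0` handling, so confirm that case returns earlier in the function, otherwise `size - 1` wraps. It is also worth checking that the new `FALSE` returns do not leak a buffer allocated for `*objp` earlier in the same function.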
Re: [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}
Leo Famulari writes:
> These are upstream patches, also applied by Debian:
> https://security-tracker.debian.org/tracker/CVE-2015-8629

Thanks for this, but I already updated mit-krb5 and applied fixes for these CVEs on the new 'security-updates' branch about 17 hours ago.

I'm sorry that your effort was wasted.

Mark
[PATCH] system: grub: Add 'libreboot?' install flag.
Libreboot doesn't read GRUB from the disk, it chainloads configuration files. As such, grub-install is known to fail and require fragile workarounds. To solve this issue, there's now a 'libreboot?' boolean flag that will instead use '/boot/grub/libreboot_grub.cfg' for the GRUB menu and not run 'grub-install'. * gnu/system/grub.scm (): Add and export 'libreboot?' flag. * doc/guix.texi (GRUB Configuration): Explain the 'libreboot?' flag. * guix/scripts/system.scm: Read and use 'libreboot?' flag when installing GRUB. (process-action): Read GRUB's 'libreboot?' flag and pass it to perform-action. (perform-action): Pass the 'libreboot?' flag to 'install-grub*' and 'install'. (install): Pass the 'libreboot?' flag to install-grub*. (install-grub*): Pass the 'libreboot?' flag to install-grub. * gnu/build/install.scm (install-grub): Read 'libreboot?' flag and based on this decide where to put the grub.cfg file and whether to run grub-install. --- doc/guix.texi | 6 ++ gnu/build/install.scm | 21 + gnu/system/grub.scm | 4 guix/scripts/system.scm | 23 ++- 4 files changed, 37 insertions(+), 17 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 11664f4..704809f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17,6 +17,7 @@ Copyright @copyright{} 2015 Mathieu Lirzin@* Copyright @copyright{} 2014 Pierre-Antoine Rault@* Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@* Copyright @copyright{} 2015, 2016 Leo Famulari +Copyright @copyright{} 2016 Jookia Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -9132,6 +9133,11 @@ understood by the @command{grub-install} command, such as @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub, GNU GRUB Manual}). +@item @code{libreboot?} (default: @code{#f}) +Setting this boolean to true will tweak GRUB for systems running Libreboot with +the GRUB payload. Instead of installing GRUB to disk, a configuration will be +put in @code{/boot/grub/libreboot_grub.cfg} for Libreboot to load. + @item @code{menu-entries} (default: @code{()}) A possibly empty list of @code{menu-entry} objects (see below), denoting entries to appear in the GRUB boot menu, in addition to the current diff --git a/gnu/build/install.scm b/gnu/build/install.scm index 9785b6d..471ff58 100644 --- a/gnu/build/install.scm +++ b/gnu/build/install.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès+;;; Copyright © 2016 Jookia <166...@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -36,15 +37,17 @@ ;;; ;;; Code: -(define* (install-grub grub.cfg device mount-point) +(define* (install-grub grub.cfg device mount-point libreboot?) "Install GRUB with GRUB.CFG on DEVICE, which is assumed to be mounted on MOUNT-POINT. Note that the caller must make sure that GRUB.CFG is registered as a GC root so that the fonts, background images, etc. referred to by GRUB.CFG are not GC'd." - (let* ((target (string-append mount-point "/boot/grub/grub.cfg")) - (pivot (string-append target ".new"))) + (let* ((base (string-append mount-point "/boot/grub/")) + (target (string-append base "grub.cfg")) + (pivot (string-append target ".new")) + (librebooter (string-append base "libreboot_grub.cfg"))) (mkdir-p (dirname target)) ;; Copy GRUB.CFG instead of just symlinking it, because symlinks won't 
@@ -52,11 +55,13 @@ GC'd." (copy-file grub.cfg pivot) (rename-file pivot target) -(unless (zero? (system* "grub-install" "--no-floppy" -"--boot-directory" -(string-append mount-point "/boot") -device)) - (error "failed to install GRUB" +(if libreboot? + (rename-file target librebooter) + (unless (zero? (system* "grub-install" "--no-floppy" + "--boot-directory" + (string-append mount-point "/boot") + device)) +(error "failed to install GRUB") (define (evaluate-populate-directive directive target) "Evaluate DIRECTIVE, an sexp describing a file or directory to create under diff --git a/gnu/system/grub.scm b/gnu/system/grub.scm index 45b46ca..d5a2df0 100644 --- a/gnu/system/grub.scm +++ b/gnu/system/grub.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès +;;; Copyright © 2016 Jookia <166...@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -50,6 +51,7 @@ grub-configuration grub-configuration? grub-configuration-device +grub-configuration-libreboot menu-entry menu-entry? @@
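Review bot: in the `install-grub` hunk the new file is renamed twice when `libreboot?` is set, first `(rename-file pivot target)` to `grub.cfg` and then `(rename-file target librebooter)` to `libreboot_grub.cfg`. Decide the final name up front instead, e.g. bind `target` to `(string-append base (if libreboot? "libreboot_grub.cfg" "grub.cfg"))` and keep the single `(rename-file pivot target)`, so the copy-then-rename remains one atomic replacement of the file Libreboot reads and no intermediate `grub.cfg` is created and then moved away.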
Re: Gnupg 2.1.11
On Thu, Feb 04, 2016 at 05:58:12PM +0100, Ludovic Courtès wrote:
> We discussed it on IRC

We continued discussion there. It fails on hydra.gnunet.org and guix.sdj.se and succeeded on chapters.gnu.org. There is a dependency chain gnupg -> openldap -> openssl, so it may be related to the openssl update; that the failures are not uniform is worrying, however.

Andreas
R
Yesterday I submitted a bug report for R on arm:
https://bugs.r-project.org/bugzilla/show_bug.cgi?id=16697

With all the different R packages failing consequently, I hoped that fixing R would reduce the number of failures. (On MIPS there is also a problem, but not the same one.)

Andreas
Re: [PATCH shepherd] support: Ignore errors on parent directories in mkdir-p.
David Michael skribis:

> My use case for this is that I have a crazy Hurd setup that boots a
> read-only root file system with a passive tmpfs translator on /run.
> When mkdir-p runs with "/run/shepherd", it tries to mkdir "/run". On
> Hurd, mkdir first tests for a read-only file system, so mkdir-p catches
> and throws EROFS instead of catching and ignoring EEXIST. The init
> process then dies when it tries to stat the non-existent /run/shepherd.
>
> This patch ignores all errors from parent directories, assuming we only
> really care about the status of creating the final path component.
>
> Another possibility could be to try to change Hurd's error ordering
> instead, but it seems to be acceptably standard behavior:
>
> If more than one error occurs in processing a function call, any one
> of the possible errors may be returned, as the order of detection is
> undefined.[0]

Interesting!

I think that it’s a case where it would be beneficial for the Hurd to follow what Linux does, which is to return EEXIST. How does Coreutils’ ‘mkdir -p’ behave in this situation? (I’ve looked at mkdir-p.c in Gnulib but it’s a bit complicated…)

> Can this be applied, or do you prefer another option?

I would prefer not to hide the initial error like the proposed patch does. OTOH, it’s no big deal, so if it turns out to be too much of a problem or adds too much latency to wait for the Hurd fix, we could apply this patch.

WDYT?

Ludo’.
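The mkdir-p behaviour debated in this thread, as an added Python illustration that is not shepherd's code: a parent component's failed mkdir is tolerated only when the component turns out to exist as a directory (so the Hurd's EROFS on an already-present /run is accepted while a genuinely missing parent keeps its original error), and the final component's error is never hidden. `FakeHurdFs` is a constructed stand-in for the read-only root plus tmpfs translator David describes; the `mkdir`/`isdir` parameters exist only so that setup can be simulated.

```python
import errno
import os
import tempfile


def _prefixes(path):
    """'/run/shepherd' -> ['/run', '/run/shepherd']; relative paths likewise."""
    path = os.path.normpath(path)
    current = os.sep if os.path.isabs(path) else ""
    prefixes = []
    for part in path.split(os.sep):
        if part:
            current = os.path.join(current, part)
            prefixes.append(current)
    if not prefixes:
        raise ValueError("nothing to create for %r" % path)
    return prefixes


def mkdir_p(path, mkdir=os.mkdir, isdir=os.path.isdir):
    """Create PATH and missing parents; return the components actually created.

    A parent's failed mkdir is tolerated only if the component exists as a
    directory afterwards, whatever errno came back (EEXIST on Linux, EROFS on
    a Hurd read-only root that already holds it); a truly missing parent
    re-raises its original error. For the final component only EEXIST on an
    existing directory is tolerated. MKDIR/ISDIR are injectable for simulation.
    """
    prefixes = _prefixes(path)
    created = []
    for prefix in prefixes[:-1]:
        try:
            mkdir(prefix)
            created.append(prefix)
        except OSError:
            if not isdir(prefix):
                raise  # keep the real reason the parent could not be made
    last = prefixes[-1]
    try:
        mkdir(last)
        created.append(last)
    except OSError as err:
        if err.errno != errno.EEXIST or not isdir(last):
            raise
    return created


class FakeHurdFs:
    """Constructed stand-in for the thread's setup: a read-only root whose
    mkdir reports EROFS before it checks EEXIST, plus a tmpfs at WRITABLE."""

    def __init__(self, dirs, writable="/run"):
        self.dirs = set(dirs)
        self.writable = writable

    def mkdir(self, path):
        parent = os.path.dirname(path)
        on_tmpfs = parent == self.writable or parent.startswith(self.writable + os.sep)
        if not on_tmpfs:  # root file system: the read-only check fires first
            raise OSError(errno.EROFS, os.strerror(errno.EROFS), path)
        if path in self.dirs:
            raise OSError(errno.EEXIST, os.strerror(errno.EEXIST), path)
        self.dirs.add(path)

    def isdir(self, path):
        return path in self.dirs


def hurd_with_run_translator():
    """/run exists: its EROFS is tolerated and /run/shepherd gets created."""
    fs = FakeHurdFs({"/", "/run"})
    return mkdir_p("/run/shepherd", fs.mkdir, fs.isdir)  # ['/run/shepherd']


def hurd_without_run():
    """No /run at all: the parent's EROFS is reported, not silently ignored."""
    fs = FakeHurdFs({"/"})
    try:
        mkdir_p("/run/shepherd", fs.mkdir, fs.isdir)
    except OSError as err:
        return errno.errorcode[err.errno]  # 'EROFS'
    return None


def real_filesystem_roundtrip():
    """Real os.mkdir: three new components, then a rerun that creates nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "a", "b", "c")
        first = mkdir_p(target)
        second = mkdir_p(target)
        return len(first), len(second), os.path.isdir(target)  # (3, 0, True)
```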
Re: proposal for more options in gnu/services/networking.scm for blocklist
Nils Gillmann skribis:

> l...@gnu.org (Ludovic Courtès) writes:
>
>> Nils Gillmann skribis:
>>
>>> A first version for google I just came up with starts like the attached
>>> code.
>>>
>>> What do you think?
>>
>> I would use it! (Although I use Tor + Privoxy for most of my web
>> browsing, so I would also need the black list there.)
>>
>> The only downside I see is having to maintain it. Do you know if anyone
>> maintains a list of these hosts somewhere? If yes, we should put the
>> URL as a comment and have a somewhat streamlined process to update the
>> list.
>
> There are many lists out there which are not limited to google.
> The downside I see with this is external authorities and the trust you
> have to put into them, plus unnecessary downloads.
> If it should be moved into a file, I would put it into the Guix system
> source. (-> maybe mirrors of those listed below?)
> I could try and see if I can find a blacklist which is not very long and
> does not need extensive checking.

OK.

>> If there’s no publicly-maintained list of hosts, I think we won’t go
>> beyond Google, because that would easily become unmaintained, and people
>> would be disappointed to get an incomplete/outdated host list.
>>
>> What do people think?
>
> Ublock Origin uses the following sources:
> https://easylist.adblockplus.org/en/policy#easylist
> http://pgl.yoyo.org/adservers/policy.php
> http://www.malwaredomainlist.com
> http://www.malwaredomains.com
> https://github.com/gorhil/uBlock/tree/master/assets/ublock
>
> Pro: Other people and collections of people maintain these lists. less
> work for us
> Pro: widely accepted and maintained
>
> Con: see section above (other authorities, traffic)

Yeah. OTOH I don’t see us (Guix) claim maintenance of such lists.

Another option would be for you to publish such lists, signed and versioned, on a hosting site you have access to? The advantage would be less churn in Guix proper, and the responsibility would be moved to you (or the collective that maintains the list) rather than Guix. We could refer to it in the manual.

WDYT?

Thanks,
Ludo’.
Re: Gnupg 2.1.11
Andreas Enge skribis:

> since my update to 2.1.11, gnupg fails to build on hydra:
> http://hydra.gnu.org/build/990803
> with a failure of one of the tests.
>
> The package builds without problems on my machine. Could someone else
> try it out, please?

We discussed it on IRC and I can tell that a --rounds=3 build succeeded here on x86_64, yielding:

  /gnu/store/lk82n0sxjm9z2wciiadvd32nnkr2a404-gnupg-2.1.11
  SHA256: 029qvi1k26rw6agx39gxaz12dx2shgzmm81f9bbagzvh9m2vfh2w

Mark was suspecting a hardware issue on the build machine, so we’re running memtester on the presumed build machine.

Ludo’.
[PATCH] gnu: glibc/linux: Rename linux-headers input to kernel-headers.
Hello everyone, This patch applies to wip-hurd. In order to use it on master, the (gnu packages commencement) module should also be modified, which is already the case in wip-hurd. I will push the patch to wip-hurd. Manolis >From 846930e55796b04b00d61c3d9c15546c978a0af0 Mon Sep 17 00:00:00 2001 From: Manolis RagkousisDate: Thu, 4 Feb 2016 15:50:19 +0200 Subject: [PATCH] gnu: glibc/linux: Rename linux-headers input to kernel-headers. * gnu/packages/base.scm (glibc/linux)[propagated-inputs]: Use a kernel agnostic name for the kernel headers. --- gnu/packages/base.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 4373716..547753d 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -493,7 +493,7 @@ store.") ;; Glibc's refers to , for instance, so glibc ;; users should automatically pull Linux headers as well. - (propagated-inputs `(("linux-headers" ,linux-libre-headers))) + (propagated-inputs `(("kernel-headers" ,linux-libre-headers))) (outputs '("out" "debug")) @@ -533,7 +533,7 @@ store.") ,version) (string-append "--with-headers=" - (assoc-ref %build-inputs "linux-headers") + (assoc-ref %build-inputs "kernel-headers") "/include") ;; This is the default for most architectures as of GNU libc 2.21, -- 2.7.0
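Review bot: renaming the input label from `"linux-headers"` to `"kernel-headers"` changes the key that `(assoc-ref %build-inputs ...)` resolves, and the hunk updates only the one lookup inside `glibc/linux`; any other module that looks the label up from glibc's propagated inputs (the cover note names `(gnu packages commencement)`) must change in the same commit, otherwise its `assoc-ref` silently returns `#f` and the `--with-headers=` flag is built from nothing. Spelling out in the ChangeLog entry why this lands on wip-hurd first would help whoever carries it to master.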
Gnupg 2.1.11
Hello, since my update to 2.1.11, gnupg fails to build on hydra: http://hydra.gnu.org/build/990803 with a failure of one of the tests. The package builds without problems on my machine. Could someone else try it out, please? Andreas
[PATCH] gnu: libcanberra: Add input gtk+-2.
* gnu/packages/libcanberra.scm (libcanberra): Add input gtk+-2. --- gnu/packages/libcanberra.scm | 1 + 1 file changed, 1 insertion(+) diff --git a/gnu/packages/libcanberra.scm b/gnu/packages/libcanberra.scm index 3769e3f..4110e88 100644 --- a/gnu/packages/libcanberra.scm +++ b/gnu/packages/libcanberra.scm @@ -67,6 +67,7 @@ (inputs `(("alsa-lib" ,alsa-lib) ("gstreamer" ,gstreamer) + ("gtk+" ,gtk+-2) ("gtk+" ,gtk+) ("libltdl" ,libltdl) ("libvorbis" ,libvorbis) -- 2.7.0
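Review bot: the added input `("gtk+" ,gtk+-2)` reuses the label `"gtk+"` that `("gtk+" ,gtk+)` two lines below already carries, so the inputs alist ends up with two entries under one key; `assoc-ref`-style lookups return only the first match, and the label is also what shows in `%build-inputs`. Give the GTK+ 2 entry its own label, e.g. `("gtk+-2" ,gtk+-2)`, and say in the commit message why libcanberra needs both toolkits.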
Re: [PATCH] gnu: libcanberra: Add input gtk+-2.
On Thu, 4 Feb 2016 17:04:42 +0100 Fabian Harfert wrote:
> * gnu/packages/libcanberra.scm (libcanberra): Add input gtk+-2.
> ---
> gnu/packages/libcanberra.scm | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/gnu/packages/libcanberra.scm
> b/gnu/packages/libcanberra.scm index 3769e3f..4110e88 100644
> --- a/gnu/packages/libcanberra.scm
> +++ b/gnu/packages/libcanberra.scm
> @@ -67,6 +67,7 @@
> (inputs
> `(("alsa-lib" ,alsa-lib)
> ("gstreamer" ,gstreamer)
> + ("gtk+" ,gtk+-2)
> ("gtk+" ,gtk+)
> ("libltdl" ,libltdl)
> ("libvorbis" ,libvorbis)

This is because some packages I'm working on need libcanberra with gtk+-2.0 support.
Re: [PATCH] licenses: Add the fdl1.1+.
On Wed, 3 Feb 2016 22:26:55 +0200 Efraim Flashner wrote:
> On Wed, 3 Feb 2016 21:11:22 +0100
> Fabian Harfert wrote:
> > Am Wed, 3 Feb 2016 21:54:15 +0200
> > schrieb Efraim Flashner :
> > [...]
> > [...]
> > [...]
> > Could you please push that for me? I haven't got access to the git
> > repository(, yet).
>
> Unfortunately something with the patch isn't letting me apply it
> against git so I'm going to have to ask someone else to do it since
> I'm about to head off to bed. Also, I realized you were missing
> `license: Add fdl1.1+` at the top line of your commit message.

I thought that git generates the commit message from the mail subject. Anyway, I don't know where else I should add the commit message.
Re: Review of installation manual draft
Hi Ludo, Yes, i should be able to do that. I don't know texinfo yet but i'm learning it now. Petter
Re: The new Hydra
It's great! -- Daniel Pimentel (d4n1)
Re: [v2 0/1] Jasper security fixes
On Thu, Feb 04, 2016 at 11:45:38AM +0100, Andreas Enge wrote: > It is a bit frightening that such a package with lots of CVE fixes apparently > is dead upstream (since the patches from 2008 have not been incorporated into > a new release). On the other hand, someone must have written the patches; > is there no new upstream who has taken over? If not, is the software still > useful and unique enough to keep it around? I agree. The upstream developers claim to be responsive [0] but it's hard to reconcile that with 9 years of unpatched CVEs. Especially when many of these patches address potential untrusted remote code execution. It seems that sometimes a distro adopts another distro's patch, or sometimes writes their own. Every distro is maintaining their own patch quilt. Not good! I haven't found a new upstream for jasper. Thankfully, only Kodi depends on jasper in our tree. I searched my store for other software that might have bundled it and found nothing, but I don't have many programs that would handle JPEGs installed. Perhaps it's possible to use some other JPEG implementation in Kodi and drop jasper. Sadly, there are many packages in our tree, with active upstreams, that are probably just as vulnerable. > > Apart from these more fundamental questions, it looks good to push. Done. [0] http://www.ece.uvic.ca/~frodo/jasper/#faq
Crude diffoscope report generator
I have been investigating some reproducibility problems using Guix and diffoscope. We have all the tools to make this possible, but it's not automated yet. I've attached the crude shell script I've been using to build, rebuild, and generate a diffoscope report. Perhaps it will help others and inspire more work in this area :) You use it from within your Guix checkout, and the only argument it accepts is the name of a package. BTW, the rsync options are adapted from --archive, but modified to alter symlinks so that they do not point into the store. I'm sure they could be improved.

#!/bin/sh
set -u
set -e

main() {
    if [ $# -lt 1 ]; then
        printf "Give a package name.\n"
        exit 1
    fi
    package=$1
    shift
    if [ $# -ne 0 ]; then
        printf "Unknown parameter %s\n" "$1"
        exit 1
    fi
    # Fail early if a/ or b/ already exist: stale copies would skew the comparison.
    mkdir a
    mkdir b
    # Build locally (no substitutes), copy the output out of the store, delete
    # the store item so the second build really is a rebuild, and repeat.
    # -rLptgoD is --archive with -l replaced by -L, so symlinks are copied as
    # the files they point to instead of as links back into /gnu/store.
    mypath="$(./pre-inst-env guix build --no-substitutes "$package")" \
      && rsync -rLptgoD "$mypath" ./a \
      && guix gc -d "$mypath" \
      && mypath="$(./pre-inst-env guix build --no-substitutes "$package")" \
      && rsync -rLptgoD "$mypath" ./b \
      && guix gc -d "$mypath" \
      && diffoscope --html ./report ./a ./b
}

main "$@"
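As an added example (not part of the post above and not Guix code), the following POSIX sh helpers record a per-file manifest of a build output and diff two such manifests, so diffoscope only has to be pointed at the files that actually changed between the two builds; the store path, file names and contents in `make_sample` are constructed stand-ins for the `./a` and `./b` copies the script produces.

```shell
#!/bin/sh
# Added example, not from the original post or from Guix: record a per-file
# manifest of a build output and diff two manifests, so that diffoscope only
# has to be pointed at the files that actually changed between rebuilds.
set -u

# tree_manifest DIR: one line per entry, "<sha256>  <path>" for regular files
# and "link:<target>  <path>" for symlinks, sorted by path. Symlinks are kept
# as their target text, not dereferenced, so a link into /gnu/store is
# compared as a string instead of being followed.
tree_manifest() {
    (
        cd "$1" || exit 1
        find . -type f -exec sha256sum {} \;
        find . -type l | while IFS= read -r l; do
            printf 'link:%s  %s\n' "$(readlink "$l")" "$l"
        done
    ) | LC_ALL=C sort -k 2
}

# compare_manifests A B: print "differs: P", "only-a: P" or "only-b: P" for
# every path whose entry differs between manifest files A and B (A must be
# non-empty); returns 0 only when the two manifests match exactly.
compare_manifests() {
    out=$(awk '
        NR == FNR { a[$2] = $1; next }   # lines of the first manifest
        { b[$2] = $1 }                   # lines of the second manifest
        END {
            for (p in a) if (!(p in b)) print "only-a: " p
            for (p in b) { if (!(p in a)) print "only-b: " p; else if (a[p] != b[p]) print "differs: " p }
        }' "$1" "$2" | LC_ALL=C sort)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# make_sample: constructed stand-ins for ./a and ./b, two copies of one build
# output that differ only in an embedded timestamp and one stray extra file.
make_sample() {
    dir=$(mktemp -d)
    for side in a b; do
        mkdir -p "$dir/$side/bin" "$dir/$side/share"
        printf 'int main(void) { return 0; }\n' > "$dir/$side/share/hello.c"
        ln -s /gnu/store/0123456789abcdefghijklmnopqrstuv-glibc-2.22/lib/libc.so "$dir/$side/bin/libc.so"
    done
    printf 'built 2016-02-04 10:00\n' > "$dir/a/share/buildinfo"
    printf 'built 2016-02-04 10:05\n' > "$dir/b/share/buildinfo"
    printf 'stale log\n' > "$dir/b/share/extra"
    echo "$dir"
}
```

Run `tree_manifest ./a > a.manifest` right after the first build and the manifest can be kept across the `guix gc -d` step without copying the whole tree; `compare_manifests a.manifest b.manifest` then lists exactly the paths worth handing to diffoscope.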
Re: [PATCH] gnu: net-tools: Use a different source mirror.
On Tue, Feb 02, 2016 at 09:38:43PM +, Jookia wrote: > The current mirror for the source code now points to a domain parking website, > so instead use this mirror I found online. It looks like Debian is packaging git checkouts. I didn't look at what repo they are of, but Debian also names this Sourceforge page as upstream's home-page: https://packages.debian.org/stretch/net/net-tools http://sourceforge.net/projects/net-tools/ The repo is 10 years old and seems to be actively maintained. We should see if it is suitable for packaging. > > * gnu/packages/linux.scm (net-tools): Use a different uri for the origin. > --- > gnu/packages/linux.scm | 6 -- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index 9d359e3..f6373a8 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm > @@ -7,6 +7,7 @@ > ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer> ;;; Copyright © 2015, 2016 Efraim Flashner > ;;; Copyright © 2016 Christopher Allan Webber > +;;; Copyright © 2016 Jookia <166...@gmail.com> > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -951,8 +952,9 @@ manpages.") > (home-page "http://www.tazenda.demon.co.uk/phil/net-tools/;) > (source (origin > (method url-fetch) > - (uri (string-append home-page "/" name "-" > - version ".tar.bz2")) > + (uri (string-append "http://distro.ibiblio.org/; > + "rootlinux/rootlinux-ports/base/" > + "net-tools/net-tools-1.60.tar.bz2")) > (sha256 >(base32 > "0yvxrzk0mzmspr7sa34hm1anw6sif39gyn85w4c5ywfn8inxvr3s")) > -- > 2.7.0 > >
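Review bot: the replacement `uri` in the second hunk hardcodes "net-tools-1.60.tar.bz2" instead of deriving the file name from `name` and `version` as the removed lines did, so a later version bump would silently keep fetching 1.60; build it as `(string-append "http://distro.ibiblio.org/rootlinux/rootlinux-ports/base/" name "/" name "-" version ".tar.bz2")` or equivalent. The `home-page` context line still points at the tazenda.demon.co.uk domain the commit message describes as a parking site, so it should be changed in the same patch (the Sourceforge project page mentioned above is a candidate). Leaving the `sha256` untouched is the right call: the tarball pulled from the new third-party mirror is still checked against the hash recorded before the mirror changed, which is what keeps a mirror swap from becoming a trust-the-mirror change.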
[v2 0/1] Jasper security fixes
This is the same code as before with minor changes: 1. I realized that the jasper-stepsizes-overflow.patch was better named jasper-CVE-2007-2721.patch and renamed it. 2. A whitespace fix. 3. I added my name in the copyright stanza. If there are no comments I'll push today, or someone else may push. Leo Famulari (1): gnu: jasper: Add fixes for several security flaws. gnu-system.am | 9 + gnu/packages/image.scm | 14 +- gnu/packages/patches/jasper-CVE-2007-2721.patch| 20 + gnu/packages/patches/jasper-CVE-2008-3520.patch| 931 + .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch | 31 + gnu/packages/patches/jasper-CVE-2014-8137.patch| 64 ++ gnu/packages/patches/jasper-CVE-2014-8138.patch| 21 + gnu/packages/patches/jasper-CVE-2014-8157.patch| 19 + gnu/packages/patches/jasper-CVE-2014-8158.patch| 336 gnu/packages/patches/jasper-CVE-2014-9029.patch| 36 + gnu/packages/patches/jasper-CVE-2016-1867.patch| 18 + 11 files changed, 1498 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/jasper-CVE-2007-2721.patch create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch -- 2.6.3
[v2 1/1] gnu: jasper: Add fixes for several security flaws.
* gnu/packages/patches/jasper-CVE-2007-2721.patch, gnu/packages/patches/jasper-CVE-2008-3520.patch, gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch, gnu/packages/patches/jasper-CVE-2014-8137.patch, gnu/packages/patches/jasper-CVE-2014-8138.patch, gnu/packages/patches/jasper-CVE-2014-8157.patch, gnu/packages/patches/jasper-CVE-2014-8158.patch, gnu/packages/patches/jasper-CVE-2014-9029.patch, gnu/packages/patches/jasper-CVE-2016-1867.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (jasper)[source]: Add patches. --- gnu-system.am | 9 + gnu/packages/image.scm | 14 +- gnu/packages/patches/jasper-CVE-2007-2721.patch| 20 + gnu/packages/patches/jasper-CVE-2008-3520.patch| 931 + .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch | 31 + gnu/packages/patches/jasper-CVE-2014-8137.patch| 64 ++ gnu/packages/patches/jasper-CVE-2014-8138.patch| 21 + gnu/packages/patches/jasper-CVE-2014-8157.patch| 19 + gnu/packages/patches/jasper-CVE-2014-8158.patch| 336 gnu/packages/patches/jasper-CVE-2014-9029.patch| 36 + gnu/packages/patches/jasper-CVE-2016-1867.patch| 18 + 11 files changed, 1498 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/jasper-CVE-2007-2721.patch create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch diff --git a/gnu-system.am b/gnu-system.am index 87ce88a..04bd519 100644 --- a/gnu-system.am +++ b/gnu-system.am 
@@ -545,7 +545,16 @@ dist_patch_DATA = \ gnu/packages/patches/icu4c-CVE-2015-4760.patch \ gnu/packages/patches/imagemagick-test-segv.patch \ gnu/packages/patches/irrlicht-mesa-10.patch \ + gnu/packages/patches/jasper-CVE-2007-2721.patch \ + gnu/packages/patches/jasper-CVE-2008-3520.patch \ gnu/packages/patches/jasper-CVE-2008-3522.patch \ + gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch \ + gnu/packages/patches/jasper-CVE-2014-8137.patch \ + gnu/packages/patches/jasper-CVE-2014-8138.patch \ + gnu/packages/patches/jasper-CVE-2014-8157.patch \ + gnu/packages/patches/jasper-CVE-2014-8158.patch \ + gnu/packages/patches/jasper-CVE-2014-9029.patch \ + gnu/packages/patches/jasper-CVE-2016-1867.patch \ gnu/packages/patches/jbig2dec-ignore-testtest.patch \ gnu/packages/patches/kmod-module-directory.patch \ gnu/packages/patches/ldc-disable-tests.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index bf120f0..f287054 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer;;; Copyright © 2015 Amirouche Boubekki ;;; Copyright © 2014 John Darrington +;;; Copyright © 2016 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -719,7 +720,18 @@ convert, manipulate, filter and display a wide variety of image formats.") (sha256 (base32 "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b")) - (patches (list (search-patch "jasper-CVE-2008-3522.patch") + (patches +(list + (search-patch "jasper-CVE-2007-2721.patch") + (search-patch "jasper-CVE-2008-3520.patch") + (search-patch "jasper-CVE-2008-3522.patch") + (search-patch "jasper-CVE-2011-4516-and-CVE-2011-4517.patch") + (search-patch "jasper-CVE-2014-8137.patch") + (search-patch "jasper-CVE-2014-8138.patch") + (search-patch "jasper-CVE-2014-8157.patch") + (search-patch "jasper-CVE-2014-8158.patch") + (search-patch "jasper-CVE-2014-9029.patch") + (search-patch "jasper-CVE-2016-1867.patch") (build-system gnu-build-system) (native-inputs `(("unzip" ,unzip))) diff --git a/gnu/packages/patches/jasper-CVE-2007-2721.patch b/gnu/packages/patches/jasper-CVE-2007-2721.patch new file mode 100644 index 000..9838247 --- /dev/null +++ b/gnu/packages/patches/jasper-CVE-2007-2721.patch @@ -0,0 +1,20 @@ +Fix
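Review bot: the image.scm hunk adds nine `search-patch` entries, but neither the commit message nor the start of the first patch file (its header begins with a bare "Fix") records where each backport was taken from, whether another distribution's tree or an upstream bug report; a maintainer later deciding whether a patch is complete, superseded, or safe to drop on a version bump needs that, and the thread itself notes that every distro keeps its own quilt, so a source URL line at the top of each patch header is the cheapest way to make them reconcilable. The new entries are in the same order as in the gnu-system.am hunk, which keeps the two lists easy to cross-check.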