Re: [v2 0/1] Jasper security fixes

2016-02-04 Thread Andreas Enge
It is a bit frightening that such a package with lots of CVE fixes apparently
is dead upstream (since the patches from 2008 have not been incorporated into
a new release). On the other hand, someone must have written the patches;
is there no new upstream who has taken over? If not, is the software still
useful and unique enough to keep it around?

Apart from these more fundamental questions, it looks good to push.

Andreas




[PATCH] gnu: Add murrine.

2016-02-04 Thread Fabian Harfert
* gnu/packages/gtk.scm (murrine): New variable.
---
 gnu/packages/gtk.scm | 29 +
 1 file changed, 29 insertions(+)

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 3d8a652..cf13294 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -1159,3 +1159,32 @@ can also be used to document application code.")
 Clearlooks, Crux, High Contrast, Industrial, LighthouseBlue, Metal, Mist,
 Redmond95 and ThinIce.")
 (license (list license:gpl2+ license:lgpl2.0+
+
+(define-public murrine
+  (package
+(name "murrine")
+(version "0.98.2")
+(source (origin
+  (method url-fetch)
+  (uri (string-append "mirror://gnome/sources/" name "/"
+  (version-major+minor version) "/"
+  name "-" version ".tar.xz"))
+  (sha256
+   (base32
+"129cs5bqw23i76h3nmc29c9mqkm9460iwc8vkl7hs4xr07h8mip9"
+(build-system gnu-build-system)
+(arguments
+ `(#:configure-flags
+   `("--enable-animation"
+ "--enable-animationrtl")))
+(native-inputs
+ `(("pkg-config" ,pkg-config)
+   ("intltool" ,intltool)))
+(propagated-inputs
+ `(("gtk+" ,gtk+-2)))
+(home-page "http://live.gnome.org/GnomeArt;)
+(synopsis "Cairo-based Gtk+ 2 theming engine")
+(description
+ "The murrine Gtk+ 2 engine is a cairo-based theming engine. It is named
+after the glass artworks done by Venicians glass blowers.")
+(license license:gpl2+)))
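Review bot: as rendered here the hunk has unbalanced parentheses and a corrupted string: the `(sha256 (base32 "129cs5…"` form and the preceding package's `(license (list license:gpl2+ license:lgpl2.0+` context line lack their closing parens, and `(home-page "http://live.gnome.org/GnomeArt;)` ends in `;)` where `")` is expected. If that is mail or archive mangling rather than file content, apply from the original message and run `guix build murrine` before pushing. Two smaller points: `Venicians` in the description should read `Venetian`, and the inner quasiquote in `#:configure-flags \`("--enable-animation" ...)` works but `'(...)` is the usual form. Note also the `index 3d8a652..cf13294` line: this patch is based on the tree after the gtk-engines patch (which ends at 3d8a652), so the two must be applied in that order.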
-- 
2.7.0




[PATCH] gnu: Add gtk-engines.

2016-02-04 Thread Fabian Harfert
* gnu/packages/gtk.scm (gtk-engines): New variable.
---
 gnu/packages/gtk.scm | 29 +
 1 file changed, 29 insertions(+)

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 3f92d0a..3d8a652 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -1130,3 +1130,32 @@ information.")
 typically used to document the public API of GTK+ and GNOME libraries, but it
 can also be used to document application code.")
 (license license:gpl2+)))
+
+(define-public gtk-engines
+  (package
+(name "gtk-engines")
+(version "2.20.2")
+(source (origin
+  (method url-fetch)
+  (uri (string-append "mirror://gnome/sources/" name "/"
+  (version-major+minor version) "/"
+  name "-" version ".tar.bz2"))
+  (sha256
+   (base32
+"1db65pb0j0mijmswrvpgkdabilqd23x22d95hp5kwxvcramq1dhm"
+(build-system gnu-build-system)
+(arguments
+ `(#:configure-flags
+   `("--enable-animation")))
+(native-inputs
+ `(("pkg-config" ,pkg-config)
+   ("intltool" ,intltool)))
+(propagated-inputs
+ `(("gtk+" ,gtk+-2)))
+(home-page "http://live.gnome.org/GnomeArt;)
+(synopsis "Various theming engines for Gtk+ 2")
+(description
+ "This package contains the standard Gtk+ 2 theming engines including
+Clearlooks, Crux, High Contrast, Industrial, LighthouseBlue, Metal, Mist,
+Redmond95 and ThinIce.")
+(license (list license:gpl2+ license:lgpl2.0+
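Review bot: the last added line, `(license (list license:gpl2+ license:lgpl2.0+`, is missing its closing parentheses and the `(home-page "http://live.gnome.org/GnomeArt;)` line has `;)` in place of `")`, same as in the murrine patch; the `base32` string line is likewise unterminated, so check the real file rather than this rendering. For a dual license, a short comment saying which parts of gtk-engines are GPL2+ and which are LGPL2.0+ is the convention in gtk.scm. Otherwise the package definition mirrors murrine's and looks fine.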
-- 
2.7.0




Re: Gnupg 2.1.11

2016-02-04 Thread Mark H Weaver
It eventually built successfully, and we've learned more recently.
See https://bugs.gnu.org/22558 for further discussion on this issue.

 Thanks,
   Mark



[PATCH] gnu: Add gtk-engines and murrine.

2016-02-04 Thread Fabian Harfert
* gnu/packages/gtk.scm (gtk-engines): New variable.
* gnu/packages/gtk.scm (murrine): New variable.
---
 gnu/packages/gtk.scm | 58 
 1 file changed, 58 insertions(+)

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 3f92d0a..cf13294 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -1130,3 +1130,61 @@ information.")
 typically used to document the public API of GTK+ and GNOME libraries, but it
 can also be used to document application code.")
 (license license:gpl2+)))
+
+(define-public gtk-engines
+  (package
+(name "gtk-engines")
+(version "2.20.2")
+(source (origin
+  (method url-fetch)
+  (uri (string-append "mirror://gnome/sources/" name "/"
+  (version-major+minor version) "/"
+  name "-" version ".tar.bz2"))
+  (sha256
+   (base32
+"1db65pb0j0mijmswrvpgkdabilqd23x22d95hp5kwxvcramq1dhm"
+(build-system gnu-build-system)
+(arguments
+ `(#:configure-flags
+   `("--enable-animation")))
+(native-inputs
+ `(("pkg-config" ,pkg-config)
+   ("intltool" ,intltool)))
+(propagated-inputs
+ `(("gtk+" ,gtk+-2)))
+(home-page "http://live.gnome.org/GnomeArt;)
+(synopsis "Various theming engines for Gtk+ 2")
+(description
+ "This package contains the standard Gtk+ 2 theming engines including
+Clearlooks, Crux, High Contrast, Industrial, LighthouseBlue, Metal, Mist,
+Redmond95 and ThinIce.")
+(license (list license:gpl2+ license:lgpl2.0+
+
+(define-public murrine
+  (package
+(name "murrine")
+(version "0.98.2")
+(source (origin
+  (method url-fetch)
+  (uri (string-append "mirror://gnome/sources/" name "/"
+  (version-major+minor version) "/"
+  name "-" version ".tar.xz"))
+  (sha256
+   (base32
+"129cs5bqw23i76h3nmc29c9mqkm9460iwc8vkl7hs4xr07h8mip9"
+(build-system gnu-build-system)
+(arguments
+ `(#:configure-flags
+   `("--enable-animation"
+ "--enable-animationrtl")))
+(native-inputs
+ `(("pkg-config" ,pkg-config)
+   ("intltool" ,intltool)))
+(propagated-inputs
+ `(("gtk+" ,gtk+-2)))
+(home-page "http://live.gnome.org/GnomeArt;)
+(synopsis "Cairo-based Gtk+ 2 theming engine")
+(description
+ "The murrine Gtk+ 2 engine is a cairo-based theming engine. It is named
+after the glass artworks done by Venicians glass blowers.")
+(license license:gpl2+)))
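Review bot: this combined patch is superseded by the two single-package patches in this thread that Dave asked for; apply those instead. The same rendering problems appear here: closing parentheses are missing after both `base32` strings and after `(license (list license:gpl2+ license:lgpl2.0+`, and both `home-page` URLs end in `;)`, so do not apply from this view.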
-- 
2.7.0




Re: [PATCH] gnu: net-tools: Use a different source mirror.

2016-02-04 Thread Ludovic Courtès
Jookia <166...@gmail.com> skribis:

> The current mirror for the source code now points to a domain parking website,
> so instead use this mirror I found online.

Based on your suggestion and that of Leo, I’ve changed the home page to
point to sf.net and the source URL to include both sf.net and
ibiblio.org.

Thanks!

Ludo’.



Re: [PATCH] licenses: Add the fdl1.1+.

2016-02-04 Thread Leo Famulari
On Thu, Feb 04, 2016 at 05:17:14PM +0100, Fabian Harfert wrote:
> On Wed, 3 Feb 2016 22:26:55 +0200
> Efraim Flashner  wrote:
> 
> > On Wed, 3 Feb 2016 21:11:22 +0100
> > Fabian Harfert  wrote:
> > 
> > > On Wed, 3 Feb 2016 21:54:15 +0200, Efraim Flashner wrote:
> > > 
> > >  [...]  
> > >  [...]  
> > >  [...]  
> > > 
> > > Could you please push that for me? I haven't got access to the git
> > > repository(, yet).
> > >   
> > 
> > Unfortunately something with the patch isn't letting me apply it
> > against git so I'm going to have to ask someone else to do it since
> > I'm about to head off to bed. Also, I realized you were missing
> > `license: Add fdl1.1+` at the top line of your commit message.
> > 
> 
> I thought that git generates the commit message from the mail subject.
> Anyway, I don't know where else I should add the commit message.

I didn't have problems with it. Pushed, adding a copyright line for you.
Thanks!



Re: [v2 0/1] Jasper security fixes

2016-02-04 Thread Ludovic Courtès
Thanks for taking care of it, Leo.

Ludo’.



Re: [PATCH] gnu: Add gtk-engines and murrine.

2016-02-04 Thread Thompson, David
Hi Fabian,

These look good!  Could you split them up into 2 patches so that only
1 package is added in each patch?  Thanks!

- Dave



Re: [PATCH] system: grub: Add 'libreboot?' install flag.

2016-02-04 Thread Ludovic Courtès
Jookia <166...@gmail.com> skribis:

> Libreboot doesn't read GRUB from the disk, it chainloads configuration files. As
> such, grub-install is known to fail and require fragile workarounds. To solve
> this issue, there's now a 'libreboot?' boolean flag that will instead use
> '/boot/grub/libreboot_grub.cfg' for the GRUB menu and not run 'grub-install'.

Glad you’re streamlining it!  Unfortunately I don’t (yet!) have access
to Libreboot-capable hardware, so I’ll let Mark comment on the method.

Some “superficial” comments follow.

> * gnu/system/grub.scm (): Add and export 'libreboot?' flag.
> * doc/guix.texi (GRUB Configuration): Explain the 'libreboot?' flag.
> * guix/scripts/system.scm: Read and use 'libreboot?' flag when installing GRUB.
>   (process-action): Read GRUB's 'libreboot?' flag and pass it to perform-action.
>   (perform-action): Pass the 'libreboot?' flag to 'install-grub*' and 'install'.
>   (install): Pass the 'libreboot?' flag to install-grub*.
>   (install-grub*): Pass the 'libreboot?' flag to install-grub.
> * gnu/build/install.scm (install-grub): Read 'libreboot?' flag and based on this

[...]

>  Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
>  Copyright @copyright{} 2015, 2016 Leo Famulari
> +Copyright @copyright{} 2016 Jookia

Add “@*” at the end of the previous line so that a newline gets
inserted.

> +@item @code{libreboot?} (default: @code{#f})
> +Setting this boolean to true will tweak GRUB for systems running Libreboot with

s/boolean/Boolean/

> +the GRUB payload.  Instead of installing GRUB to disk, a configuration will be
> +put in @code{/boot/grub/libreboot_grub.cfg} for Libreboot to load.

s/a configuration will be put in @code/configuration is written to @file/

It would be nice to link to the relevant Libreboot documentation, if
possible.

> +(if libreboot?
> +  (rename-file target librebooter)
> +  (unless (zero? (system* "grub-install" "--no-floppy"

Please align below the ‘l’ of ‘libreboot?’.

> +  (libreboot?  grub-configuration-libreboot  ; bool
> +   (default #f))

s/bool/Boolean/  :-)

It’s a bit annoying that we have to pass the ‘libreboot?’ parameter
across functions.

Thanks for working on it!

Ludo’.



Re: HTTPS for Hydra

2016-02-04 Thread Leo Famulari
On Thu, Feb 04, 2016 at 11:56:52PM +0100, Roel Janssen wrote:
> Dear list,
> 
> I would like to propose adding HTTPS support for hydra.gnu.org.  The
> direct need to have this set up, is to allow the build status icons to
> load on the packages page of the Guix website.
> 
> Fortunately, this should be possible without causing a lot of trouble
> because Hydra uses nginx as web server.  Here's the nginx manual on
> adding support for SSL/TLS:
> 
>   http://nginx.org/en/docs/http/configuring_https_servers.html
> 
> I'm not sure what the policy for SSL/TLS certificates is, but
> personally, I think a LetsEncrypt certificate would be fine:
> 
>   https://www.letsencrypt.org
> 
> A short guide to get it up and running is here:
> 
>   https://adambard.com/blog/using-letsencrypt-with-nginx/

If we decide to use Let's Encrypt, I recommend using the "webroot" [0]
method instead of the method described in that link. The webroot method
does not require server downtime, while the method used in that link
does require you to stop the nginx server every couple months when you
renew the certificates.

> 
> What do you think about adding SSL/TLS to Hydra?  And is anyone with
> access to hydra.gnu.org willing to take the time to configure nginx and
> get a certificate?
> 
> Kind regards,
> Roel
> 

[0]
http://letsencrypt.readthedocs.org/en/latest/using.html#webroot



Re: [PATCH] gnu: glibc/linux: Rename linux-headers input to kernel-headers.

2016-02-04 Thread Ludovic Courtès
Manolis Ragkousis  skribis:

> From 846930e55796b04b00d61c3d9c15546c978a0af0 Mon Sep 17 00:00:00 2001
> From: Manolis Ragkousis 
> Date: Thu, 4 Feb 2016 15:50:19 +0200
> Subject: [PATCH] gnu: glibc/linux: Rename linux-headers input to
>  kernel-headers.
>
> * gnu/packages/base.scm (glibc/linux)[propagated-inputs]: Use a kernel
>   agnostic name for the kernel headers.

Sounds like something we could adopt on the next core-updates cycle.  We
should make sure no “linux-headers” uses remain.

Thanks,
Ludo’.



HTTPS for Hydra

2016-02-04 Thread Roel Janssen
Dear list,

I would like to propose adding HTTPS support for hydra.gnu.org.  The
direct need to have this set up, is to allow the build status icons to
load on the packages page of the Guix website.

Fortunately, this should be possible without causing a lot of trouble
because Hydra uses nginx as web server.  Here's the nginx manual on
adding support for SSL/TLS:

  http://nginx.org/en/docs/http/configuring_https_servers.html

I'm not sure what the policy for SSL/TLS certificates is, but
personally, I think a LetsEncrypt certificate would be fine:

  https://www.letsencrypt.org

A short guide to get it up and running is here:

  https://adambard.com/blog/using-letsencrypt-with-nginx/

What do you think about adding SSL/TLS to Hydra?  And is anyone with
access to hydra.gnu.org willing to take the time to configure nginx and
get a certificate?

Kind regards,
Roel
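Added example, not part of Roel's proposal or Leo's reply and not Hydra's actual configuration: an nginx layout for the "webroot" method Leo recommends, in which the ACME challenge directory is served over plain HTTP so a renewal never requires stopping nginx. The webroot path, the certificate paths and the upstream port are assumptions.

```nginx
# Plain-HTTP server: answers Let's Encrypt challenges from a static
# directory and sends every other request to HTTPS.
server {
    listen 80;
    server_name hydra.gnu.org;

    # The Let's Encrypt client drops the challenge token here when run as
    #   letsencrypt certonly --webroot -w /var/www/acme -d hydra.gnu.org
    # nginx keeps serving while the token is fetched, so there is no downtime
    # at issuance or at renewal.  /var/www/acme is an assumed path.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server: the certificate files are the ones the Let's Encrypt
# client writes under /etc/letsencrypt/live/<domain>/.  After a renewal
# only "nginx -s reload" is needed, not a stop/start.
server {
    listen 443 ssl;
    server_name hydra.gnu.org;

    ssl_certificate     /etc/letsencrypt/live/hydra.gnu.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hydra.gnu.org/privkey.pem;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        # Assumption: Hydra's web front end listens locally on port 3000;
        # the existing proxy settings for hydra.gnu.org would go here.
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```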



Re: [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}

2016-02-04 Thread Leo Famulari
On Thu, Feb 04, 2016 at 08:13:18PM -0500, Mark H Weaver wrote:
> Leo Famulari  writes:
> 
> > These are upstream patches, also applied by Debian:
> > https://security-tracker.debian.org/tracker/CVE-2015-8629
> 
> Thanks for this, but I already updated mit-krb5 and applied fixes for
> these CVEs on the new 'security-updates' branch about 17 hours ago.
> 
> I'm sorry that your effort was wasted.

It's okay. Your version is much better!

> 
>  Mark



Re: [PATCH] gnu: Add gtk-engines and murrine.

2016-02-04 Thread Ricardo Wurmus
Hi Fabian,

I wonder if this will work out of the box.  Where does GTK+ look for
engines?  Was the patch to GTK+ enough to make it respect GUIX_GTK2_PATH
and GUIX_GTK3_PATH?

Or will we need to add some additional procedure to building profiles to
generate a cache or a list of engines expected by GTK+?  (I know that at
least for input method modules something like that will be needed.)

~~ Ricardo




[PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}

2016-02-04 Thread Leo Famulari
These are upstream patches, also applied by Debian:
https://security-tracker.debian.org/tracker/CVE-2015-8629

Can somebody that actually uses mit-krb5 test and push? Or if you'd
rather just push, feel free.

By the way, I'm curious about this package's unusual method of applying
patches. Does anyone have any insight? I read the git history but it
doesn't give much detail on why the "normal" method doesn't work.

Leo Famulari (1):
  gnu: mit-krb5: Fix CVE-2015-{8629, 8630, 8631}.

 gnu-system.am |   3 +
 gnu/packages/mit-krb5.scm |   6 +-
 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch |  29 ++
 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch |  59 +++
 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch | 550 ++
 5 files changed, 646 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch

-- 
2.6.3




[PATCH 1/1] gnu: mit-krb5: Fix CVE-2015-{8629, 8630, 8631}.

2016-02-04 Thread Leo Famulari
* gnu/packages/patches/mit-krb5-CVE-2015-8629.patch,
gnu/packages/patches/mit-krb5-CVE-2015-8630.patch,
gnu/packages/patches/mit-krb5-CVE-2015-8631.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Apply patches.
---
 gnu-system.am |   3 +
 gnu/packages/mit-krb5.scm |   6 +-
 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch |  29 ++
 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch |  59 +++
 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch | 550 ++
 5 files changed, 646 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
 create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-8631.patch

diff --git a/gnu-system.am b/gnu-system.am
index 04bd519..e6ff131 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -626,6 +626,9 @@ dist_patch_DATA =   
\
   gnu/packages/patches/mit-krb5-CVE-2015-2697.patch\
   gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch\
   gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch\
+  gnu/packages/patches/mit-krb5-CVE-2015-8629.patch\
+  gnu/packages/patches/mit-krb5-CVE-2015-8630.patch\
+  gnu/packages/patches/mit-krb5-CVE-2015-8631.patch\
   gnu/packages/patches/mpc123-initialize-ao.patch  \
   gnu/packages/patches/mplayer2-theora-fix.patch   \
   gnu/packages/patches/module-init-tools-moduledir.patch   \
diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm
index 16bef8d..7591334 100644
--- a/gnu/packages/mit-krb5.scm
+++ b/gnu/packages/mit-krb5.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013 Andreas Enge 
 ;;; Copyright © 2015 Mark H Weaver 
+;;; Copyright © 2016 Leo Famulari 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -54,7 +55,10 @@
 "CVE-2015-2696"
 "CVE-2015-2697"
 "CVE-2015-2698-pt1"
-"CVE-2015-2698-pt2"
+"CVE-2015-2698-pt2"
+"CVE-2015-8629"
+"CVE-2015-8630"
+"CVE-2015-8631"
 (arguments
  `(#:modules ((ice-9 ftw)
   (ice-9 match)
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch 
b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
new file mode 100644
index 000..6d1c3e7
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
@@ -0,0 +1,29 @@
+Fix CVE-2015-8629 (xdr_nullstring() doesn't check for terminating null
+character).
+
+From upstream git repository, commit
+df17a1224a3406f57477bcd372c61e04c0e5a5bb.
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2bef858..ba67084 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
 b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
+   return FALSE;
+  }
+ }
+-return (xdr_opaque(xdrs, *objp, size));
++if (!xdr_opaque(xdrs, *objp, size))
++return FALSE;
++/* Check that the unmarshalled bytes are a C string. */
++if ((*objp)[size - 1] != '\0')
++return FALSE;
++if (memchr(*objp, '\0', size - 1) != NULL)
++return FALSE;
++return TRUE;
+ 
+  case XDR_ENCODE:
+ if (size != 0)
+-- 
+2.6.3
+
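Review bot: the embedded upstream diff's `+++ b/src/lib/kadm5/kadm_rpc_xdr.c` header has lost its `+++` prefix in this rendering (it appears as ` b/src/lib/kadm5/kadm_rpc_xdr.c`), so the patch file as shown would not apply; check the committed copy against upstream commit df17a1224a3406f57477bcd372c61e04c0e5a5bb. The change itself is the complete fix: after `xdr_opaque` succeeds it requires the final byte to be `'\0'` and uses `memchr` to reject any earlier NUL, so a decoded string is guaranteed to be a well-formed C string before any caller treats it as one.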
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch 
b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
new file mode 100644
index 000..431eb27
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch
@@ -0,0 +1,59 @@
+Fix CVE-2015-8630 (krb5 doesn't check for null policy when KADM5_POLICY
+is set in the mask).
+
+From upstream git repository, commit
+b863de7fbf080b15e347a736fdda0a82d42f4f6b.
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c 
b/src/lib/kadm5/srv/svr_principal.c
+index 5b95fa3..1d4365c 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
 b/src/lib/kadm5/srv/svr_principal.c
+@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
+ /*
+  * Argument sanity checking, and opening up the DB
+  */
++if (entry == NULL)
++return EINVAL;
+ if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
+(mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
+(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
+ return KADM5_BAD_MASK;
+ if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
+ return KADM5_BAD_MASK;
++if((mask & KADM5_POLICY) && entry->policy == NULL)
++return KADM5_BAD_MASK;
+ if((mask & 
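Review bot: this patch file is cut off in the message as displayed (the hunk header promises 59 lines and the text stops at `+ if((mask & `), and its `+++ b/src/lib/kadm5/srv/svr_principal.c` header is mangled the same way as in the previous file; verify that the committed file is the full upstream commit b863de7fbf080b15e347a736fdda0a82d42f4f6b. The two visible checks are sound: `entry == NULL` returns `EINVAL` before `entry->n_key_data` is dereferenced, and `KADM5_POLICY` with a NULL `entry->policy` returns `KADM5_BAD_MASK`, which is the missing check the patch header describes.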

Re: [PATCH 0/1] Fix CVE-2015-{8629, 8630, 8631}

2016-02-04 Thread Mark H Weaver
Leo Famulari  writes:

> These are upstream patches, also applied by Debian:
> https://security-tracker.debian.org/tracker/CVE-2015-8629

Thanks for this, but I already updated mit-krb5 and applied fixes for
these CVEs on the new 'security-updates' branch about 17 hours ago.

I'm sorry that your effort was wasted.

 Mark



[PATCH] system: grub: Add 'libreboot?' install flag.

2016-02-04 Thread Jookia
Libreboot doesn't read GRUB from the disk, it chainloads configuration files. As
such, grub-install is known to fail and require fragile workarounds. To solve
this issue, there's now a 'libreboot?' boolean flag that will instead use
'/boot/grub/libreboot_grub.cfg' for the GRUB menu and not run 'grub-install'.

* gnu/system/grub.scm (): Add and export 'libreboot?' flag.
* doc/guix.texi (GRUB Configuration): Explain the 'libreboot?' flag.
* guix/scripts/system.scm: Read and use 'libreboot?' flag when installing GRUB.
  (process-action): Read GRUB's 'libreboot?' flag and pass it to perform-action.
  (perform-action): Pass the 'libreboot?' flag to 'install-grub*' and 'install'.
  (install): Pass the 'libreboot?' flag to install-grub*.
  (install-grub*): Pass the 'libreboot?' flag to install-grub.
* gnu/build/install.scm (install-grub): Read 'libreboot?' flag and based on this
  decide where to put the grub.cfg file and whether to run grub-install.
---
 doc/guix.texi   |  6 ++
 gnu/build/install.scm   | 21 +
 gnu/system/grub.scm |  4 
 guix/scripts/system.scm | 23 ++-
 4 files changed, 37 insertions(+), 17 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 11664f4..704809f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17,6 +17,7 @@ Copyright @copyright{} 2015 Mathieu Lirzin@*
 Copyright @copyright{} 2014 Pierre-Antoine Rault@*
 Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
 Copyright @copyright{} 2015, 2016 Leo Famulari
+Copyright @copyright{} 2016 Jookia
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
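Review bot: the new `+Copyright @copyright{} 2016 Jookia` line follows `Copyright @copyright{} 2015, 2016 Leo Famulari`, which has no trailing `@*`, so in Texinfo the two names run onto one line. Append `@*` to the Leo Famulari line (it then becomes a `-`/`+` pair in this hunk).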
@@ -9132,6 +9133,11 @@ understood by the @command{grub-install} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
 GNU GRUB Manual}).
 
+@item @code{libreboot?} (default: @code{#f})
+Setting this boolean to true will tweak GRUB for systems running Libreboot with
+the GRUB payload.  Instead of installing GRUB to disk, a configuration will be
+put in @code{/boot/grub/libreboot_grub.cfg} for Libreboot to load.
+
 @item @code{menu-entries} (default: @code{()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
 entries to appear in the GRUB boot menu, in addition to the current
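Review bot: wording in the new `@item`: `boolean` should be `Boolean`, and `a configuration will be put in @code{/boot/grub/libreboot_grub.cfg}` reads better as `the configuration is written to @file{/boot/grub/libreboot_grub.cfg}` (the manual uses `@file` for file names). A link to the Libreboot documentation on its GRUB payload would also help readers understand why `grub-install` is skipped.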
diff --git a/gnu/build/install.scm b/gnu/build/install.scm
index 9785b6d..471ff58 100644
--- a/gnu/build/install.scm
+++ b/gnu/build/install.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès 
+;;; Copyright © 2016 Jookia <166...@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -36,15 +37,17 @@
 ;;;
 ;;; Code:
 
-(define* (install-grub grub.cfg device mount-point)
+(define* (install-grub grub.cfg device mount-point libreboot?)
   "Install GRUB with GRUB.CFG on DEVICE, which is assumed to be mounted on
 MOUNT-POINT.
 
 Note that the caller must make sure that GRUB.CFG is registered as a GC root
 so that the fonts, background images, etc. referred to by GRUB.CFG are not
 GC'd."
-  (let* ((target (string-append mount-point "/boot/grub/grub.cfg"))
- (pivot  (string-append target ".new")))
+  (let* ((base (string-append mount-point "/boot/grub/"))
+ (target (string-append base "grub.cfg"))
+ (pivot  (string-append target ".new"))
+ (librebooter (string-append base "libreboot_grub.cfg")))
 (mkdir-p (dirname target))
 
 ;; Copy GRUB.CFG instead of just symlinking it, because symlinks won't
@@ -52,11 +55,13 @@ GC'd."
 (copy-file grub.cfg pivot)
 (rename-file pivot target)
 
-(unless (zero? (system* "grub-install" "--no-floppy"
-"--boot-directory"
-(string-append mount-point "/boot")
-device))
-  (error "failed to install GRUB"
+(if libreboot?
+  (rename-file target librebooter)
+  (unless (zero? (system* "grub-install" "--no-floppy"
+  "--boot-directory"
+  (string-append mount-point "/boot")
+  device))
+(error "failed to install GRUB")
 
 (define (evaluate-populate-directive directive target)
   "Evaluate DIRECTIVE, an sexp describing a file or directory to create under
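Review bot: in the `libreboot?` branch the freshly copied `target` (`/boot/grub/grub.cfg`) is renamed to `libreboot_grub.cfg`, so no `grub.cfg` remains afterwards. If that is intended, the copy can go straight from `pivot` to `librebooter` and skip the intermediate name; if not, `copy-file` is the safer choice. Per the style comment in this thread, the `(rename-file ...)` and `(unless ...)` branches should be aligned under the `l` of `libreboot?`. The displayed hunk has also lost closing parentheses on the `(error "failed to install GRUB"` lines, so re-check the real file.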
diff --git a/gnu/system/grub.scm b/gnu/system/grub.scm
index 45b46ca..d5a2df0 100644
--- a/gnu/system/grub.scm
+++ b/gnu/system/grub.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès 
+;;; Copyright © 2016 Jookia <166...@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -50,6 +51,7 @@
 grub-configuration
 grub-configuration?
 grub-configuration-device
+grub-configuration-libreboot
 
 menu-entry
 menu-entry?
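Review bot: the exported accessor is `grub-configuration-libreboot` while the field is `libreboot?`; the other accessors follow `grub-configuration-<field>`, so `grub-configuration-libreboot?` would be consistent, and the predicate-style name matches the `; bool` comment on the field quoted elsewhere in this thread.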
@@ 

Re: Gnupg 2.1.11

2016-02-04 Thread Andreas Enge
On Thu, Feb 04, 2016 at 05:58:12PM +0100, Ludovic Courtès wrote:
> We discussed it on IRC

We continued discussion there. It fails on hydra.gnunet.org and
guix.sdj.se and succeeded on chapters.gnu.org.

There is a dependency chain gnupg -> openldap -> openssl, so it may be
related to the openssl update; that the failures are not uniform is
worrying, however.

Andreas




R

2016-02-04 Thread Andreas Enge
Yesterday I submitted a bug report for R on arm:
   
https://bugs.r-project.org/bugzilla/show_bug.cgi?id=16697https://bugs.r-project.org/bugzilla/show_bug.cgi?id=16697

With all the different R packages failing consequently, I hoped that fixing R
would reduce the number of failures. (On MIPS there is also a problem, but
not the same one.)

Andreas




Re: [PATCH shepherd] support: Ignore errors on parent directories in mkdir-p.

2016-02-04 Thread Ludovic Courtès
David Michael  skribis:

> My use case for this is that I have a crazy Hurd setup that boots a
> read-only root file system with a passive tmpfs translator on /run.
> When mkdir-p runs with "/run/shepherd", it tries to mkdir "/run".  On
> Hurd, mkdir first tests for a read-only file system, so mkdir-p catches
> and throws EROFS instead of catching and ignoring EEXIST.  The init
> process then dies when it tries to stat the non-existent /run/shepherd.
>
> This patch ignores all errors from parent directories, assuming we only
> really care about the status of creating the final path component.
>
> Another possibility could be to try to change Hurd's error ordering
> instead, but it seems to be acceptably standard behavior:
>
> If more than one error occurs in processing a function call, any one
> of the possible errors may be returned, as the order of detection is
> undefined.[0]

Interesting!

I think that it’s a case where it would be beneficial for the Hurd to
follow what Linux does, which is to return EEXIST.

How does Coreutils’ ‘mkdir -p’ behave in this situation?  (I’ve looked
at mkdir-p.c in Gnulib but it’s a bit complicated…)

> Can this be applied, or do you prefer another option?

I would prefer not to hide the initial error like the proposed patch
does.

OTOH, it’s no big deal, so if it turns out to be too much of a problem
or adds too much latency to wait for the Hurd fix, we could apply this
patch.

WDYT?

Ludo’.



Re: proposal for more options in gnu/services/networking.scm for blocklist

2016-02-04 Thread Ludovic Courtès
Nils Gillmann  skribis:

> l...@gnu.org (Ludovic Courtès) writes:
>
>> Nils Gillmann  skribis:
>>
>>> A first version for google I just came up with starts like the attached
>>> code.
>>>
>>> What do you think?
>>
>> I would use it!  (Although I use Tor + Privoxy for most of my web
>> browsing, so I would also need the black list there.)
>>
>> The only downside I see it having to maintain it.  Do you know if anyone
>> maintains a list of these hosts somewhere?  If yes, we should put the
>> URL as a comment and have a somewhat streamlined process to update the
>> list.
>
> There are many lists out there which are not limited to google.
> The downside I see with this is external authorities and the trust you
> have to put into them, plus unnecessary downloads.
> If it should be moved into a file, I would put it into the Guix system
> source. (-> maybe mirrors of those listed below?)
> I could try and see if I can find a blacklist which is not very long and
> does not need extensive checking.

OK.

>> If there’s no publicly-maintained list of hosts, I think we won’t go
>> beyond Google, because that would easily become unmaintained, and people
>> would be disappointed to get an incomplete/outdated host list.
>>
>> What do people think?
>
> Ublock Origin uses the following sources:
> https://easylist.adblockplus.org/en/policy#easylist
> http://pgl.yoyo.org/adservers/policy.php
> http://www.malwaredomainlist.com
> http://www.malwaredomains.com
> https://github.com/gorhil/uBlock/tree/master/assets/ublock
>
> Pro: Other people and collections of people maintain these lists. less
> work for us
> Pro: widely accepted and maintained
>
> Con: see section above (other authorities, traffic)

Yeah.  OTOH I don’t see us (Guix) claim maintenance of such lists.

Another option would be for you to publish such lists, signed and
versioned, on a hosting site you have access to?  The advantage would be
less churn in Guix proper, and the responsibility would be moved to you
(or the collective that maintains the list) rather than Guix.  We could
refer to it in the manual.

WDYT?

Thanks,
Ludo’.



Re: Gnupg 2.1.11

2016-02-04 Thread Ludovic Courtès
Andreas Enge  skribis:

> since my update to 2.1.11, gnupg fails to build on hydra:
>http://hydra.gnu.org/build/990803
> with a failure of one of the tests.
>
> The package builds without problems on my machine. Could someone else
> try it out, please?

We discussed it on IRC and I can tell that a --rounds=3 build succeeded
here on x86_64, yielding:

  /gnu/store/lk82n0sxjm9z2wciiadvd32nnkr2a404-gnupg-2.1.11
  SHA256: 029qvi1k26rw6agx39gxaz12dx2shgzmm81f9bbagzvh9m2vfh2w

Mark was suspecting a hardware issue on the build machine, so we’re
running memtester on the presumed build machine.

Ludo’.



[PATCH] gnu: glibc/linux: Rename linux-headers input to kernel-headers.

2016-02-04 Thread Manolis Ragkousis
Hello everyone,

This patch applies to wip-hurd. In order to use it on master, the (gnu
packages commencement) module should also be modified, which is already
the case in wip-hurd.

I will push the patch to wip-hurd.

Manolis
From 846930e55796b04b00d61c3d9c15546c978a0af0 Mon Sep 17 00:00:00 2001
From: Manolis Ragkousis 
Date: Thu, 4 Feb 2016 15:50:19 +0200
Subject: [PATCH] gnu: glibc/linux: Rename linux-headers input to
 kernel-headers.

* gnu/packages/base.scm (glibc/linux)[propagated-inputs]: Use a kernel
  agnostic name for the kernel headers.
---
 gnu/packages/base.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 4373716..547753d 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -493,7 +493,7 @@ store.")
 
;; Glibc's  refers to , for instance, so glibc
;; users should automatically pull Linux headers as well.
-   (propagated-inputs `(("linux-headers" ,linux-libre-headers)))
+   (propagated-inputs `(("kernel-headers" ,linux-libre-headers)))
 
(outputs '("out" "debug"))
 
@@ -533,7 +533,7 @@ store.")
,version)
 
 (string-append "--with-headers="
-   (assoc-ref %build-inputs "linux-headers")
+   (assoc-ref %build-inputs "kernel-headers")
"/include")
 
 ;; This is the default for most architectures as of GNU libc 2.21,
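Review bot: renaming the propagated-input label changes the key under which the headers appear in `%build-inputs` and `inputs` for every package that pulls in glibc, so any remaining `(assoc-ref ... "linux-headers")` elsewhere in the tree (the cover note mentions `(gnu packages commencement)`) would silently get `#f` instead of a path. Grep for the old label before merging, and since glibc is a core package this belongs on a core-updates cycle, as noted in the thread.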
-- 
2.7.0



Gnupg 2.1.11

2016-02-04 Thread Andreas Enge
Hello,

since my update to 2.1.11, gnupg fails to build on hydra:
   http://hydra.gnu.org/build/990803
with a failure of one of the tests.

The package builds without problems on my machine. Could someone else
try it out, please?

Andreas




[PATCH] gnu: libcanberra: Add input gtk+-2.

2016-02-04 Thread Fabian Harfert
* gnu/packages/libcanberra.scm (libcanberra): Add input gtk+-2.
---
 gnu/packages/libcanberra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/libcanberra.scm b/gnu/packages/libcanberra.scm
index 3769e3f..4110e88 100644
--- a/gnu/packages/libcanberra.scm
+++ b/gnu/packages/libcanberra.scm
@@ -67,6 +67,7 @@
 (inputs
  `(("alsa-lib" ,alsa-lib)
("gstreamer" ,gstreamer)
+   ("gtk+" ,gtk+-2)
("gtk+" ,gtk+)
("libltdl" ,libltdl)
("libvorbis" ,libvorbis)
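Review bot: the added `("gtk+" ,gtk+-2)` reuses the label of the existing `("gtk+" ,gtk+)` entry, so the inputs alist now has two `"gtk+"` keys and `(assoc-ref inputs "gtk+")` will only ever return the first one (now GTK+ 2); use a distinct label such as `("gtk+-2" ,gtk+-2)`. The commit message should also carry the rationale given in the follow-up (packages that need libcanberra built with GTK+ 2 support).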
-- 
2.7.0




Re: [PATCH] gnu: libcanberra: Add input gtk+-2.

2016-02-04 Thread Fabian Harfert
On Thu,  4 Feb 2016 17:04:42 +0100
Fabian Harfert  wrote:

> * gnu/packages/libcanberra.scm (libcanberra): Add input gtk+-2.
> ---
>  gnu/packages/libcanberra.scm | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/gnu/packages/libcanberra.scm
> b/gnu/packages/libcanberra.scm index 3769e3f..4110e88 100644
> --- a/gnu/packages/libcanberra.scm
> +++ b/gnu/packages/libcanberra.scm
> @@ -67,6 +67,7 @@
>  (inputs
>   `(("alsa-lib" ,alsa-lib)
> ("gstreamer" ,gstreamer)
> +   ("gtk+" ,gtk+-2)
> ("gtk+" ,gtk+)
> ("libltdl" ,libltdl)
> ("libvorbis" ,libvorbis)

This is because some packages I'm working on need libcanberra with
gtk+-2.0 support.



Re: [PATCH] licenses: Add the fdl1.1+.

2016-02-04 Thread Fabian Harfert
On Wed, 3 Feb 2016 22:26:55 +0200
Efraim Flashner  wrote:

> On Wed, 3 Feb 2016 21:11:22 +0100
> Fabian Harfert  wrote:
> 
> > Am Wed, 3 Feb 2016 21:54:15 +0200
> > schrieb Efraim Flashner :
> > 
> >  [...]  
> >  [...]  
> >  [...]  
> > 
> > Could you please push that for me? I haven't got access to the git
> > repository(, yet).
> >   
> 
> Unfortunately something with the patch isn't letting me apply it
> against git so I'm going to have to ask someone else to do it since
> I'm about to head off to bed. Also, I realized you were missing
> `license: Add fdl1.1+` at the top line of your commit message.
> 

I thought that git generates the commit message from the mail subject.
Anyway, I don't know where else I should add the commit message.



Re: Review of installation manual draft

2016-02-04 Thread Petter

Hi Ludo,

Yes, I should be able to do that. I don't know texinfo yet but I'm
learning it now.


Petter



Re: The new Hydra

2016-02-04 Thread Daniel Pimentel

It's great!

--
Daniel Pimentel (d4n1)



Re: [v2 0/1] Jasper security fixes

2016-02-04 Thread Leo Famulari
On Thu, Feb 04, 2016 at 11:45:38AM +0100, Andreas Enge wrote:
> It is a bit frightening that such a package with lots of CVE fixes apparently
> is dead upstream (since the patches from 2008 have not been incorporated into
> a new release). On the other hand, someone must have written the patches;
> is there no new upstream who has taken over? If not, is the software still
> useful and unique enough to keep it around?

I agree. The upstream developers claim to be responsive [0] but it's
hard to reconcile that with 9 years of unpatched CVEs. Especially when
many of these patches address potential untrusted remote code execution.

It seems that sometimes a distro adopts another distro's patch, or
sometimes writes their own. Every distro is maintaining their own patch
quilt. Not good!

I haven't found a new upstream for jasper.

Thankfully, only Kodi depends on jasper in our tree. I searched my store
for other software that might have bundled it and found nothing, but I
don't have many programs that would handle JPEGs installed. Perhaps it's
possible to use some other JPEG implementation in Kodi and drop jasper.

Sadly, there are many packages in our tree, with active upstreams, that
are probably just as vulnerable.

> 
> Apart from these more fundamental questions, it looks good to push.

Done.

[0] http://www.ece.uvic.ca/~frodo/jasper/#faq



Crude diffoscope report generator

2016-02-04 Thread Leo Famulari
I have been investigating some reproducibility problems using Guix and
diffoscope. We have all the tools to make this possible but it's not
automated yet.

I've attached the crude shell script I've been using to build, rebuild,
and generate a diffoscope report. Perhaps it will help others and
inspire more work in this area :)

You use it from within your Guix checkout, and the only argument it
accepts is the name of a package.

BTW, the rsync options are adapted from --archive, but modified to alter
symlinks so that they do not point into the store. I'm sure they could
be improved.

#!/bin/sh

set -u
set -e

main() {
    if [ $# -lt 1 ]; then
        printf "Give a package name.\n"
        exit 1
    fi
    package=$1
    shift

    if [ $# -ne 0 ]; then
        printf "Unknown parameter %s\n" "$1"
        exit 1
    fi

    # Fresh comparison directories; mkdir fails (and set -e aborts)
    # if a previous run left them behind.
    mkdir a
    mkdir b

    # Build, copy the output out of the store, delete it, build again,
    # copy again, then compare the two copies.  -rLptgoD is --archive
    # with -l replaced by -L, so symlinks are dereferenced instead of
    # being copied as links pointing back into /gnu/store.
    mypath="$(./pre-inst-env guix build --no-substitutes "$package")" \
    && rsync -rLptgoD "$mypath" ./a \
    && guix gc -d "$mypath" \
    && mypath="$(./pre-inst-env guix build --no-substitutes "$package")" \
    && rsync -rLptgoD "$mypath" ./b \
    && guix gc -d "$mypath" \
    && diffoscope --html ./report ./a ./b
}
main "$@"
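
As an added example (not Leo's script and not part of Guix), a POSIX sh first pass over the ./a and ./b copies that script produces: it hashes every file with embedded /gnu/store hashes normalised, so only real content differences are listed before the slower diffoscope run. It assumes GNU coreutils (sha256sum, sort, uniq, cut), find and sed on PATH; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original script or of Guix.
# Assumes POSIX sh plus GNU coreutils (sha256sum, sort, uniq, cut),
# find and sed, as found on any Guix system.
set -u

# manifest DIR: print "sha256  ./relative/path" for every regular file
# under DIR.  Any 32-character /gnu/store hash embedded in a file is
# replaced by a fixed token first, so two copies of the same output
# that differ only in self-referencing store paths hash identically.
manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$(sed 's|/gnu/store/[0-9a-z]\{32\}-|/gnu/store/HASH-|g' "$f" \
            | sha256sum | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$f"
    done)
}

# compare_outputs DIR_A DIR_B: print the relative paths whose content
# differs (or that exist on one side only) and return 1 if there are
# any, 0 if the two trees are identical under the normalisation above.
compare_outputs() {
    ma=$(mktemp) && mb=$(mktemp) || return 2
    manifest "$1" > "$ma"
    manifest "$2" > "$mb"
    # Lines present in exactly one manifest are the differing files.
    differing=$(cat "$ma" "$mb" | LC_ALL=C sort | uniq -u \
                | cut -d' ' -f3- | LC_ALL=C sort -u)
    rm -f "$ma" "$mb"
    if [ -n "$differing" ]; then
        printf '%s\n' "$differing"
        return 1
    fi
    return 0
}

# Run as: sh compare.sh ./a ./b   (after the script above has filled them)
if [ $# -eq 2 ]; then
    compare_outputs "$1" "$2"
fi
```

Files that differ only by a store hash in a shebang or RPATH are reported as equal; anything else that differs is printed, one relative path per line, and is what you then hand to diffoscope.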


Re: [PATCH] gnu: net-tools: Use a different source mirror.

2016-02-04 Thread Leo Famulari
On Tue, Feb 02, 2016 at 09:38:43PM +, Jookia wrote:
> The current mirror for the source code now points to a domain parking website,
> so instead use this mirror I found online.

It looks like Debian is packaging git checkouts. I didn't look at what
repo they are of, but Debian also names this Sourceforge page as
upstream's home-page:
https://packages.debian.org/stretch/net/net-tools
http://sourceforge.net/projects/net-tools/

The repo is 10 years old and seems to be actively maintained. We should
see if it is suitable for packaging.

> 
> * gnu/packages/linux.scm (net-tools): Use a different uri for the origin.
> ---
>  gnu/packages/linux.scm | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 9d359e3..f6373a8 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -7,6 +7,7 @@
>  ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer 
>  ;;; Copyright © 2015, 2016 Efraim Flashner 
>  ;;; Copyright © 2016 Christopher Allan Webber 
> +;;; Copyright © 2016 Jookia <166...@gmail.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -951,8 +952,9 @@ manpages.")
>  (home-page "http://www.tazenda.demon.co.uk/phil/net-tools/;)
>  (source (origin
>   (method url-fetch)
> - (uri (string-append home-page "/" name "-"
> - version ".tar.bz2"))
> + (uri (string-append "http://distro.ibiblio.org/;
> +  "rootlinux/rootlinux-ports/base/"
> +  "net-tools/net-tools-1.60.tar.bz2"))
>   (sha256
>(base32
> "0yvxrzk0mzmspr7sa34hm1anw6sif39gyn85w4c5ywfn8inxvr3s"))
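Review bot: the replacement uri hard-codes "net-tools-1.60.tar.bz2" instead of building the file name from `name` and `version` as the removed lines did, so a future version bump would keep fetching 1.60 and only fail at the sha256 check; keep `name "-" version ".tar.bz2"` in the string-append. The `home-page` field two lines above still points at the domain the commit message says is now parked, so it should be updated in the same change (the reply above names the Sourceforge project page as a candidate). The unchanged sha256 is what makes pulling the tarball from a third-party ports mirror acceptable: the content is still checked against the previously verified hash.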
> -- 
> 2.7.0
> 
> 



[v2 0/1] Jasper security fixes

2016-02-04 Thread Leo Famulari
This is the same code as before with minor changes:

1. I realized that the jasper-stepsizes-overflow.patch was better named
jasper-CVE-2007-2721.patch and renamed it.

2. A whitespace fix.

3. I added my name in the copyright stanza.

If there are no comments I'll push today, or someone else may push.

Leo Famulari (1):
  gnu: jasper: Add fixes for several security flaws.

 gnu-system.am  |   9 +
 gnu/packages/image.scm |  14 +-
 gnu/packages/patches/jasper-CVE-2007-2721.patch|  20 +
 gnu/packages/patches/jasper-CVE-2008-3520.patch| 931 +
 .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch   |  31 +
 gnu/packages/patches/jasper-CVE-2014-8137.patch|  64 ++
 gnu/packages/patches/jasper-CVE-2014-8138.patch|  21 +
 gnu/packages/patches/jasper-CVE-2014-8157.patch|  19 +
 gnu/packages/patches/jasper-CVE-2014-8158.patch| 336 
 gnu/packages/patches/jasper-CVE-2014-9029.patch|  36 +
 gnu/packages/patches/jasper-CVE-2016-1867.patch|  18 +
 11 files changed, 1498 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/jasper-CVE-2007-2721.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch

-- 
2.6.3




[v2 1/1] gnu: jasper: Add fixes for several security flaws.

2016-02-04 Thread Leo Famulari
* gnu/packages/patches/jasper-CVE-2007-2721.patch,
gnu/packages/patches/jasper-CVE-2008-3520.patch,
gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch,
gnu/packages/patches/jasper-CVE-2014-8137.patch,
gnu/packages/patches/jasper-CVE-2014-8138.patch,
gnu/packages/patches/jasper-CVE-2014-8157.patch,
gnu/packages/patches/jasper-CVE-2014-8158.patch,
gnu/packages/patches/jasper-CVE-2014-9029.patch,
gnu/packages/patches/jasper-CVE-2016-1867.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/image.scm (jasper)[source]: Add patches.
---
 gnu-system.am  |   9 +
 gnu/packages/image.scm |  14 +-
 gnu/packages/patches/jasper-CVE-2007-2721.patch|  20 +
 gnu/packages/patches/jasper-CVE-2008-3520.patch| 931 +
 .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch   |  31 +
 gnu/packages/patches/jasper-CVE-2014-8137.patch|  64 ++
 gnu/packages/patches/jasper-CVE-2014-8138.patch|  21 +
 gnu/packages/patches/jasper-CVE-2014-8157.patch|  19 +
 gnu/packages/patches/jasper-CVE-2014-8158.patch| 336 
 gnu/packages/patches/jasper-CVE-2014-9029.patch|  36 +
 gnu/packages/patches/jasper-CVE-2016-1867.patch|  18 +
 11 files changed, 1498 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/jasper-CVE-2007-2721.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch

diff --git a/gnu-system.am b/gnu-system.am
index 87ce88a..04bd519 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -545,7 +545,16 @@ dist_patch_DATA =  
\
   gnu/packages/patches/icu4c-CVE-2015-4760.patch   \
   gnu/packages/patches/imagemagick-test-segv.patch \
   gnu/packages/patches/irrlicht-mesa-10.patch  \
+  gnu/packages/patches/jasper-CVE-2007-2721.patch  \
+  gnu/packages/patches/jasper-CVE-2008-3520.patch  \
   gnu/packages/patches/jasper-CVE-2008-3522.patch  \
+  gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch \
+  gnu/packages/patches/jasper-CVE-2014-8137.patch  \
+  gnu/packages/patches/jasper-CVE-2014-8138.patch  \
+  gnu/packages/patches/jasper-CVE-2014-8157.patch  \
+  gnu/packages/patches/jasper-CVE-2014-8158.patch  \
+  gnu/packages/patches/jasper-CVE-2014-9029.patch  \
+  gnu/packages/patches/jasper-CVE-2016-1867.patch  \
   gnu/packages/patches/jbig2dec-ignore-testtest.patch  \
   gnu/packages/patches/kmod-module-directory.patch \
   gnu/packages/patches/ldc-disable-tests.patch \
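Review bot: the jasper-CVE-2011-4516-and-CVE-2011-4517.patch entry is the only new line whose `\` continuation does not sit in the column used by the surrounding entries; purely cosmetic, but the rest of dist_patch_DATA keeps that alignment. The nine new entries are otherwise inserted in sorted order around the existing jasper-CVE-2008-3522.patch line, consistent with the list.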
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index bf120f0..f287054 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer 
 ;;; Copyright © 2015 Amirouche Boubekki 
 ;;; Copyright © 2014 John Darrington 
+;;; Copyright © 2016 Leo Famulari 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -719,7 +720,18 @@ convert, manipulate, filter and display a wide variety of 
image formats.")
   (sha256
(base32
 "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b"))
-  (patches (list (search-patch "jasper-CVE-2008-3522.patch")
+  (patches
+(list
+  (search-patch "jasper-CVE-2007-2721.patch")
+  (search-patch "jasper-CVE-2008-3520.patch")
+  (search-patch "jasper-CVE-2008-3522.patch")
+  (search-patch "jasper-CVE-2011-4516-and-CVE-2011-4517.patch")
+  (search-patch "jasper-CVE-2014-8137.patch")
+  (search-patch "jasper-CVE-2014-8138.patch")
+  (search-patch "jasper-CVE-2014-8157.patch")
+  (search-patch "jasper-CVE-2014-8158.patch")
+  (search-patch "jasper-CVE-2014-9029.patch")
+  (search-patch "jasper-CVE-2016-1867.patch")
 (build-system gnu-build-system)
 (native-inputs
  `(("unzip" ,unzip)))
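Review bot: the new list changes the order in which patches are applied: jasper-CVE-2007-2721.patch and jasper-CVE-2008-3520.patch (931 lines per the diffstat) now run before the previously sole jasper-CVE-2008-3522.patch, so the commit message should state that all nine apply cleanly in this order, since a large patch touching the same files can shift the hunks of the later ones. A short comment above the list naming where each patch was taken from (the cover letter only says one was renamed) would let the next maintainer re-check them against the upstream or distribution versions. `(patches (map search-patch '(...)))` would be shorter than nine `search-patch` calls, but `list` matches the line being replaced, so either is fine.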
diff --git a/gnu/packages/patches/jasper-CVE-2007-2721.patch 
b/gnu/packages/patches/jasper-CVE-2007-2721.patch
new file mode 100644
index 000..9838247
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2007-2721.patch
@@ -0,0 +1,20 @@
+Fix