Re: Thoughts on GuixSD and IDS like AIDE and Tripwire

2016-12-31 Thread Pjotr Prins
On Sat, Dec 31, 2016 at 05:28:14AM -0800, dian_ce...@zoho.com wrote:
> Hello everyone,
> 
>  I have been giving GuixSD some thought as the holidays pass and I had a
> question I wanted to ask. During a recent scare with a computer on my LAN
> being compromised (a Windows system), I've been giving thought to some
> issues with securing desktops, and one of those is file integrity wrt
> unsolicited/undesired modification. Naturally (which may point out my
> general inexperience with this kind of thing) I thought of things like AIDE
> and Tripwire, and gave some thought to how such systems (which are
> hash-based, iirc) could possibly be useful to help recover a system from a
> break-in (given the hash records aren't available locally), which brings us
> back to one of GuixSD's goals of deterministic builds.
> 
>  I seem to recall that there was some goal to be able to check each
> other's builds by comparing hashes of builds via some currently unknown
> method (I think GNUnet was going to be the transport medium, but I'm not
> entirely sure if that was a serious plan or what), and while that is
> certainly interesting for checking to make sure a build completed properly
> or that a build is in fact deterministic (and, by extension, that there
> isn't an obscure bug in someone's CPU ala the Pentium floating point bug
> from ages past), I had given some thought about all of this in relation to
> IDSs. Has anyone given any thought to possibly compiling and distributing a
> checksum list ala AIDE (GPLed, fwiw) or Tripwire (GPL as well) for use with
> GuixSD systems? While this certainly isn't a complete solution for an IDS
> (in fact, I haven't even looked yet to see how feasible this is with the
> aforementioned software; this is more a thought experiment than anything),
> it feels like it might be something useful, which is why I'm mentioning it
> here.

Yes, you can do a challenge build. Not all builds are fully
deterministic yet, so there will be conflicts. I use guix publish
on a server, so I can compare the stores on two machines, which
ought to be identical. That is a pretty fast way to
do it provided they are not both compromised ;)

At the moment we don't store hashes in a database for the contents of
a build tree. I think it is a good idea to have the option to create a
tripwire-like database at build/install time, almost for free,
provided the user moves that database off-site for later (fast)
comparisons. It can actually speed up challenge builds.

I used to run tripwire a lot, but somehow have become
confident in my security setup (rightly or wrongly so). At least with
Guix I know I can quickly rebuild a new system that behaves as the
compromised one. That makes me happy.

Pj.
-- 



Re: Icecat crash

2016-12-31 Thread Maxim Cournoyer
Hi Danny!

Good find; I can reproduce the crash here... I don't even need to
scroll, it's nearly instant! Here's the IceCat generated report
(copied from IceCat's crash popup window):

AbortMessage: [31898] ###!!! ABORT: X_CopyArea: BadDrawable (invalid Pixmap or 
Window parameter); 3 requests ago: file 
/tmp/guix-build-icecat-45.5.1-gnu1.drv-0/icecat-45.5.1/toolkit/xre/nsX11ErrorHandler.cpp,
 line 157
Add-ons: 
%7B46551EC9-40F0-4e47-8E18-8E5CF550CFB8%7D:2.0.7,abouticecat%40gnu.org:1.0,https-everywhere-eff%40eff.org:5.2.7,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:45.5.1,loop%40mozilla.org:1.1.14,spyblock%40gnu.org:2.6.9.0,html5-video-everywhere%40lejenome.me:0.3.4,jid1-KtlZuoiikVfFew%40jetpack:6.0.13
AddonsShouldHaveBlockedE10s: 1
BuildID: 20161211072134
CrashTime: 1483219996
EMCheckCompatibility: true
FramePoisonBase: 70dea000
FramePoisonSize: 4096
InstallTime: 1481616437
Notes: OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) 
Ironlake Mobile  -- 2.1 Mesa 13.0.2 -- texture_from_pixmap
X_CopyArea: BadDrawable (invalid Pixmap or Window parameter); 3 requests 
agoxpcom_runtime_abort([31898] ###!!! ABORT: X_CopyArea: BadDrawable (invalid 
Pixmap or Window parameter); 3 requests ago: file 
/tmp/guix-build-icecat-45.5.1-gnu1.drv-0/icecat-45.5.1/toolkit/xre/nsX11ErrorHandler.cpp,
 line 157)
ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
ProductName: IceCat
ReleaseChannel: default
SafeMode: 0
SecondsSinceLastCrash: 285
StartupTime: 1483219929
TelemetryEnvironment: 
{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"IceCat","architecture":"x86-64","buildId":"20161211072134","version":"45.5.1","vendor":"GNU","platformVersion":"45.5.1","xpcomAbi":"x86_64-gcc3","hotfixVersion":null},"partner":{"distributionId":"gnu","distributionVersion":"1.0","partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":3753,"virtualMaxMB":null,"cpu":{"count":2,"cores":2,"vendor":"GenuineIntel","family":6,"model":37,"stepping":5,"l2cacheKB":256,"l3cacheKB":2048,"speedMHz":1197,"extensions":["hasMMX","hasSSE","hasSSE2","hasSSE3","hasSSSE3"]},"os":{"name":"Linux","version":"4.8.14-gnu","locale":"en-US"},"hdd":{"profile":{"model":null,"revision":null},"binary":{"model":null,"revision":null},"system":{"model":null,"revision":null}},"gfx":{"D2DEnabled":null,"DWriteEnabled":null,"adapters":[{"description":"Intel
 Open Source Technology Center -- Mesa DRI Intel(R) Ironlake Mobile 
","vendorID":"Intel Open Source Technology Center","deviceID":"Mesa DRI 
Intel(R) Ironlake Mobile 
","subsysID":null,"RAM":null,"driver":null,"driverVersion":"2.1 Mesa 
13.0.2","driverDate":null,"GPUActive":true}],"monitors":[],"features":{"compositor":"none"}}},"settings":{"blocklistEnabled":false,"e10sEnabled":false,"telemetryEnabled":false,"isInOptoutSample":false,"locale":"en-US","update":{"channel":"default","enabled":false,"autoDownload":false},"userPrefs":{"browser.cache.disk.capacity":358400,"browser.newtabpage.enhanced":false,"browser.startup.page":3,"general.smoothScroll":false},"addonCompatibilityCheckEnabled":true,"isDefaultBrowser":false},"profile":{"creationDate":17094,"resetDate":17100},"addons":{"activeAddons":{"{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}":{"blocklisted":false,"description":"Restyle
 the web with Stylish, a user styles 
manager.","name":"Stylish","userDisabled":false,"appDisabled":false,"version":"2.0.7","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17100,"updateDay":17100,"signedState":2},"l...@mozilla.org":{"blocklisted":false,"description":"Web
 sharing for IceCat","name":"IceCat Hello 
Beta","userDisabled":false,"appDisabled":false,"version":"1.1.14","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":0,"updateDay":0},"aboutice...@gnu.org":{"blocklisted":false,"description":null,"name":"IceCatHome","userDisabled":false,"appDisabled":false,"version":"1.0","scope":4,"type":"extension","foreignInstall":true,"hasBinaryComponents":false,"installDay":0,"updateDay":0,"signedState":0},"spybl...@gnu.org":{"blocklisted":false,"description":"Privacy
 blacklist 
filter","name":"SpyBlock","userDisabled":false,"appDisabled":false,"version":"2.6.9.0","scope":4,"type":"extension","foreignInstall":true,"hasBinaryComponents":false,"installDay":0,"updateDay":0,"signedState":0},"https-everywhere-...@eff.org":{"blocklisted":false,"description":"Encrypt
 the Web! Automatically use HTTPS security on many sites.","name":"HTTPS 
Everywhere","userDisabled":false,"appDisabled":false,"version":"5.2.7","scope":4,"type":"extension","foreignInstall":true,"hasBinaryComponents":false,"installDay":0,"updateDay":0,"signedState":-2},"html5-video-everywh...@lejenome.me":{"blocklisted":false,"description":"Replace
 video player with Firefox native video player","name":"HTML5 Video 

Re: 01/01: gnu: Add Nagios.

2016-12-31 Thread Ludovic Courtès
Leo Famulari  skribis:

> On Wed, Nov 30, 2016 at 10:31:09PM +, Ludovic Courtès wrote:
>> civodul pushed a commit to branch master
>> in repository guix.
>> 
>> commit d30e578a0011b05d1e7d8b3ba7ee38588eba301c
>> Author: Ludovic Courtès 
>> Date:   Wed Nov 30 23:26:57 2016 +0100
>> 
>> gnu: Add Nagios.
>> 
>> * gnu/packages/monitoring.scm: New file.
>> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
>
>> +(version "4.0.8")
>> +;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS.
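Review bot: the `;; XXX` comment on the `(version "4.0.8")` line records why a newer release was not taken (bundled AngularJS) but not what staying on 4.0.8 gives up; a version pinned below upstream for bundling reasons needs a note of the security fixes it forgoes and a reminder to revisit, otherwise the pin outlives its reason. Suggest extending the comment along the lines of `;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS; check upstream advisories before keeping this pin.`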
>
> This version of Nagios includes some severe security vulnerabilities:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9565
>
> They allow remote attackers to read and write arbitrary files (leading
> to remote code execution) or to escalate privilege to the superuser.
>
> What should we do?

Updated to 4.2.4 in 7fc2d377d16b5aefacf01e3c9105dc0344a33dbe.

Ludo’.



Re: 01/01: gnu: Add Nagios.

2016-12-31 Thread Ludovic Courtès
Leo Famulari  skribis:

> On Wed, Nov 30, 2016 at 10:31:09PM +, Ludovic Courtès wrote:
>> civodul pushed a commit to branch master
>> in repository guix.
>> 
>> commit d30e578a0011b05d1e7d8b3ba7ee38588eba301c
>> Author: Ludovic Courtès 
>> Date:   Wed Nov 30 23:26:57 2016 +0100
>> 
>> gnu: Add Nagios.
>> 
>> * gnu/packages/monitoring.scm: New file.
>> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
>
>> +(version "4.0.8")
>> +;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS.
>
> This version of Nagios includes some severe security vulnerabilities:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9565
>
> They allow remote attackers to read and write arbitrary files (leading
> to remote code execution) or to escalate privilege to the superuser.
>
> What should we do?

We should upgrade, even if that means bundling AngularJS (there’s no
other way :-/).  I’ll look into it ASAP.

Thanks for the reminder!

Ludo’.



‘guix copy’

2016-12-31 Thread Ludovic Courtès
Hello Guix!  :-)

I’m pleased to announce the last(?) feature of the year: ‘guix copy’!
It copies store items over SSH, pretty much like ‘guix offload’ already
does; documentation below.

Currently there’s no progress report and error reporting is suboptimal,
but I find it useful already.

Feedback welcome!

Ludo’.


5.13 Invoking ‘guix copy’
=========================

The ‘guix copy’ command copies items from the store of one machine to
that of another machine over a secure shell (SSH) connection(1).  For
example, the following command copies the ‘coreutils’ package, the
user’s profile, and all their dependencies over to HOST, logged in as
USER:

 guix copy --to=USER@HOST \
   coreutils `readlink -f ~/.guix-profile`

   If some of the items to be copied are already present on HOST, they
are not actually sent.

   The command below retrieves ‘libreoffice’ and ‘gimp’ from HOST,
assuming they are available there:

 guix copy --from=HOST libreoffice gimp

   The SSH connection is established using the Guile-SSH client, which
is compatible with OpenSSH: it honors ‘~/.ssh/known_hosts’ and
‘~/.ssh/config’, and uses the SSH agent for authentication.

   The key used to sign items that are sent must be accepted by the
remote machine.  Likewise, the key used by the remote machine to sign
items you are retrieving must be in ‘/etc/guix/acl’ so it is accepted by
your own daemon.  *Note Invoking guix archive::, for more information
about store item authentication.

   The general syntax is:

 guix copy [--to=SPEC|--from=SPEC] ITEMS...

   You must always specify one of the following options:

‘--to=SPEC’
‘--from=SPEC’
 Specify the host to send to or receive from.  SPEC must be an SSH
 spec such as ‘example.org’, ‘char...@example.org’, or
 ‘char...@example.org:’.

   The ITEMS can be either package names, such as ‘gimp’, or store
items, such as ‘/gnu/store/...-idutils-4.6’.

   When specifying the name of a package to send, it is first built if
needed, unless ‘--dry-run’ was specified.  Common build options are
supported (*note Common Build Options::).

   -- Footnotes --

   (1) This command is available only when Guile-SSH was found.  *Note
Requirements::, for details.
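The paragraph on store item authentication above is the part of ‘guix copy’ a practitioner should check before pulling anything: items retrieved from HOST are only accepted if the key HOST's daemon signed them with is in the local ‘/etc/guix/acl’. The following is an added example, not part of Ludo's message or of the Guix manual, that reads the two files involved and answers "is this remote daemon's key already authorized here?". It assumes the canonical s-expression layout Guix writes for ‘/etc/guix/signing-key.pub’ and ‘/etc/guix/acl’ (a `(public-key (ecc (curve Ed25519) (q #HEX#)))` key and an `(acl (entry (public-key ...) (tag (guix import))) ...)` list); the hex key material in the samples is made up, and `remote_key_authorized` is a hypothetical helper name.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample of a daemon's public signing key in the layout Guix
# uses for /etc/guix/signing-key.pub.  The hex key material is made up.
REMOTE_KEY = """(public-key
 (ecc
  (curve Ed25519)
  (q #1111111111111111111111111111111111111111111111111111111111111111#)
  )
 )
"""

# Constructed sample of /etc/guix/acl authorizing exactly the key above.
ACL = """(acl
 (entry
  (public-key
   (ecc
    (curve Ed25519)
    (q #1111111111111111111111111111111111111111111111111111111111111111#)
    )
   )
  (tag
   (guix import)
   )
  )
 )
"""

# A key that is not in the ACL: items signed with it must be refused.
UNKNOWN_KEY = REMOTE_KEY.replace("1" * 64, "2" * 64)

# Tokens of the advanced s-expression syntax: parens, #hex# strings, atoms.
_TOKEN = re.compile(r"\(|\)|#[0-9A-Fa-f\s]*#|[^\s()]+")


def parse_sexp(text):
    """Read one s-expression into nested lists of strings.  #hex# strings are
    normalised to lowercase without whitespace so keys compare exactly."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise ValueError("unbalanced '('")
            pos += 1  # consume the closing paren
            return items
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if len(tok) >= 2 and tok.startswith("#") and tok.endswith("#"):
            return "#" + re.sub(r"\s+", "", tok[1:-1]).lower() + "#"
        return tok

    result = read()
    if pos != len(tokens):
        raise ValueError("trailing data after s-expression")
    return result


def key_id(public_key):
    """Identify an ECC public key (public-key (ecc (curve C) (q #..#))) by (curve, q)."""
    if not (isinstance(public_key, list) and public_key and public_key[0] == "public-key"):
        raise ValueError("not a public-key s-expression")
    algo = public_key[1]
    fields = {item[0]: item[1] for item in algo[1:]
              if isinstance(item, list) and len(item) == 2}
    if algo[0] != "ecc" or "curve" not in fields or "q" not in fields:
        raise ValueError("unsupported key type")
    return (fields["curve"], fields["q"])


def authorized_keys(acl_text):
    """All (curve, q) pairs listed in an (acl (entry (public-key ...) ...) ...) file."""
    acl = parse_sexp(acl_text)
    if not (isinstance(acl, list) and acl and acl[0] == "acl"):
        raise ValueError("not an acl s-expression")
    keys = []
    for entry in acl[1:]:
        if isinstance(entry, list) and entry and entry[0] == "entry":
            for item in entry[1:]:
                if isinstance(item, list) and item and item[0] == "public-key":
                    keys.append(key_id(item))
    return keys


def is_authorized(acl_text, public_key_text):
    """True if the given signing key is one the local daemon will accept."""
    return key_id(parse_sexp(public_key_text)) in authorized_keys(acl_text)


def remote_key_authorized(spec, acl_path="/etc/guix/acl"):
    """Hypothetical helper: fetch USER@HOST's daemon key over SSH and check it
    against the local ACL.  Authorizing is left to the real command,
    `guix archive --authorize < signing-key.pub`, run as root."""
    key_text = subprocess.run(["ssh", spec, "cat", "/etc/guix/signing-key.pub"],
                              check=True, capture_output=True, text=True).stdout
    return is_authorized(Path(acl_path).read_text(), key_text)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        spec = sys.argv[1]
        if remote_key_authorized(spec):
            print(f"ok: `guix copy --from={spec} ITEMS...` will be accepted")
        else:
            print("refused: authorize the remote key first with `guix archive --authorize`")
    else:
        print("sample ACL authorizes sample key:", is_authorized(ACL, REMOTE_KEY))
```

Run with no argument to exercise the constructed samples, or with `USER@HOST` to check a real remote (the SSH spec is passed to `ssh` unchanged, so a `:port` suffix is not handled here). The check is deliberately done on the local ACL rather than by attempting the copy, so a missing authorization shows up before any store item crosses the wire.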




Re: [PATCH 02/10] gnu: Add propeller-binutils.

2016-12-31 Thread Ricardo Wurmus

Ludovic Courtès  writes:

> Ricardo Wurmus  skribis:
>
>> * gnu/packages/embedded.scm (propeller-binutils): New variable.
>
> [...]
>
>> + ,@(substitute-keyword-arguments (package-arguments xbinutils)
>> + ((#:configure-flags flags)
>> +  `(cons "--disable-nls" ,flags)
>
> That shouldn't be needed.

Okay.

>> +  (native-inputs
>> +   `(("bison" ,bison)
>> + ("flex" ,flex)
>> + ("texinfo" ,texinfo)
>> + ("dejagnu" ,dejagnu)
>
> The test failures you see are because you added DejaGNU here.  The other
> Binutils instances don’t have it, so few tests are run I guess.  :-)
>
> If this is not needed for bootstrapping, I’d suggest removing it.

I added DejaGNU because it provides “runtest”, which is needed by the
tests.  Without DejaGNU the check phase fails trying to execute
“runtest”.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
http://elephly.net




Re: Shutdown of googlecode end of the year - we have affected packages!

2016-12-31 Thread ng0
I am trying to add mp4v2, and while it's functional, I'm in
contact with upstream to figure out where (if at all) it moved.

So far the (anonymous) opinion, which I do share, is that the
situation is chaotic with so many forks out there. Depending on
how the discussion(s) end, I will (or will not) suggest
doing a fork on the side of the GNU project or at our side (of
GNUnet eV). There has been no official statement so far which I
could forward or quote, so this opinion is only in here because
it's a view I share and had before I started reaching out to
upstream.

-- 
♥Ⓐ  ng0
PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org



Re: [PATCH] gnu: tar: Fix CVE-2016-6321.

2016-12-31 Thread Alex Vong
This is an updated version of the patch. There is only a minor stylistic
change: spaces in local.mk are changed to tabs.

From 0cf96ac1167906565c560a12ab730d2192779315 Mon Sep 17 00:00:00 2001
From: Alex Vong 
Date: Sat, 31 Dec 2016 00:05:49 +0800
Subject: [PATCH] gnu: tar: Fix CVE-2016-6321.

* gnu/packages/patches/tar-CVE-2016-6321.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/base.scm (tar)[source]: Add it.
---
 gnu/local.mk |  1 +
 gnu/packages/base.scm|  3 +-
 gnu/packages/patches/tar-CVE-2016-6321.patch | 51 
 3 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/tar-CVE-2016-6321.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 69633131e..9137a466e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -862,6 +862,7 @@ dist_patch_DATA =		\
   %D%/packages/patches/t1lib-CVE-2010-2642.patch		\
   %D%/packages/patches/t1lib-CVE-2011-0764.patch		\
   %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch		\
+  %D%/packages/patches/tar-CVE-2016-6321.patch			\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tcl-mkindex-deterministic.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 50c306009..ce6e3782c 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -162,7 +162,8 @@ implementation offers several extensions over the standard utility.")
 (sha256
  (base32
   "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
-(patches (search-patches "tar-skip-unreliable-tests.patch"
+(patches (search-patches "tar-CVE-2016-6321.patch"
+ "tar-skip-unreliable-tests.patch"
(build-system gnu-build-system)
;; Note: test suite requires ~1GiB of disk space.
(arguments
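Review bot: adding a patch to the `source` of `tar` in gnu/packages/base.scm changes a package that every other package depends on through gnu-build-system, so this hunk triggers a rebuild of the whole distribution; by Guix practice a change of that scale goes to the core-updates branch, while a security fix that must reach users now is delivered on master as a graft (a `replacement` field pointing at a patched tar, with the real rebuild following on core-updates). Suggest restructuring the commit that way rather than patching the source directly on master.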
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
new file mode 100644
index 0..9e6ee653d
--- /dev/null
+++ b/gnu/packages/patches/tar-CVE-2016-6321.patch
@@ -0,0 +1,51 @@
+Fix CVE-2016-6321:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
+https://security-tracker.debian.org/tracker/CVE-2016-6321
+
+Patches copied from upstream source repository
+(with modification to NEWS removed since it hunks out to a reject file):
+
+http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
+
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert 
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ NEWS  | 8 +++-
+ src/extract.c | 8 
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
 b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		  && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++ERROR ((0, 0, _("%s: Member name contains '..'"),
++	quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++  || skip_dotdot_name
+   || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+ {
+-- 
+2.11.0
+
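Review bot: the diffstat of the embedded upstream commit (`NEWS | 8 +++-` and `2 files changed, 15 insertions(+), 1 deletion(-)`) still counts the NEWS hunk that the header above says was removed, so the stat no longer matches the hunks that follow; either drop the NEWS line and adjust the totals or omit the stat, since `patch` ignores it but anyone verifying this file against upstream commit 7340f67b will trip over it. Also, the `+++ b/src/extract.c` header shows here as ` b/src/extract.c` without its `+++` prefix; that is most likely an artifact of the list archive, but confirm the file in the tree has the full header or the patch will not apply. The logic itself matches upstream: `skip_dotdot_name` is set only when `--absolute-names` is off and the original member name contains a `..` component, and the member is then reported and skipped through the same branch as an unconfirmed interactive extraction.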
-- 
2.11.0



signature.asc
Description: PGP signature


[PATCH] gnu: Add tipp10 touch typing tutor.

2016-12-31 Thread Hartmut Goebel
* gnu/packages/education.scm (touch10): New variable.
* gnu/packages/patches/tipp10-fix-compiling.patch,
  gnu/packages/patches/tipp10-remove-license-code.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk   |   2 +
 gnu/packages/education.scm |  58 
 gnu/packages/patches/tipp10-fix-compiling.patch| 213 +
 .../patches/tipp10-remove-license-code.patch   | 332 +
 4 files changed, 605 insertions(+)
 create mode 100644 gnu/packages/patches/tipp10-fix-compiling.patch
 create mode 100644 gnu/packages/patches/tipp10-remove-license-code.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b7c182f..ee2014e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -873,6 +873,8 @@ dist_patch_DATA =   
\
   %D%/packages/patches/texi2html-i18n.patch\
   %D%/packages/patches/tidy-CVE-2015-5522+5523.patch   \
   %D%/packages/patches/tinyxml-use-stl.patch   \
+  %D%/packages/patches/tipp10-fix-compiling.patch  \
+  %D%/packages/patches/tipp10-remove-license-code.patch\
   %D%/packages/patches/tk-find-library.patch   \
   %D%/packages/patches/ttf2eot-cstddef.patch   \
   %D%/packages/patches/ttfautohint-source-date-epoch.patch \
diff --git a/gnu/packages/education.scm b/gnu/packages/education.scm
index 3a88307..43e73a0 100644
--- a/gnu/packages/education.scm
+++ b/gnu/packages/education.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 Danny Milosavljevic 
 ;;; Copyright © 2016 Ricardo Wurmus 
+;;; Copyright © 2016 Hartmut Goebel 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -138,3 +139,60 @@ of categories with some of the activities available in 
that category.
 @end enumerate
 ")
 (license license:gpl3+)))
+
+(define-public tipp10
+  (package
+(name "tipp10")
+(version "2.1.0")
+(source (origin
+  (method url-fetch)
+  ;; guix download is not able to handle the download links on the
+  ;; home-page, which use ''
+  (uri (string-append "mirror://debian/pool/main/"
+  "t/tipp10/tipp10_2.1.0.orig.tar.gz"))
+  (sha256
+   (base32
+"0d387b404j88gsv6kv0rb7wxr23v5g5vl6s5l7602x8pxf7slbbx"))
+  (patches (search-patches "tipp10-fix-compiling.patch"
+   "tipp10-remove-license-code.patch"
+(build-system cmake-build-system)
+(arguments
+ `(#:tests? #f ; packages has no tests
+   #:phases
+   (modify-phases %standard-phases
+ (add-after 'unpack 'disable-new-version-check
+  (lambda _
+;; Make new version check to default to false.
+;; TODO: Remove the checkbox from the dialog and the check itself
+(substitute* '("widget/settingspages.cpp" "widget/mainwindow.cpp")
+  (("settings.value(\"check_new_version\", true)")
+   "settings.value(\"check_new_version\", false)"
+ (replace 'configure
+  (lambda* (#:key outputs #:allow-other-keys)
+(let ((out (assoc-ref outputs "out")))
+  ;; Make program honor $PREFIX
+  (substitute* "tipp10.pro"
+(("\\.path = /usr/") (string-append ".path = " out "/")))
+  (substitute* "def/defines.h"
+(("\"/usr/") (string-append "\"" out "/")))
+  ;; Recreate Makefile
+  (zero? (system* "qmake"
+(inputs
+ `(("qt4" ,qt-4)
+   ("sqlite" ,sqlite)))
+(home-page "https://www.tipp10.com/;)
+(synopsis "Touch typing tutor")
+(description "Tipp10 is a touch typing tutor for Windows, Mac OS and
+Linux.  The ingenious thing about the software is its intelligence feature:
+Characters that are mistyped are repeated more frequently.  Beginners will
+find their way around right away so they can start practicing without a hitch.
+
+Useful support functions and an extensive progress tracker, topical lessons
+and the ability to create your own practice lessons make learning to type
+easy.
+
+Note: To change the language settings choose Datei (File) →
+Grundeinstellungen (Generell Settings) → Sprache (Language) and change from
+Deutsch to English. The you have restart the program to have the change take
+effect.")
+(license license:gpl2)))
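Review bot: the `uri` hardcodes `tipp10_2.1.0.orig.tar.gz` while `(version "2.1.0")` is declared just above; build the file name from `version` (`"t/tipp10/tipp10_" version ".orig.tar.gz"`) so an update cannot leave the two out of step. `cmake-build-system` is selected, but the `configure` phase is replaced by a `qmake` call, so CMake never runs and is only an unused build input; `gnu-build-system` with `qt-4` providing qmake describes this build more honestly. The comment explaining why the tipp10.com download links cannot be used says they use `''` with nothing between the quotes as shown here; spell out the actual link syntax so the next person can re-check it. Minor: `; packages has no tests` wants `package`, and in the description "Generell Settings" and "The you have restart the program" should read "General Settings" and "Then you have to restart the program".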
diff --git a/gnu/packages/patches/tipp10-fix-compiling.patch 
b/gnu/packages/patches/tipp10-fix-compiling.patch
new file mode 100644
index 000..4c206d4
--- /dev/null
+++ b/gnu/packages/patches/tipp10-fix-compiling.patch
@@ -0,0 +1,213 @@
+Description: Debian patches to make tipp10 compile
+Author: Christoph Martin 
+Last-Update: 2016-07-20
+

Re: [PATCH] gnu: Add tipp10 touch typing tutor.

2016-12-31 Thread Hartmut Goebel
Am 19.12.2016 um 22:39 schrieb Ludovic Courtès:
>
>> +  (uri (string-append "mirror://debian/pool/main/"
>> +  "t/tipp10/tipp10_2.1.0.orig.tar.gz"))
> Is there really no upstream for this program?  tipp10.com seems to be
> live, no?

There is, but guix is not able to handle the download URL, which is
 or
. This page
uses  "". I asked the
author for a different URL, but he did not answer.


>
>> +  (patches (search-patches "tipp10-FixCompiling.patch"
>> +   "tipp10-RemoveLicenseCode.patch"
> Please use lowercase and hyphens for file names.  :-)

Anything else unimportant I can waste my time on? These are the
file-names of the patches at debian. I see absolutely no benefit in
changing them.


>
>> +(description " TIPP10 is a free touch typing tutor for Windows, Mac OS 
>> and
>  ^
> Extra space.
>
> Please don’t mention supported operating systems; what matters is that
> it works on GNU.

IMO this is interesting for users and for spreading free software. If
one reads this I might think: "Oh, cool, I can recommend this to some
friend still using Windooze and may convince her about free software."

>
>> +Linux.  The ingenious thing about the software is its intelligence feature.
> “Intelligence feature” sounds vague; could it be rephrased in more
> precise terms?
>
>> +Note: To change the language settings choose Datei (File) →
>> +Grundeinstellungen (Generell Settings) → Sprache (Language) and change from
>> +Deutsch to English. The you have restart the program to have the change take
>> +effect.")
> This information doesn’t belong here.
>
> Does Debian have patches to make this program honor the current locale?
> That would be the best option.

No, there are no patches, this is why I put this information there. If
you dislike it, please recommend a better place.

>
>> +(license license:gpl2)))
> Version 2 only?

This is what https://www.tipp10.com/en/download/ says.

>
>> +-Exec=tipp10
>> ++Exec=/usr/bin/tipp10
> This doesn’t look useful.

Yes, but this is part of the original Debian patch. I'd prefer to keep
this patch unchanged to make it easier to follow any changes or fixes
Debian incorporates. Since guix is fixing this path anyway, there is no
use in maintaining our own set of patches.

To be frank, some of your comments on this patch are nitpicking at its
best. I have the impression that you did not trust me to have spent only
a little thought on what I'm doing. And you are demanding things (patch
filenames, changes to upstream patches) which have no or negligible
benefit – even if seen in the long run. This is *very* discouraging!

-- 
Regards
Hartmut Goebel

| Hartmut Goebel  | h.goe...@crazy-compilers.com   |
| www.crazy-compilers.com | compilers which you thought are impossible |




[PATCH 4/4] gnu: Add python-bpython.

2016-12-31 Thread Hartmut Goebel
* gnu/packages/python.scm (python-bpython, python2-bpython): New
  variables.
---
 gnu/packages/python.scm | 41 +
 1 file changed, 41 insertions(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 75f5fba..af6ab2f 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -12387,3 +12387,44 @@ fullscreen terminal rendering, and keyboard input 
event reporting. ")
 
 (define-public python2-curtsies-0.1
   (package-with-python2 python-curtsies-0.1))
+
+(define-public python-bpython
+  (package
+(name "bpython")
+(version "0.16")
+(source
+  (origin
+(method url-fetch)
+(uri (pypi-uri "bpython" version))
+(sha256
+  (base32
+   "0pv5dy84idh0l8kxy01ipkpxrf9kcfb7h5q16gqxg2mx0bvdvwzs"))
+(file-name (string-append name "-" version ".tar.gz"
+(build-system python-build-system)
+(propagated-inputs
+ `(("python-pygments" ,python-pygments)
+   ("python-requests", python-requests)
+   ("python-babel" ,python-babel) ;; optional, for internationalization
+   ("python-curtsies" ,python-curtsies-0.1) ;; >= 0.1.18,< 0.2
+   ("python-greenlet" ,python-greenlet)
+   ("python-urwid" ,python-urwid))) ;; for bpython-urwid only
+(native-inputs
+ `(("python-sphinx" ,python-sphinx)
+   ("python-mock" ,python-mock)))
+(home-page "https://bpython-interpreter.org/;)
+(synopsis "Fancy interface to the Python interpreter")
+(description "bpython's main features are
+@enumerate
+@item in-line syntax highlighting,
+@item readline-like autocomplete with suggestions displayed as you type,
+@item expected parameter list for any Python function,
+@item \"rewind\" function to pop the last line of code from memory and
+  re-evaluate,
+@item send the code you've entered off to a pastebin,
+@item save the code you've entered to a file, and
+@item auto-indentation.
+@end enumerate")
+(license license:expat)))
+
+(define-public python2-bpython
+  (package-with-python2 python-bpython))
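Review bot: `(name "bpython")` does not follow the `python-` prefix used by the sibling patches (`python-pyte`, `python-blessings`, `python-curtsies`) or by the variable name `python-bpython`; `package-with-python2` derives the Python 2 package name from that prefix, so with this name the `python2-bpython` variant below would end up named `bpython` as well instead of `python2-bpython`. Suggest `(name "python-bpython")`. Two style points: `("python-requests", python-requests)` puts the unquote comma after the string instead of before the symbol (it still reads correctly, but the other entries use `,python-...`), and the `;; optional, for internationalization` and `;; for bpython-urwid only` comments sit on propagated inputs that every user of the package will pull in, so either make them plain inputs or say why they need to be propagated.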
-- 
2.7.4




[PATCH 2/4] gnu: Add python-blessings.

2016-12-31 Thread Hartmut Goebel
* gnu/packages/python.scm (python-blessings, python2-blessings): New
  variables.
---
 gnu/packages/python.scm | 29 +
 1 file changed, 29 insertions(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 2dea03b..8dbd64a 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -12307,3 +12307,32 @@ emulators. pyte follows the suit.")
 
 (define-public python2-pyte
   (package-with-python2 python-pyte))
+
+(define-public python-blessings
+  (package
+(name "python-blessings")
+(version "1.6")
+(source
+  (origin
+(method url-fetch)
+(uri (pypi-uri "blessings" version))
+(sha256
+  (base32
+   "01rhgn2c3xjf9h1lxij9m05iwf2ba6d0vd7nic26c2gic4q73igd"
+(build-system python-build-system)
+(arguments
+ ;; TODO: For py3, 2to2 is used to convert the code, but test-suite fails
+ `(#:tests? #f))
+(native-inputs
+ `(("python-nose" ,python-nose)))
+(home-page "https://pypi.python.org/pypi/blessings;)
+(synopsis "Simple but powerful module to manage terminal color, styling,
+and positioning")
+(description "Blessings is a pythonic API to manipulate terminal.  It
+provides similar features to curses but beating some of their limitations: it
+does not require clearing the whole screen for little changes, scrollback
+buffer after program exits, avoid styling when on output redirection, etc.")
+(license license:expat)))
+
+(define-public python2-blessings
+  (package-with-python2 python-blessings))
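Review bot: `#:tests? #f` switches the test suite off for both the Python 3 and the Python 2 variant, yet the comment above it only says the Python 3 (2to3-converted) test suite fails, and `python-nose` remains declared as a native input that nothing then uses; the comment also says `2to2` where `2to3` is meant. Suggest keeping the tests enabled for `python2-blessings` (for example by disabling them only in the Python 3 package and letting the python2 variant override `#:tests?`), and noting in the comment which tests fail and why, so the disable does not silently outlive the problem. Minor: the synopsis spans two lines; `guix lint` expects a single short phrase.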
-- 
2.7.4




[PATCH 3/4] gnu: Add python-curtsies.

2016-12-31 Thread Hartmut Goebel
* gnu/packages/python.scm (python-curtsies, python2-curtsies,
  python-curtsies-0.1, python2-curtsies-0.1): New variables.
---
 gnu/packages/python.scm | 51 +
 1 file changed, 51 insertions(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 8dbd64a..75f5fba 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -12336,3 +12336,54 @@ buffer after program exits, avoid styling when on 
output redirection, etc.")
 
 (define-public python2-blessings
   (package-with-python2 python-blessings))
+
+(define-public python-curtsies
+  (package
+(name "python-curtsies")
+(version "0.2.11")
+(source
+  (origin
+(method url-fetch)
+(uri (pypi-uri "curtsies" version))
+(sha256
+  (base32
+   "1vljmw3sy6lrqahhpyg4gk13mzcx3mwhvg8s41698ms3cpgkjipc"
+(build-system python-build-system)
+   (arguments
+`(#:phases
+  (modify-phases %standard-phases
+(replace 'check
+  (lambda _
+(zero? (system* "nosetests" "-v")))
+(propagated-inputs
+ `(("python-blessings" ,python-blessings)
+   ("python-wcwidth", python-wcwidth)))
+(native-inputs
+ `(("python-mock" ,python-mock)
+   ("python-pyte" ,python-pyte)
+   ("python-nose" ,python-nose)))
+(home-page "https://github.com/thomasballinger/curtsies;)
+(synopsis "Library for curses-like terminal interaction with colored
+strings")
+(description "Curtsies is a library for interacting with the terminal.
+It features string-like objects which carry formatting information, per-line
+fullscreen terminal rendering, and keyboard input event reporting. ")
+(license license:expat)))
+
+(define-public python2-curtsies
+  (package-with-python2 python-curtsies))
+
+(define-public python-curtsies-0.1
+  (package
+(inherit python-curtsies)
+(version "0.1.23")
+(source
+  (origin
+(method url-fetch)
+(uri (pypi-uri "curtsies" version))
+(sha256
+  (base32
+   "1lv5zmca18157d69h4hqm34wbiblimd8h4gzzic2vkw3l61j622a"))
+
+(define-public python2-curtsies-0.1
+  (package-with-python2 python-curtsies-0.1))
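Review bot: the `(arguments` form is indented one column less than the neighbouring fields (`+   (arguments` against `+    (source`), and `("python-wcwidth", python-wcwidth)` places the unquote comma after the string rather than before the symbol; both are cosmetic but inconsistent with the rest of the file. More substantively, `python-curtsies-0.1` inherits the `replace 'check` phase and the native inputs of the 0.2.11 definition, which is fine only if 0.1.23's test suite also runs under `nosetests -v`; since the 0.1 variant exists solely to satisfy bpython's `>= 0.1.18, < 0.2` requirement, a one-line comment on it saying so would keep it from being removed as an apparent duplicate.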
-- 
2.7.4




[PATCH 1/4] gnu: Add python-pyte.

2016-12-31 Thread Hartmut Goebel
* gnu/packages/python.scm (python-pyte, python2-pyte): New variables.
---
 gnu/packages/python.scm | 29 +
 1 file changed, 29 insertions(+)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index a0542a5..2dea03b 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -12278,3 +12278,32 @@ possible on all supported Python versions.")
 
 (define-public python2-xopen
   (package-with-python2 python-xopen))
+
+(define-public python-pyte
+  (package
+(name "python-pyte")
+(version "0.5.2")
+(source
+  (origin
+(method url-fetch)
+(uri (pypi-uri "pyte" version))
+(sha256
+  (base32
+   "0abmxrjlibplzzz7qm7dyphhdp171ssf2lqqllig4p83450cyd6p"
+(build-system python-build-system)
+(propagated-inputs
+ `(("python-wcwidth", python-wcwidth)))
+(native-inputs
+ `(("python-pytest-runner" ,python-pytest-runner)
+   ("python-pytest" ,python-pytest)))
+(home-page "https://pyte.readthedocs.io/;)
+(synopsis "Simple VTXXX-compatible terminal emulator")
+(description "@code{pyte} is an in memory VTxxx-compatible terminal
+emulator.  @code{xxx} stands for a series of video terminals, developed by DEC
+between 1970 and 1995.  The first, and probably the most famous one, was VT100
+terminal, which is now a de-facto standard for all virtual terminal
+emulators. pyte follows the suit.")
+(license license:lgpl3)))
+
+(define-public python2-pyte
+  (package-with-python2 python-pyte))
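Review bot: `("python-wcwidth", python-wcwidth)` puts the unquote comma after the string rather than in front of the symbol (`,python-wcwidth`); it reads correctly but is inconsistent with the rest of the file. In the description, "was VT100 terminal" wants "the VT100 terminal", "pyte follows the suit" should be "pyte follows suit", and `@code{pyte}` is used in the first sentence but plain `pyte` in the last, so pick one form.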
-- 
2.7.4




Thoughts on GuixSD and IDS like AIDE and Tripwire

2016-12-31 Thread dian_cecht
Hello everyone,

 I have been giving GuixSD some thought as the holidays pass and I had a
question I wanted to ask. During a recent scare with a computer on my LAN being
compromised (a Windows system), I've been giving thought to some issues with
securing desktops, and one of those is file integrity wrt unsolicited/undesired
modification. Naturally (which may point out my general inexperience with this
kind of thing) I thought of things like AIDE and Tripwire, and gave some thought
to how such systems (which are hash-based, iirc) could possibly be useful to help
recover a system from a break-in (given the hash records aren't available
locally), which brings us back to one of GuixSD's goals of deterministic builds.

 I seem to recall that there was some goal to be able to check each other's
builds by comparing hashes of builds via some currently unknown method (I think
GNUnet was going to be the transport medium, but I'm not entirely sure if that
was a serious plan or what), and while that is certainly interesting for
checking to make sure a build completed properly or that a build is in fact
deterministic (and, by extension, that there isn't an obscure bug in someone's
CPU à la Pentium Floating Point bug from ages past), I had given some thought
about all of this in relation to IDSs. Has anyone given any thought to possibly
compiling and distributing a checksum list à la AIDE (GPLed, fwiw) or Tripwire
(GPL as well) for use with GuixSD systems? While this certainly isn't a complete
solution for an IDS (in fact, I haven't even looked yet to see how feasible this
is with the aforementioned software; this is more a thought experiment than
anything), it feels like it might be something useful, which is why I'm
mentioning it here.
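The AIDE-style check sketched above, as an added example that is not part of this thread or of Guix itself: a reference manifest (digest and permission bits per file, target per symlink) that a trusted builder of a reproducible store item could publish, which a client loads and compares against its local copy. The temporary tree, the file names and the setuid tampering are all constructed for the demo.

```python
import hashlib
import os
import tempfile
def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map each file/symlink below root (relative path) to (kind, digest or link target, mode)."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = ("symlink", os.readlink(full), 0)
            else:  # record the mode too: a new setuid bit is a finding even if the bytes match
                manifest[rel] = ("file", hash_file(full), os.lstat(full).st_mode & 0o7777)
    return manifest

def dump_manifest(manifest):
    """Text form a builder could publish: one tab-separated line per entry, sorted."""
    return "".join(f"{k}\t{v}\t{m:04o}\t{p}\n" for p, (k, v, m) in sorted(manifest.items()))

def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        kind, value, mode, path = line.split("\t", 3)
        manifest[path] = (kind, value, int(mode, 8))
    return manifest

def compare_manifests(reference, current):
    """AIDE-style report: entries added, removed, or changed relative to the reference."""
    ref, cur = set(reference), set(current)
    return {"added": sorted(cur - ref), "removed": sorted(ref - cur),
            "changed": sorted(p for p in ref & cur if reference[p] != current[p])}

def demo():
    """Constructed sample: a fake store item, its published manifest, then a tampered copy."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        hello = os.path.join(root, "bin", "hello")
        with open(hello, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        published = dump_manifest(build_manifest(root))  # what a trusted builder would distribute
        os.chmod(hello, 0o4755)                          # simulate tampering: setuid bit added
        return compare_manifests(load_manifest(published), build_manifest(root))

if __name__ == "__main__":
    print(demo())  # {'added': [], 'removed': [], 'changed': ['bin/hello']}
```

Because store items are built deterministically, the published manifest can come from any builder whose output hash matches, rather than from the machine being checked.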




Re: [PATCH] gnu: Add php-hello-world.

2016-12-31 Thread Hartmut Goebel
Am 31.12.2016 um 12:16 schrieb Ludovic Courtès:
> after all.  However, as a distro, I think we should refrain from
> providing packages unrelated to Guix/Guile that have no upstream.

So this package will not happen, since *I* will not spend my time to
create such a project. As a consequence, there will be no "php-fpm" OS
example.

I already spent quite some time on this topic, so this is quite
discouraging. :-(

-- 
Regards
Hartmut Goebel

| Hartmut Goebel  | h.goe...@crazy-compilers.com   |
| www.crazy-compilers.com | compilers which you thought are impossible |




Auxiliary files

2016-12-31 Thread Ludovic Courtès
Hi Alex,

Alex Kost  skribis:

> Ludovic Courtès (2016-12-29 18:40 +0100) wrote:
>
>> Hi!
>>
>> Alex Kost  skribis:

[...]

>>> What about making "gnu/packages/files" (or another dirname) directory,
>>> and putting "guix-emacs.el" and kernel configs ("linux-libre-*.conf")
>>> there?
>>>
>>> I mean "gnu/packages/patches" is not always enough, sometimes we want to
>>> use real files in the package recipes (configs for 'linux-libre' or
>>> "guix-emacs.el" for 'emacs'), so having "gnu/packages/files" seems
>>> reasonable to me, WDYT?
>>
>> Sounds good.
>>
>> In general, we can create other subdirectories alongside patches/ and
>> bootstrap/.  So we could have linux-conf/ and emacs/ there.
>
> But we keep all patches in a single directory, why should there be
> multiple dirs for auxiliary files?

I imagine linux-conf/ would contain several files (all the configuration
files), and so on.  IOW, we can create directories anytime there’s a
category of files that go together well.

>> We can also
>> add regular files like guix-emacs.el directly under gnu/packages (like
>> ld-wrapper.in, linux-conf.*, etc.)
>>
>> All this is fine as long as the files get installed in the right place
>> wrt. %load-path.
>>
>> I’m not sure a catch-all files/ (or aux-files/?) directory is helpful
>> though.  There’s a case for having a linux-conf/ subdirectory now; for
>> guix-emacs.el, I am slightly inclined to put it directly in
>> gnu/packages, but no strong opinion.
>>
>> Thoughts?
>
> I don't like keeping such files in "gnu/packages" the most!  My opinion
> is that only .scm files should be placed there.
>
> I vote either for a single "aux-files" (I like this name) directory, or
> for its sub-directories ("aux-files/emacs", "aux-files/linux").

OK, sounds good.  We’ll also need a ‘search-auxiliary-file’ procedure
(or similar) just like we have ‘search-patch’, to facilitate things.

Thanks!

Ludo’.



Re: [PATCH] gnu: Add php-hello-world.

2016-12-31 Thread Ludovic Courtès
Hello,

Hartmut Goebel  skribis:

> Am 29.12.2016 um 18:44 schrieb Ludovic Courtès:
>> Given the popularity of PHP, I would expect tutorials and examples to
>> abound already, no?
>>
>> You can of course roll your own and Guix could distribute it, that’s
>> fine.  I’m just surprised we even have to do that in the first place.
>
> I was surprised, too. Otherwise I'd not write my own package.
>
> But I see no benefit of putting a project to github, just do not have a
> "home grown" package at guix. IMHO implementing this is just a waste of
> time.

I can understand why you’d feel this way, it’s just a few lines of code
after all.  However, as a distro, I think we should refrain from
providing packages unrelated to Guix/Guile that have no upstream.

Ludo’.



Re: Staging freeze

2016-12-31 Thread Ludovic Courtès
Leo Famulari  skribis:

> On Thu, Dec 29, 2016 at 06:51:46PM +0100, Ludovic Courtès wrote:
>> Hi!
>> 
>> John Darrington  skribis:
>> 
>> > For what it's worth, I find that building *anything* related to qemu fails
>> > for different reasons in about 2/3 attempts. So I think there is a 
>> > fundamental, yet to be diagnosed problem.
>> 
>> Yet to be diagnosed… and yet to be reported?  :-)
>> 
>> This ‘qemu-image’ job has been failing since Dec. 11, apparently because
>> the closure of the OS in build-aux/hydra/demo-os.scm has become more
>> than 1.4G (the size specified in build-aux/hydra/gnu-system.scm):
>> 
>>   https://hydra.gnu.org/job/gnu/master/qemu-image.x86_64-linux
>> 
>> I’m tempted to simply remove this job because it doesn’t buy us anything
>> compared to the system tests.
>
> Okay!
>
>> Objections?
>
> None here :)

Done in a3a27745013f3e5a287de3bf0187b2f72beb6965.

Ludo’.



[PATCH] gnu: tar: Fix CVE-2016-6321.

2016-12-31 Thread Alex Vong
Hi Guix,

This patch fixes CVE-2016-6321 for GNU Tar. The patch is basically
directly copied from upstream with the modification to the NEWS file
removed since it hunks out to a reject file. The message below is for
your reference.

From 934e7d752bdd04521c8d0bc2c6cde4a66bf074b4 Mon Sep 17 00:00:00 2001
From: Alex Vong 
Date: Sat, 31 Dec 2016 00:05:49 +0800
Subject: [PATCH] gnu: tar: Fix CVE-2016-6321.

* gnu/packages/patches/tar-CVE-2016-6321.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/base.scm (tar)[source]: Add it.
---
 gnu/local.mk |  1 +
 gnu/packages/base.scm|  3 +-
 gnu/packages/patches/tar-CVE-2016-6321.patch | 51 
 3 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/tar-CVE-2016-6321.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b7c182fbf..5a7cedbe2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -862,6 +862,7 @@ dist_patch_DATA =		\
   %D%/packages/patches/t1lib-CVE-2010-2642.patch		\
   %D%/packages/patches/t1lib-CVE-2011-0764.patch		\
   %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch		\
+  %D%/packages/patches/tar-CVE-2016-6321.patch \
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tcl-mkindex-deterministic.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
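Review bot: the new `tar-CVE-2016-6321.patch` entry ends with a single space before the trailing backslash while the neighbouring entries are tab-aligned; match the surrounding alignment. The alphabetical position (after the t1lib patches, before `tar-skip-unreliable-tests.patch`) is correct.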
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 50c306009..ce6e3782c 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -162,7 +162,8 @@ implementation offers several extensions over the standard utility.")
 (sha256
  (base32
   "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
-(patches (search-patches "tar-skip-unreliable-tests.patch"
+(patches (search-patches "tar-CVE-2016-6321.patch"
+ "tar-skip-unreliable-tests.patch"
(build-system gnu-build-system)
;; Note: test suite requires ~1GiB of disk space.
(arguments
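Review bot: this edits the `source` of `tar` itself, which nearly every package depends on, so on master it triggers a rebuild of the world; if the fix is meant for master rather than core-updates, the usual route for a security fix is a `replacement` (graft) package carrying the extra patch, with the source left unchanged. Also, as rendered here the `search-patches` form ends at `"tar-skip-unreliable-tests.patch"` without closing parentheses; please confirm the patch as sent is balanced.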
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
new file mode 100644
index 0..9e6ee653d
--- /dev/null
+++ b/gnu/packages/patches/tar-CVE-2016-6321.patch
@@ -0,0 +1,51 @@
+Fix CVE-2016-6321:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
+https://security-tracker.debian.org/tracker/CVE-2016-6321
+
+Patches copied from upstream source repository
+(with modification to NEWS removed since it hunks out to a reject file):
+
+http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
+
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert 
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ NEWS  | 8 +++-
+ src/extract.c | 8 
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
 b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		  && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++ERROR ((0, 0, _("%s: Member name contains '..'"),
++	quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++  || skip_dotdot_name
+   || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+ {
+-- 
+2.11.0
+
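Review bot: the embedded diffstat still says `NEWS | 8 +++-` and `2 files changed, 15 insertions(+), 1 deletion(-)` although the NEWS hunk was dropped, and as rendered the `+++ b/src/extract.c` header line is missing its leading `+`; regenerate (or drop) the diffstat and confirm the file applies cleanly against the tar source before it goes in. The code change itself matches the upstream commit referenced in the header: a member whose `orig_file_name` contains `..` is reported with `Member name contains '..'` and skipped unless `--absolute-names` was given, which is exactly the path-escape the advisory below describes.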
-- 
2.11.0


Happy New Year!

Cheers,
Alex

--- Begin Message ---
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3702-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 01, 2016 https://www.debian.org/security/faq
- -

Package: tar
CVE ID : CVE-2016-6321
Debian Bug : 842339

Harry Sintonen discovered that GNU tar does not properly handle member
names containing '..', thus allowing an attacker to bypass the path
names specified on the command line and replace files and directories in
the target directory.

For the stable distribution (jessie), this problem has been fixed in
version 1.27.1-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.29b-1.1.

We recommend that you upgrade your tar packages.

Further information about Debian