* bug#47144: security patching of 'patch' package
From: Mark H Weaver @ 2021-03-14 21:37 UTC
To: 47144

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

Hello!

I found that the 'patch' package is vulnerable to numerous CVEs that other distros like Debian have patched. Here's the list reported by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952

Can I use the latest commit from master to build 'patch' and then graft the original package? i.e. https://git.savannah.gnu.org/git/patch.git

There are not that many commits since the last release, but a lot of time has passed: https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
-------------------- End of forwarded message --------------------
* bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-15 18:26 UTC
To: 47144; +Cc: Léo Le Bouter

I tried something, using the patch git repo's master instead of the release tarballs. I am not sure the git repo contains all the fixes; we could alternatively just pull patches from Debian.

This attempt does not work yet, however: it fails on some gnulib source file not being found, for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

This file seems to be generated by YACC, from the earlier log.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2
* bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes]. 2021-03-15 18:26 ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-15 18:26 ` Léo Le Bouter via Bug reports for GNU Guix 2021-03-18 21:58 ` Ludovic Courtès 0 siblings, 1 reply; 29+ messages in thread From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-15 18:26 UTC (permalink / raw) To: 47144; +Cc: Léo Le Bouter * gnu/packages/base.scm (patch/fixed): New variable. (patch)[replacement]: Graft. --- gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 9aa69cfe77..a71b47ac4f 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -46,12 +46,14 @@ #:use-module (gnu packages compression) #:use-module (gnu packages perl) #:use-module (gnu packages linux) + #:use-module (gnu packages autotools) #:use-module (gnu packages pcre) #:use-module (gnu packages texinfo) #:use-module (gnu packages hurd) #:use-module (gnu packages pkg-config) #:use-module (gnu packages python) #:use-module (gnu packages gettext) + #:use-module (gnu packages version-control) #:use-module (guix i18n) #:use-module (guix utils) #:use-module (guix packages) @@ -228,6 +230,7 @@ standard utility.") (base32 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) (patches (search-patches "patch-hurd-path-max.patch")))) + (replacement patch/fixed) (build-system gnu-build-system) (arguments ;; Work around a cross-compilation bug whereby libpatch.a would provide 
@@ -246,6 +249,42 @@ differences.") (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38")) + (package/inherit patch + (name "patch") + (version "2.7.6") + ;; (version (string-append "2.7.6-" (string-take commit 7))) + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit) + (recursive? #t))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + `(modify-phases ,phases + (replace 'bootstrap + (lambda* (#:key inputs #:allow-other-keys) + (substitute* (list "gnulib/gnulib-tool" + "gnulib/build-aux/git-version-gen") + (("/bin/sh") (which "sh"))) + (invoke "bash" "bootstrap" "--no-git" + "--gnulib-srcdir=gnulib") + #t)))))) + (native-inputs + `(("autoconf" ,autoconf) + ("automake" ,automake) + ("git" ,git-minimal) + ,@(package-native-inputs patch)))))) + (define-public diffutils (package (name "diffutils") -- 2.30.2 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
From: Ludovic Courtès @ 2021-03-18 21:58 UTC
To: 47144

Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is usually a build-time only dependency. (Maybe we can tell it’s not vulnerable to the issues at hand because in that context it’s always given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.
* bug#47144: security patching of 'patch' package
From: Maxim Cournoyer @ 2022-03-23 3:03 UTC
To: Ludovic Courtès; +Cc: 47144

Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency. (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.

The latest release of patch is the one we have, v2.7.6, made 4 years ago.

Thanks,
Maxim
* bug#47144: security patching of 'patch' package
From: Leo Famulari @ 2021-04-14 21:54 UTC
To: Mark H Weaver; +Cc: 47144

On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
> 2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix patches from patch.git. Unfortunately, the patches largely don't apply to the most recent release of patch.

Since there is no release fixing these bugs, and no clear advice about which patches to apply, I'm going to stop working on this for now.
* bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0. 2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver 2021-03-15 18:26 ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix 2021-04-14 21:54 ` Leo Famulari @ 2024-05-31 2:59 ` Maxim Cournoyer 2024-05-31 2:59 ` bug#47144: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer 2024-05-31 2:59 ` bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer 2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer ` (2 subsequent siblings) 5 siblings, 2 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-05-31 2:59 UTC (permalink / raw) To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari * gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: eb4dc1b9ae3779419b047e2f4c7b5879353956a6 -- 2.41.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* bug#47144: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301. 2024-05-31 2:59 ` bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer @ 2024-05-31 2:59 ` Maxim Cournoyer 2024-05-31 2:59 ` bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer 1 sibling, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-05-31 2:59 UTC (permalink / raw) To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari Also fix the gnulib-tool command, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0f1ab6669a..5759b508cf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1391,6 +1391,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2021 qblade <qblade@protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) 
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ @@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) 
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" @@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer@gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.41.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
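Review bot: the comment added above `(delete 'patch-source-shebangs)` says the installed commands "should be wrapper for proper execution", but no wrapping phase appears in this diff, while `gnulib-tool.py` and `gnulib-tool.sh` are now copied to bin/ with their upstream shebangs left untouched. Either add the wrap phase here (or point to where it happens) and fix "wrapper" to "wrapped", and revisit the `;shebang for gnulib-tool` comment on the bash-minimal input, which no longer describes what that input is for once shebangs are not patched.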
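Review bot: in the new gnulib-bootstrap.patch, `gnulib_tool=$(command -v gnulib-tool)` gives any `gnulib-tool` found on PATH precedence over the one in `$GNULIB_SRCDIR`, even when the caller set GNULIB_SRCDIR explicitly; that can silently pair a project's pinned gnulib checkout with a gnulib-tool of a different version, and it widens what a PATH entry can influence during bootstrap. Consider checking `$GNULIB_SRCDIR/gnulib-tool` first and falling back to PATH only when it is absent, and quote `"$GNULIB_SRCDIR/../../bin/gnulib-tool"` in the `elif test -x` line, as the `if test -x "$gnulib_tool"` line above it already does.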
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes]. 2024-05-31 2:59 ` bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer 2024-05-31 2:59 ` bug#47144: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer @ 2024-05-31 2:59 ` Maxim Cournoyer 2024-05-31 16:13 ` Simon Tournier ` (2 more replies) 1 sibling, 3 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-05-31 2:59 UTC (permalink / raw) To: 47144 Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari, Ludovic Courtès * gnu/packages/base.scm (patch/fixed): New variable. (patch) [replacement]: Graft with the above. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw@netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- gnu/packages/base.scm | 44 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..8dcbf4b087 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz> @@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) 
@@ -263,6 +265,7 @@ (define-public tar (define-public patch (package + (replacement patch/fixed) (name "patch") (version "2.7.6") (source (origin @@ -291,6 +294,45 @@ (define-public patch (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")) + (package + (inherit patch) + (name "patch") + (version (git-version "2.7.6" revision commit)) + (source (origin + (inherit (package-source patch)) + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'update-bootstrap-script + (lambda* (#:key native-inputs inputs #:allow-other-keys) + (copy-file (search-input-file + (or native-inputs inputs) + "src/gnulib/build-aux/bootstrap") + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed gnulib))))) + (define-public diffutils (package (name "diffutils") -- 2.41.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
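Review bot: `(version (git-version "2.7.6" revision commit))` changes the version string of a package that is used as a `replacement`; grafting requires the replacement's store file name to have the same length as the original's, so the version should stay "2.7.6", with the commit recorded in a comment instead. The `[security fixes]` tag in the subject also names no CVEs: the bug report lists CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951 and CVE-2018-6952, and citing them in the commit message (and, once confirmed fixed by this commit, in a `lint-hidden-cve` property) keeps `guix lint -c cve` and future readers in sync with what was actually fixed.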
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes]. 2024-05-31 2:59 ` bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer @ 2024-05-31 16:13 ` Simon Tournier 2024-06-01 1:49 ` Maxim Cournoyer 2024-06-01 11:34 ` Maxim Cournoyer 2024-06-01 14:32 ` Ludovic Courtès 2 siblings, 1 reply; 29+ messages in thread From: Simon Tournier @ 2024-05-31 16:13 UTC (permalink / raw) To: Maxim Cournoyer, 47144 Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari Hi Maxim, On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote: > + (source (origin > + (inherit (package-source patch)) > + (method git-fetch) > + (uri (git-reference > + (url "https://git.savannah.gnu.org/git/patch.git") > + (commit commit))) > + (file-name (git-file-name name version)) > + (sha256 > + (base32 > + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")))) If I read correctly, (package-source patch) reads: --8<---------------cut here---------------start------------->8--- (source (origin (method url-fetch) (uri (string-append "mirror://gnu/patch/patch-" version ".tar.xz")) (sha256 (base32 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) (patches (search-patches "patch-hurd-path-max.patch")))) --8<---------------cut here---------------end--------------->8--- Therefore the only thing that is copied is the ’patches’ field. Right? I think it would easy the readability to avoid ’inherit’ and plainly write ’patches’. Cheers, simon ^ permalink raw reply [flat|nested] 29+ messages in thread
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes]. 2024-05-31 16:13 ` Simon Tournier @ 2024-06-01 1:49 ` Maxim Cournoyer 2024-06-04 15:39 ` Simon Tournier 0 siblings, 1 reply; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-01 1:49 UTC (permalink / raw) To: Simon Tournier Cc: Mark H Weaver, Ludovic Courtès, Leo Famulari, Vivien Kraus, 47144 Hi Simon, Simon Tournier <zimon.toutoune@gmail.com> writes: > Hi Maxim, > > On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote: > >> + (source (origin >> + (inherit (package-source patch)) >> + (method git-fetch) >> + (uri (git-reference >> + (url "https://git.savannah.gnu.org/git/patch.git") >> + (commit commit))) >> + (file-name (git-file-name name version)) >> + (sha256 >> + (base32 >> + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")))) > > If I read correctly, (package-source patch) reads: > > (source (origin > (method url-fetch) > (uri (string-append "mirror://gnu/patch/patch-" > version ".tar.xz")) > (sha256 > (base32 > "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) > (patches (search-patches "patch-hurd-path-max.patch")))) > > Therefore the only thing that is copied is the ’patches’ field. Right? > > I think it would easy the readability to avoid ’inherit’ and plainly > write ’patches’. I preferred inheritance to avoid having to manually sync things in the long run... (hopefully the graft gets ungrafted before 'patch' amasses new phatces, but we never know...) -- Thanks, Maxim ^ permalink raw reply [flat|nested] 29+ messages in thread
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Simon Tournier @ 2024-06-04 15:39 UTC
To: Maxim Cournoyer; +Cc: Mark H Weaver, Ludovic Courtès, 47144, Vivien Kraus, Leo Famulari

Hi Maxim,

On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> I preferred inheritance to avoid having to manually sync things in the
> long run... (hopefully the graft gets ungrafted before 'patch' amasses
> new phatces, but we never know...)

What would be the long run? ;-)

Well, from my perspective, there is nothing to manually sync in the future. I mean, the only patch applied to release “2.7.6” will still be required for patch/fixed; hence one will need to do what I am proposing if ’patch’ is removed. Else, if ’patch’ receives some security fixes, then it seems reasonable to assume that the fix will be included in the latest patch (here ’patch/fixed’). Last, please note that ’patch’ is barely modified.

--8<---------------cut here---------------start------------->8---
$ git log --format="%cd %s" -- gnu/packages/base.scm | grep 'gnu: patch'
Thu May 30 11:35:13 2024 -0400 gnu: patch: Fix indentation.
Sun Apr 22 22:40:48 2018 +0200 gnu: patch: Work around a cross-compilation issue.
Wed Mar 14 22:11:34 2018 +0100 gnu: patch: Update to 2.7.6.
Fri Jun 12 15:46:25 2015 +0300 gnu: patch: Set PATH_MAX for Hurd systems.
Mon Mar 9 22:56:50 2015 -0400 gnu: patch: Update to 2.7.5.
Sat Mar 7 20:34:50 2015 -0500 Revert "gnu: patch: Update to 2.7.5."
Sun Mar 8 00:32:11 2015 +0100 gnu: patch: Update to 2.7.5.
Wed Feb 11 11:23:46 2015 +0100 gnu: patch: Update to 2.7.4.
Fri Feb 6 13:53:28 2015 +0100 gnu: patch: Add 2.7.4 and make it a replacement for the default one.
Sat Apr 27 00:23:19 2013 +0200 gnu: patch: Update to 2.7.1.
--8<---------------cut here---------------end--------------->8---

I still think that it is easier to have the patch close to the source instead of coming from inheritance. Anyway. :-)

Cheers,
simon
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Maxim Cournoyer @ 2024-06-05 1:08 UTC
To: Simon Tournier; +Cc: Mark H Weaver, Ludovic Courtès, 47144, Vivien Kraus, Leo Famulari

Hi,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> I preferred inheritance to avoid having to manually sync things in the
>> long run... (hopefully the graft gets ungrafted before 'patch' amasses
>> new phatces, but we never know...)
>
> What would be the long run? ;-)
> Well, from my perspective, there is nothing to manually sync in the
> future.

You're probably right.

> I mean, the only patch applied to release “2.7.6” will be still required
> for patch/fixed; hence one will need to do what I am proposing if
> ’patch’ is removed. Else if ’patch’ receives some security fixes, then
> it seems expected to assume that the fix will be included in the latest
> patch (here ’patch/fixed’). Last, please note that ’patch’ is barely
> modified.

OK. I don't mind making this change. I'll send a revised version with that done.

-- 
Thanks,
Maxim
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes]. 2024-05-31 2:59 ` bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer 2024-05-31 16:13 ` Simon Tournier @ 2024-06-01 11:34 ` Maxim Cournoyer 2024-06-01 14:32 ` Ludovic Courtès 2 siblings, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-01 11:34 UTC (permalink / raw) To: 47144; +Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus, Leo Famulari Hi, Maxim Cournoyer <maxim.cournoyer@gmail.com> writes: > * gnu/packages/base.scm (patch/fixed): New variable. > (patch) [replacement]: Graft with the above. > > Fixes: https://issues.guix.gnu.org/47144 > Reported-by: Mark H Weaver <mhw@netris.org> > Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 [...] > (define-public patch > (package > + (replacement patch/fixed) > (name "patch") > (version "2.7.6") > (source (origin > @@ -291,6 +294,45 @@ (define-public patch > (license gpl3+) > (home-page "https://savannah.gnu.org/projects/patch/"))) > > +(define patch/fixed > + ;; The latest release is from 2018, and lacks multiple security related > + ;; patches. Since Fedora carries 23 patches, simply use the latest commit > + ;; until a proper release is made. > + (let ((revision "0") > + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")) > + (package > + (inherit patch) > + (name "patch") > + (version (git-version "2.7.6" revision commit)) I just realized that since this is for grafting purposes, I shouldn't touch the version field (they need to match in length...). Will send a v2. -- Thanks, Maxim ^ permalink raw reply [flat|nested] 29+ messages in thread
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Ludovic Courtès @ 2024-06-01 14:32 UTC
To: Maxim Cournoyer
Cc: Mark H Weaver, Leo Famulari, Vivien Kraus, 47144

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> (define-public patch
> (package
> + (replacement patch/fixed)

Unless I’m mistaken, this will have practically no effect because Patch
is a build-time-only dependency.

My recommendation would be to not add a ‘replacement’ field at all.
Instead, you could add a new ‘patch/latest’ public variable pointing to
that commit that you picked. That way, users running ‘guix install
patch’ or similar will get the latest version of Patch.

On the next ‘core-packages-team’ cycle, we’d update Patch to refer to
that commit.

WDYT?

Ludo’.
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Maxim Cournoyer @ 2024-06-01 15:02 UTC
To: Ludovic Courtès
Cc: Mark H Weaver, Leo Famulari, Vivien Kraus, 47144

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> (define-public patch
>> (package
>> + (replacement patch/fixed)
>
> Unless I’m mistaken, this will have practically no effect because Patch
> is a build-time-only dependency.
>
> My recommendation would be to not add a ‘replacement’ field at all.
> Instead, you could add a new ‘patch/latest’ public variable pointing to
> that commit that you picked. That way, users running ‘guix install
> patch’ or similar will get the latest version of Patch.

I see what you mean, but for all practical purposes, using a graft seems
a more thorough means (because it affects the original 'patch'
*variable* as well) that has the same effect for users, so it seems like
a slightly better option to me. So e.g. someone using the Guix API and
referring exactly to the 'patch' package variable would get a secure
version, but would otherwise need to know to adjust their code to use
'patch/latest'.

Does that make sense?

-- 
Thanks,
Maxim
* bug#47144: security patching of 'patch' package
From: Ludovic Courtès @ 2024-06-05 16:04 UTC
To: Maxim Cournoyer
Cc: Mark H Weaver, 47144, Vivien Kraus, Leo Famulari

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> Unless I’m mistaken, this will have practically no effect because Patch
>> is a build-time-only dependency.
>>
>> My recommendation would be to not add a ‘replacement’ field at all.
>> Instead, you could add a new ‘patch/latest’ public variable pointing to
>> that commit that you picked. That way, users running ‘guix install
>> patch’ or similar will get the latest version of Patch.
>
> I see what you mean, but for all practical purposes, using a graft seems
> a more thorough (because it affects the original 'patch' *variable* as
> well) means that have the same effect for users, so I'd seems like a
> slightly better option to me.

Strictly speaking, yes, but in practice the benefits are largely
theoretical IMO, and the cost of having a graft this deep in the
dependency graph.

What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
to the new version?

Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
code etc. would refer to ‘patch’ and thus get the latest version.

Ludo’.
* bug#47144: security patching of 'patch' package
From: Simon Tournier @ 2024-06-05 16:44 UTC
To: Ludovic Courtès, Maxim Cournoyer
Cc: Mark H Weaver, Leo Famulari, Vivien Kraus, 47144

Hi,

On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:

> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.

I agree; it appears to me “safer” than the graft.

However, the cost is to identify which package needs ’patch/pinned’ and
which needs the new ’patch’. Then once upstream Patch upgrades, there is
also the question of unpinning all the packages.

Somehow, your previous suggestion ’patch-latest’ for this new package
appears to me the best solution. Because it does not require any update
here and there, and since the source field follows the Git upstream
latest instead of the released tarball, this solution of ’patch-latest’
seems appropriate.

Cheers,
simon
* bug#47144: security patching of 'patch' package
From: Maxim Cournoyer @ 2024-06-06 0:49 UTC
To: Simon Tournier
Cc: Mark H Weaver, Ludovic Courtès, Leo Famulari, Vivien Kraus, 47144

Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’. Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.

Indeed. It'll be easy though to grep for 'patch/pinned', which are few
and far between, compared to grepping for 'patch'...

I've implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.

-- 
Thanks,
Maxim
* bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0. 2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver ` (2 preceding siblings ...) 2024-05-31 2:59 ` bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer @ 2024-06-01 12:56 ` Maxim Cournoyer 2024-06-01 12:56 ` bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer 2024-06-01 12:56 ` bug#47144: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer 2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer 2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer 5 siblings, 2 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-01 12:56 UTC (permalink / raw) To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari * gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- (no changes since v1) gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0 -- 2.41.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
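Review bot: The hunk bumping `version` to "15.1.0" swaps the sha256, but neither the diff nor the commit message says where the new base32 value came from. Record the command used (for instance `guix download https://www.unicode.org/Public/zipped/15.1.0/UCD.zip`) or the published checksum it was compared against, so a reviewer can reproduce the pinned hash rather than trust the line `+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")`. With `url-fetch/zipbomb` that sha256 is the only integrity check on the download, and the files it pins are the ones the `regenerate-unicode` phase of patch 2/3 feeds into gnulib's table generation.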
* bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301. 2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer @ 2024-06-01 12:56 ` Maxim Cournoyer 2024-06-01 12:56 ` bug#47144: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer 1 sibling, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-01 12:56 UTC (permalink / raw) To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari Also fix the commands, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- (no changes since v1) gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6934d5ccc7..b369127194 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2021 qblade <qblade@protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) 
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ @@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) 
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" @@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer@gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.41.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* bug#47144: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes]. 2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer 2024-06-01 12:56 ` bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer @ 2024-06-01 12:56 ` Maxim Cournoyer 1 sibling, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-01 12:56 UTC (permalink / raw) To: 47144 Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari, Ludovic Courtès * gnu/packages/base.scm (patch/fixed): New variable. (patch) [replacement]: Graft with the above. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw@netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- Changes in v2: - Use same version to have the same store length, a graft requirement - Copy the gnulib source in a phase to avoid introducing a dependency cycle gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..45dbf77817 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz> 
@@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) @@ -263,6 +265,7 @@ (define-public tar (define-public patch (package + (replacement patch/fixed) (name "patch") (version "2.7.6") (source (origin 
@@ -291,6 +294,53 @@ (define-public patch (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")) + (package + (inherit patch) + (name "patch") + ;; TODO: Uncomment when ungrafting. + ;;(version (git-version "2.7.6" revision commit)) + (source (origin + (inherit (package-source patch)) + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + ;; TODO: Uncomment when ungrafting and using the above + ;; 'git-version'-computed version. + ;;(file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'copy-gnulib-sources + (lambda _ + ;; XXX: We copy the source instead of using 'gnulib' as a + ;; native input to avoid introducing a dependency cycle with. + (copy-recursively #+gnulib "gnulib") + (setenv "GNULIB_SRCDIR" + (string-append (getcwd) "/gnulib/src/gnulib")))) + (add-after 'copy-gnulib-sources 'update-bootstrap-script + (lambda _ + (copy-file "gnulib/src/gnulib/build-aux/bootstrap" + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed))))) + (define-public diffutils (package (name "diffutils") -- 2.41.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
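Review bot: The commit message tags the change `[security fixes]` but names none of the CVEs closed between the 2.7.6 tarball and commit f144b35425d9d7732ea5485034c1a6b7a106ab92, and the code comment in the hunk at `@@ -291,6 +294,53 @@` only says the release "lacks multiple security related patches". List the identifiers in the commit message and, since the grafted package deliberately keeps `version` "2.7.6" so that `guix lint -c cve patch` will keep reporting them, record the same list in a `lint-hidden-cve` property on the package; that way anyone auditing the graft can check what it actually fixes and the lint noise is silenced for a documented reason.

Review bot: In the same hunk, the comment in the `copy-gnulib-sources` phase stops mid-sentence ("to avoid introducing a dependency cycle with."); name the package that would close the cycle so the next person does not try to turn `#+gnulib` back into a native input. Also, `patch-configure.ac` prefixes `sh ` to `build-aux/git-version-gen` because of its plain `#!/bin/sh` shebang, yet the `gnulib-tool` that the copied `bootstrap` locates under `gnulib/bin` carries the same shebang and is run directly: either that shebang resolves in the build environment, in which case the substitution is unnecessary, or it does not, in which case `gnulib-tool` needs the same treatment. The commit message should say which.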
* bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0. 2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver ` (3 preceding siblings ...) 2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer @ 2024-06-05 1:24 ` Maxim Cournoyer 2024-06-05 1:24 ` bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer 2024-06-05 1:24 ` bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer 2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer 5 siblings, 2 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-05 1:24 UTC (permalink / raw) To: 47144 Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès, Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier * gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- (no changes since v1) gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0 -- 2.45.1 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301. 2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer @ 2024-06-05 1:24 ` Maxim Cournoyer 2024-06-05 1:24 ` bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer 1 sibling, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-05 1:24 UTC (permalink / raw) To: 47144 Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès, Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier Also fix the commands, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- (no changes since v1) gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6934d5ccc7..b369127194 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2021 qblade <qblade@protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) 
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ @@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) 
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" @@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer@gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.45.1 ^ permalink raw reply related [flat|nested] 29+ messages in thread
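Review bot: in the new `elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then` branch the variable is left unquoted while the line just above quotes `"$gnulib_tool"`; write `test -x "$GNULIB_SRCDIR/../../bin/gnulib-tool"` so a source directory whose path contains whitespace does not split into several arguments (and the `test -n "$GNULIB_SRCDIR"` added to func_gnulib_dir already follows that convention).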
* bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes]. 2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer 2024-06-05 1:24 ` bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer @ 2024-06-05 1:24 ` Maxim Cournoyer 1 sibling, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-05 1:24 UTC (permalink / raw) To: 47144 Cc: Mark H Weaver, Maxim Cournoyer, Mark H Weaver, Ludovic Courtès, Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier * gnu/packages/base.scm (patch/fixed): New variable. (patch) [replacement]: Graft with the above. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw@netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- Changes in v3: - Do not use inheritance for patch/fixed origin Changes in v2: - Use same version to have the same store length, a graft requirement - Copy the gnulib source in a phase to avoid introducing a dependency cycle gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..3246b7bd0a 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz> 
@@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) @@ -263,6 +265,7 @@ (define-public tar (define-public patch (package + (replacement patch/fixed) (name "patch") (version "2.7.6") (source (origin 
@@ -291,6 +294,53 @@ (define-public patch (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")) + (package + (inherit patch) + (name "patch") + ;; TODO: Uncomment when ungrafting. + ;;(version (git-version "2.7.6" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + ;; TODO: Uncomment when ungrafting and using the above + ;; 'git-version'-computed version. + ;;(file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'copy-gnulib-sources + (lambda _ + ;; XXX: We copy the source instead of using 'gnulib' as a + ;; native input to avoid introducing a dependency cycle with. + (copy-recursively #+gnulib "gnulib") + (setenv "GNULIB_SRCDIR" + (string-append (getcwd) "/gnulib/src/gnulib")))) + (add-after 'copy-gnulib-sources 'update-bootstrap-script + (lambda _ + (copy-file "gnulib/src/gnulib/build-aux/bootstrap" + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed))))) + (define-public diffutils (package (name "diffutils") -- 2.45.1 ^ permalink raw reply related [flat|nested] 29+ messages in thread
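Review bot: the comment in the 'copy-gnulib-sources phase stops mid-sentence ("to avoid introducing a dependency cycle with."); finish it ("... a dependency cycle with gnulib.") or drop the trailing "with". The commented-out `version` and `file-name` fields are already justified by the v2 change note (same store name length is a graft requirement), but a one-line comment at the `;; TODO: Uncomment when ungrafting.` marker saying why they must stay commented for a graft would save the next reader a trip to the cover letter.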
* bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0. 2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver ` (4 preceding siblings ...) 2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer @ 2024-06-06 0:46 ` Maxim Cournoyer 2024-06-06 0:46 ` bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer 2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer 5 siblings, 2 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-06 0:46 UTC (permalink / raw) To: 47144 Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès, Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier * gnu/packages/unicode.scm (ucd): Update to 15.1.0. Change-Id: I0828544c35eef90a8f76c2084362ee4594189244 --- (no changes since v1) gnu/packages/unicode.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm index 23f08a2aab..fe188ed71d 100644 --- a/gnu/packages/unicode.scm +++ b/gnu/packages/unicode.scm @@ -77,14 +77,14 @@ (define-public libunibreak (define-public ucd (package (name "ucd") - (version "15.0.0") + (version "15.1.0") (source (origin (method url-fetch/zipbomb) (uri (string-append "https://www.unicode.org/Public/zipped/" version "/UCD.zip")) (sha256 - (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz")))) + (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b")))) (build-system copy-build-system) (arguments '(#:install-plan base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0 -- 2.45.1 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301. 2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer @ 2024-06-06 0:46 ` Maxim Cournoyer 2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer 1 sibling, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-06 0:46 UTC (permalink / raw) To: 47144 Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès, Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier Also fix the commands, which would fail due to not finding their implementation scripts. * gnu/packages/patches/gnulib-bootstrap.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301. [source]: Apply patch. [phases] {patch-source-shebangs, patch-generated-file-shebangs} {patch-usr-bin-file, restore-shebangs}: Delete phases. {disable-failing-tests}: Disable sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_check_config_h_reminder, sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short checks. {regenerate-unicode}: Register BidiMirroring.txt unicode data file. Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0 --- (no changes since v1) gnu/local.mk | 1 + gnu/packages/build-tools.scm | 55 ++++++++------- gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6934d5ccc7..b369127194 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-session-support-elogind.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ + %D%/packages/patches/gnulib-bootstrap.patch \ %D%/packages/patches/gnumach-support-noide.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnupg-1-build-with-gcc10.patch \ diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm index daaf450e70..82abf5b9f1 100644 --- a/gnu/packages/build-tools.scm +++ b/gnu/packages/build-tools.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2021 qblade <qblade@protonmail.com> -;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org> ;;; ;;; This file is part of GNU Guix. @@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key ;; FIXME: tests/uniname/HangulSyllableNames.txt ;; seems like a UCD file but it is not distributed ;; with UCD. - "tests/uniwbrk/WordBreakTest.txt"))))))) + "tests/uniwbrk/WordBreakTest.txt"))))) + (patches (search-patches "gnulib-bootstrap.patch")))) (build-system copy-build-system) (arguments (list #:install-plan #~'(("./gnulib-tool" "bin/") + ("./gnulib-tool.py" "bin/") + ("./gnulib-tool.sh" "bin/") ("." "src/gnulib" #:exclude-regexp ("\\.git.*"))) #:modules '((ice-9 match) (guix build utils) 
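Review bot: the install plan now copies `./gnulib-tool.py` and `./gnulib-tool.sh` next to `./gnulib-tool` in bin/, and the only explanation is in the commit message ("would fail due to not finding their implementation scripts"); put that reason in a comment beside the two new entries, since a later cleanup that sees three near-identical commands in bin/ is otherwise likely to remove them again.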
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key ((guix build gnu-build-system) #:prefix gnu:)) #:phases #~(modify-phases %standard-phases + ;; Since this package is intended to be used in source form, it + ;; should not retain references to tools (with the exception for the + ;; commands we install, which should be wrapper for proper + ;; execution). + (delete 'patch-source-shebangs) + (delete 'patch-generated-file-shebangs) + (delete 'patch-usr-bin-file) (add-before 'install 'check (assoc-ref gnu:%standard-phases 'check)) (add-before 'check 'fix-tests @@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key sc_Wundef_boolean \\ sc_copyright_check \\ sc_file_system \\ + sc_error_message_warn_fatal \\ sc_indent \\ sc_keep_gnulib_texi_files_mostly_ascii \\ + sc_prefer_angle_bracket_headers \\ sc_prohibit_assert_without_use \\ sc_prohibit_close_stream_without_use \\ sc_prohibit_defined_have_decl_tests \\ @@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key sc_prohibit_intprops_without_use \\ sc_prohibit_openat_without_use \\ sc_prohibit_test_minus_ao \\ - sc_unportable_grep_q")) + sc_readme_link_copying \\ + sc_readme_link_install \\ + sc_unportable_grep_q \\ + sc_unsigned_char \\ + sc_unsigned_int \\ + sc_unsigned_long \\ + sc_unsigned_short")) (substitute* "Makefile" - (("sc_check_(sym_list|copyright)" rule) + (("sc_check_(sym_list|copyright|config_h_reminder)" rule) (string-append "disabled_check_" rule)) (("sc_cpp_indent_check") "disabled_cpp_indent_check") (("sc_prefer_ac_check_funcs_once") "disabled_prefer_ac_check_funcs_once") - (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule) + (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\ +|sc_omitted_at)" rule) (string-append "disabled_prohibit_" rule))))) (add-before 'check 'regenerate-unicode (lambda* (#:key inputs #:allow-other-keys) 
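Review bot: the comment above the three `delete` forms says the installed commands "should be wrapper for proper execution" (read: "should be wrappers"), yet nothing in this diff wraps or rewrites the shebang of bin/gnulib-tool or the new bin/gnulib-tool.{py,sh} once 'patch-source-shebangs, 'patch-generated-file-shebangs and 'patch-usr-bin-file are gone; if that wrapping happens in a phase outside this hunk, name it in the comment, otherwise state how those copies are expected to execute.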
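Review bot: the sc_* additions (sc_error_message_warn_fatal, sc_prefer_angle_bracket_headers, sc_readme_link_copying, sc_readme_link_install, sc_unsigned_char, sc_unsigned_int, sc_unsigned_long, sc_unsigned_short, plus config_h_reminder and sc_omitted_at in the `substitute*` regexps) come with no note on why each fails in the build environment; a short comment per group would let a future updater re-enable them instead of carrying the list forward. Also, the `leading_TABs\` escaped newline inside the regexp string is easy to misread as a stray backslash; building the pattern with `string-append` would make `AC_LIBOBJ_in_m4|leading_TABs|sc_omitted_at` obvious at a glance.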
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key (sha256 (base32 "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh")))) - (find-ucd-files "EastAsianWidth.txt" + (find-ucd-files "BidiMirroring.txt" + "EastAsianWidth.txt" "LineBreak.txt" "auxiliary/WordBreakProperty.txt" "auxiliary/GraphemeBreakProperty.txt" @@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key ("NormalizationTest.txt" . "uninorm") ("auxiliary/GraphemeBreakTest.txt" . "unigbrk") ("auxiliary/WordBreakTest.txt" . "uniwbrk"))) - (delete-file "gen-uni-tables")))) - (add-after 'install 'restore-shebangs - (lambda _ - (substitute* (find-files - (string-append #$output "/src/gnulib") - (lambda (fname stat) - (and (not (string-suffix? "/lib/javaversion.class" fname)) - (not (string-suffix? ".mo" fname))))) - (("^#! ?(.*)/bin/sh" _ prefix) - "#!/bin/sh") - (("^#! ?(.*)/bin/python3" _ prefix) - "#!/usr/bin/env python3") - (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program) - (string-append "#!/usr/bin/" program)))))))) + (delete-file "gen-uni-tables"))))))) (inputs - (list bash-minimal)) ;shebang for gnulib-tool + (list bash-minimal)) ;shebang for gnulib-tool (native-inputs (list bash-minimal python perl clisp @@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key (define-public gnulib (gnulib-checkout - #:version "2022-12-31" - #:commit "875461ffdf58ac04677957b4ae4160465b83b940" - #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c"))) + #:version "2024-05-30" + #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b" + #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs"))) (define-public pdpmake (package diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch new file mode 100644 index 0000000000..c0c9a5e732 --- /dev/null +++ b/gnu/packages/patches/gnulib-bootstrap.patch 
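Review bot: the 'restore-shebangs phase is removed here, consistent with no longer touching shebangs at all, but the `;shebang for gnulib-tool` comment on the bash-minimal input survives (this hunk only re-aligns it); if bash-minimal is still needed for the installed gnulib-tool's shebang, say how that shebang is now set, and if it is not, drop the input rather than keeping a comment that no phase backs up.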
@@ -0,0 +1,75 @@ +From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer <maxim.cournoyer@gmail.com> +Date: Thu, 30 May 2024 14:48:04 -0400 +Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available. + +Some distributions such as GNU Guix include in their package for +gnulib a 'gnulib-tool' command under their $bindir +prefix (e.g. '/bin') for users to use, along the unmodified full +sources. The idea is that any wrapping or distribution modifications +for the *execution* of the script at run time is done on these +commands, while the rest of the source should be in their +pristine (unmodified) version. Adjust the 'gnulib-tool' discovery +mechanism to support such installation layout. + +* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from +PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from +$GNULIB_SRCDIR/gnulib-tool. +* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate +gnulib's main directory. +--- + build-aux/bootstrap | 11 +++++++++-- + gnulib-tool.sh | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/build-aux/bootstrap b/build-aux/bootstrap +index 6295b8a128..06271eea8b 100755 +--- a/build-aux/bootstrap ++++ b/build-aux/bootstrap +@@ -3,7 +3,7 @@ + + # Bootstrap this package from checked-out sources. + +-scriptversion=2024-04-13.15; # UTC ++scriptversion=2024-05-30.20; # UTC + + # Copyright (C) 2003-2024 Free Software Foundation, Inc. 
+ # +@@ -1164,7 +1164,14 @@ autogen() + fi + + if $use_gnulib; then +- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ gnulib_tool=$(command -v gnulib-tool) ++ if test -x "$gnulib_tool"; then ++ : # done ++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then ++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool ++ else ++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool ++ fi + <$gnulib_tool || return + fi + +diff --git a/gnulib-tool.sh b/gnulib-tool.sh +index 12f0b82461..0aefbe2b2b 100755 +--- a/gnulib-tool.sh ++++ b/gnulib-tool.sh +@@ -518,7 +518,11 @@ func_gnulib_dir () + * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;; + esac + done +- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ if test -n "$GNULIB_SRCDIR"; then ++ gnulib_dir=$GNULIB_SRCDIR ++ else ++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'` ++ fi + } + + # func_tmpdir + +base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b +-- +2.41.0 + -- 2.45.1 ^ permalink raw reply related [flat|nested] 29+ messages in thread
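Review bot: `gnulib_tool=$(command -v gnulib-tool)` is consulted before `$GNULIB_SRCDIR`, so an explicitly set GNULIB_SRCDIR no longer decides which gnulib-tool runs: whatever gnulib-tool is first on PATH wins even when it belongs to a different gnulib snapshot than the sources in GNULIB_SRCDIR, and the two can silently disagree about module lists. Consider the reverse order (prefer $GNULIB_SRCDIR/gnulib-tool when GNULIB_SRCDIR is set, then $GNULIB_SRCDIR/../../bin/gnulib-tool, then PATH), or at least document the precedence next to the `if test -x "$gnulib_tool"` check so users of the Guix layout know which copy they are getting.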
* bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes]. 2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer 2024-06-06 0:46 ` bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer @ 2024-06-06 0:46 ` Maxim Cournoyer 2024-06-24 4:43 ` bug#47144: security patching of 'patch' package Maxim Cournoyer 1 sibling, 1 reply; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-06 0:46 UTC (permalink / raw) To: 47144 Cc: Mark H Weaver, Maxim Cournoyer, Mark H Weaver, Ludovic Courtès, Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier, Christopher Baines, Efraim Flashner, Ekaitz Zarraga, Guillaume Le Vaillant, Josselin Poiret, Katherine Cox-Buday, Mathieu Othacehe, Munyoki Kilyungi, Ricardo Wurmus, Sharlatan Hellseher, Tobias Geerinckx-Rice, jgart * gnu/packages/base.scm (patch): Rename to... (patch/pinned): ... this. Hide package. (patch): New variable. * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned. (patch-boot0): Likewise. (%final-inputs): Replace patch with patch/pinned. * gnu/packages/lisp.scm (cl-asdf): Likewise. * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned. Fixes: https://issues.guix.gnu.org/47144 Reported-by: Mark H Weaver <mhw@netris.org> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 --- Changes in v4: - Use a hidden patch/pinned and patch variables instead of a graft Changes in v3: - Do not use inheritance for patch/fixed origin Changes in v2: - Use same version to have the same store length, a graft requirement - Copy the gnulib source in a phase to avoid introducing a dependency cycle gnu/packages/base.scm | 102 +++++++++++++++++++++++++--------- gnu/packages/commencement.scm | 8 +-- gnu/packages/lisp.scm | 2 +- guix/packages.scm | 2 +- 4 files changed, 82 insertions(+), 32 deletions(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bbe5b8cf57..66c5b7d237 100644 
--- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net> ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net> -;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> +;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe> ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com> ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz> @@ -46,8 +46,10 @@ (define-module (gnu packages base) #:use-module (gnu packages acl) #:use-module (gnu packages algebra) #:use-module (gnu packages attr) + #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) + #:use-module (gnu packages build-tools) #:use-module (gnu packages gcc) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) 
@@ -261,35 +263,83 @@ (define-public tar (license gpl3+) (home-page "https://www.gnu.org/software/tar/"))) -(define-public patch - (package - (name "patch") - (version "2.7.6") - (source (origin - (method url-fetch) - (uri (string-append "mirror://gnu/patch/patch-" - version ".tar.xz")) - (sha256 - (base32 - "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) - (patches (search-patches "patch-hurd-path-max.patch")))) - (build-system gnu-build-system) - (arguments - ;; Work around a cross-compilation bug whereby libpatch.a would provide - ;; '__mktime_internal', which conflicts with the one in libc.a. - (if (%current-target-system) - `(#:configure-flags '("gl_cv_func_working_mktime=yes")) - '())) - (native-inputs (list ed)) - (synopsis "Apply differences to originals, with optional backups") - (description - "Patch is a program that applies changes to files based on differences +;;; TODO: Replace/merge with 'patch' on core-updates. +(define-public patch/pinned + (hidden-package + (package + (name "patch") + (version "2.7.6") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnu/patch/patch-" + version ".tar.xz")) + (sha256 + (base32 + "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (build-system gnu-build-system) + (arguments + ;; Work around a cross-compilation bug whereby libpatch.a would provide + ;; '__mktime_internal', which conflicts with the one in libc.a. + (if (%current-target-system) + `(#:configure-flags '("gl_cv_func_working_mktime=yes")) + '())) + (native-inputs (list ed)) + (synopsis "Apply differences to originals, with optional backups") + (description + "Patch is a program that applies changes to files based on differences laid out as by the program \"diff\". The changes may be applied to one or more files depending on the contents of the diff file. It accepts several different diff formats. 
It may also be used to revert previously applied differences.") - (license gpl3+) - (home-page "https://savannah.gnu.org/projects/patch/"))) + (license gpl3+) + (home-page "https://savannah.gnu.org/projects/patch/")))) + +(define-public patch + ;; The latest release is from 2018, and lacks multiple security related + ;; patches. Since Fedora carries 23 patches, simply use the latest commit + ;; until a proper release is made. + (let ((revision "0") + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92") + (base patch/pinned)) + (package + (inherit base) + (name "patch") + (version (git-version "2.7.6" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (arguments + (substitute-keyword-arguments (package-arguments base) + ((#:phases phases '%standard-phases) + #~(modify-phases #$phases + (add-after 'unpack 'copy-gnulib-sources + (lambda _ + ;; XXX: We copy the source instead of using 'gnulib' as a + ;; native input to avoid introducing a dependency cycle. + (copy-recursively #+gnulib "gnulib") + (setenv "GNULIB_SRCDIR" + (string-append (getcwd) "/gnulib/src/gnulib")))) + (add-after 'copy-gnulib-sources 'update-bootstrap-script + (lambda _ + (copy-file "gnulib/src/gnulib/build-aux/bootstrap" + "bootstrap"))) + (add-after 'unpack 'patch-configure.ac + (lambda _ + (substitute* "configure.ac" + ;; The gnulib-provided git-version-gen script has a plain + ;; shebang of #!/bin/sh; avoid using it. + (("build-aux/git-version-gen" all) + (string-append "sh " all))))))))) + (native-inputs (list autoconf automake bison ed)) + (properties '())))) (define-public diffutils (package diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index b4d236c35b..0433059493 100644 
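Review bot: configure.ac still invokes `build-aux/git-version-gen` (now via `sh`), but a git-fetch checkout carries neither a .git directory nor a .tarball-version file, so please confirm what `patch --version` reports after this change; if git-version-gen falls back to its UNKNOWN value, writing the `git-version`-computed `version` into .tarball-version in the 'copy-gnulib-sources phase would give the binary a meaningful version string. Separately, `patch-hurd-path-max.patch` is carried over from the 2.7.6 tarball onto the git tip; a note that it still applies (or is still needed) there would help.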
--- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -878,7 +878,7 @@ (define tcc-boot (define patch-mesboot ;; The initial patch. (package - (inherit patch) + (inherit patch/pinned) (name "patch-mesboot") (version "2.5.9") (source (origin @@ -2167,8 +2167,8 @@ (define gawk-boot0 (define patch-boot0 (package - (inherit patch) - (source (bootstrap-origin (package-source patch))) + (inherit patch/pinned) + (source (bootstrap-origin (package-source patch/pinned))) (name "patch-boot0") (native-inputs '()) (inputs @@ -3482,7 +3482,7 @@ (define-public %final-inputs ("bzip2" ,bzip2) ("file" ,file) ("diffutils" ,diffutils) - ("patch" ,patch) + ("patch" ,patch/pinned) ("findutils" ,findutils) ("gawk" ,gawk))) ("sed" ,sed-final) diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm index 6bf93d83c7..6f3bd126cc 100644 --- a/gnu/packages/lisp.scm +++ b/gnu/packages/lisp.scm @@ -121,7 +121,7 @@ (define-public cl-asdf (build-system trivial-build-system) (native-inputs `(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch")) - ("patch" ,patch))) + ("patch" ,patch/pinned))) (arguments `(#:modules ((guix build utils) (guix build lisp-utils)) diff --git a/guix/packages.scm b/guix/packages.scm index abe89cdb07..f3a9a61785 100644 --- a/guix/packages.scm +++ b/guix/packages.scm @@ -899,7 +899,7 @@ (define (%standard-patch-inputs system) ("gzip" ,(ref '(gnu packages compression) 'gzip)) ("lzip" ,(ref '(gnu packages compression) 'lzip)) ("unzip" ,(ref '(gnu packages compression) 'unzip)) - ("patch" ,(ref '(gnu packages base) 'patch)) + ("patch" ,(ref '(gnu packages base) 'patch/pinned)) ("locales" ,(parameterize ((%current-target-system #f) (%current-system system)) -- 2.45.1 ^ permalink raw reply related [flat|nested] 29+ messages in thread
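Review bot: pointing `%standard-patch-inputs` at patch/pinned means every origin `patches` field in the distribution is still applied with the 2018 release that the new comment in base.scm says "lacks multiple security related patches"; that is unavoidable given the bootstrap constraint, but the commit message should say so explicitly, so readers of the "[security fixes]" title do not assume the origin-patching path is covered and the core-updates TODO on patch/pinned is understood as the remaining work.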
* bug#47144: security patching of 'patch' package 2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer @ 2024-06-24 4:43 ` Maxim Cournoyer 0 siblings, 0 replies; 29+ messages in thread From: Maxim Cournoyer @ 2024-06-24 4:43 UTC (permalink / raw) To: 47144-done Cc: Josselin Poiret, Tobias Geerinckx-Rice, Sharlatan Hellseher, Ekaitz Zarraga, Simon Tournier, Guillaume Le Vaillant, Mark H Weaver, Ludovic Courtès, Katherine Cox-Buday, Efraim Flashner, Leo Famulari, Ricardo Wurmus, Munyoki Kilyungi, jgart, Mathieu Othacehe, Christopher Baines, Léo Le Bouter Hi, Maxim Cournoyer <maxim.cournoyer@gmail.com> writes: > * gnu/packages/base.scm (patch): Rename to... > (patch/pinned): ... this. Hide package. > (patch): New variable. > * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned. > (patch-boot0): Likewise. > (%final-inputs): Replace patch with patch/pinned. > * gnu/packages/lisp.scm (cl-asdf): Likewise. > * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned. > > Fixes: https://issues.guix.gnu.org/47144 > Reported-by: Mark H Weaver <mhw@netris.org> > Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873 Applied locally and will push shortly. -- Thanks, Maxim ^ permalink raw reply [flat|nested] 29+ messages in thread