bug#47144: security patching of 'patch' package

bug#47144: security patching of 'patch' package

[Mark H Weaver]

[-- Attachment #1: Type: text/plain, Size: 315 bytes --]

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100


[-- Attachment #2.1: Type: text/plain, Size: 614 bytes --]

Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952

Can I use latest commit from master to build 'patch' then graft
original package?

i.e. https://git.savannah.gnu.org/git/patch.git

There's not that many commits since last release, but lots of time: 
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo

[-- Attachment #2.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[-- Attachment #3: Type: text/plain, Size: 67 bytes --]

-------------------- End of forwarded message --------------------

bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].

[Léo Le Bouter via Bug reports for GNU Guix]

I tried something, using patch git repo's master instead of release tarballs, I
am not sure the git repo contains all the fixes, we could alternatively just
pull patches from Debian.

This attempt does not work yet however, it fails on some gnulib source file not
being found for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

This file seems to be generated by YACC from earlier log.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2

bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].

[Léo Le Bouter via Bug reports for GNU Guix]

* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages version-control)
   #:use-module (guix i18n)
   #:use-module (guix utils)
   #:use-module (guix packages)
@@ -228,6 +230,7 @@ standard utility.")
                (base32
                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
               (patches (search-patches "patch-hurd-path-max.patch"))))
+   (replacement patch/fixed)
    (build-system gnu-build-system)
    (arguments
     ;; Work around a cross-compilation bug whereby libpatch.a would provide
@@ -246,6 +249,42 @@ differences.")
    (license gpl3+)
    (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+    (package/inherit patch
+      (name "patch")
+      (version "2.7.6")
+      ;; (version (string-append "2.7.6-" (string-take commit 7)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://git.savannah.gnu.org/git/patch.git")
+               (commit commit)
+               (recursive? #t)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32
+           "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+         (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+           `(modify-phases ,phases
+             (replace 'bootstrap
+               (lambda* (#:key inputs #:allow-other-keys)
+                 (substitute* (list "gnulib/gnulib-tool"
+                                    "gnulib/build-aux/git-version-gen")
+                   (("/bin/sh") (which "sh")))
+                 (invoke "bash" "bootstrap" "--no-git"
+                         "--gnulib-srcdir=gnulib")
+                 #t))))))
+      (native-inputs
+       `(("autoconf" ,autoconf)
+         ("automake" ,automake)
+         ("git" ,git-minimal)
+         ,@(package-native-inputs patch))))))
+
 (define-public diffutils
   (package
    (name "diffutils")
-- 
2.30.2

bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].

[Ludovic Courtès]

Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency.  (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.

bug#47144: security patching of 'patch' package

[Maxim Cournoyer]

Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency.  (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.

The latest release of patch is the one we have, v2.7.6, made 4 years
ago.

Thanks,

Maxim

bug#47144: security patching of 'patch' package

[Leo Famulari]

On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
> 2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.

Unfortunately, the patches largely don't apply to the most recent
release of patch.

Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.

bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0.

[Maxim Cournoyer]

* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

 gnu/packages/unicode.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
 (define-public ucd
   (package
     (name "ucd")
-    (version "15.0.0")
+    (version "15.1.0")
     (source
      (origin
        (method url-fetch/zipbomb)
        (uri (string-append "https://www.unicode.org/Public/zipped/" version
                            "/UCD.zip"))
        (sha256
-        (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+        (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
     (build-system copy-build-system)
     (arguments
      '(#:install-plan

base-commit: eb4dc1b9ae3779419b047e2f4c7b5879353956a6
-- 
2.41.0

bug#47144: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.

[Maxim Cournoyer]

Also fix the gnulib-tool command, which would fail due to not finding their
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int,  sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

 gnu/local.mk                                |  1 +
 gnu/packages/build-tools.scm                | 55 ++++++++-------
 gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
 3 files changed, 107 insertions(+), 24 deletions(-)
 create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0f1ab6669a..5759b508cf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1391,6 +1391,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnome-settings-daemon-gc.patch		\
   %D%/packages/patches/gnome-session-support-elogind.patch	\
   %D%/packages/patches/gnome-tweaks-search-paths.patch		\
+  %D%/packages/patches/gnulib-bootstrap.patch			\
   %D%/packages/patches/gnumach-support-noide.patch		\
   %D%/packages/patches/gnupg-default-pinentry.patch		\
   %D%/packages/patches/gnupg-1-build-with-gcc10.patch		\
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
                           ;; FIXME: tests/uniname/HangulSyllableNames.txt
                           ;; seems like a UCD file but it is not distributed
                           ;; with UCD.
-                          "tests/uniwbrk/WordBreakTest.txt")))))))
+                          "tests/uniwbrk/WordBreakTest.txt")))))
+       (patches (search-patches "gnulib-bootstrap.patch"))))
     (build-system copy-build-system)
     (arguments
      (list
       #:install-plan
       #~'(("./gnulib-tool" "bin/")
+          ("./gnulib-tool.py" "bin/")
+          ("./gnulib-tool.sh" "bin/")
           ("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
       #:modules '((ice-9 match)
                   (guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
                   ((guix build gnu-build-system) #:prefix gnu:))
       #:phases
       #~(modify-phases %standard-phases
+          ;; Since this package is intended to be used in source form, it
+          ;; should not retain references to tools (with the exception for the
+          ;; commands we install, which should be wrapper for proper
+          ;; execution).
+          (delete 'patch-source-shebangs)
+          (delete 'patch-generated-file-shebangs)
+          (delete 'patch-usr-bin-file)
           (add-before 'install 'check
             (assoc-ref gnu:%standard-phases 'check))
           (add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
   sc_Wundef_boolean \\
   sc_copyright_check \\
   sc_file_system \\
+  sc_error_message_warn_fatal \\
   sc_indent \\
   sc_keep_gnulib_texi_files_mostly_ascii \\
+  sc_prefer_angle_bracket_headers \\
   sc_prohibit_assert_without_use \\
   sc_prohibit_close_stream_without_use \\
   sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
   sc_prohibit_intprops_without_use \\
   sc_prohibit_openat_without_use \\
   sc_prohibit_test_minus_ao \\
-  sc_unportable_grep_q"))
+  sc_readme_link_copying \\
+  sc_readme_link_install \\
+  sc_unportable_grep_q \\
+  sc_unsigned_char \\
+  sc_unsigned_int \\
+  sc_unsigned_long \\
+  sc_unsigned_short"))
               (substitute* "Makefile"
-                (("sc_check_(sym_list|copyright)" rule)
+                (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
                  (string-append "disabled_check_" rule))
                 (("sc_cpp_indent_check")
                  "disabled_cpp_indent_check")
                 (("sc_prefer_ac_check_funcs_once")
                  "disabled_prefer_ac_check_funcs_once")
-                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
                  (string-append "disabled_prohibit_" rule)))))
           (add-before 'check 'regenerate-unicode
             (lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
                              (sha256
                               (base32
                                "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
-                        (find-ucd-files "EastAsianWidth.txt"
+                        (find-ucd-files "BidiMirroring.txt"
+                                        "EastAsianWidth.txt"
                                         "LineBreak.txt"
                                         "auxiliary/WordBreakProperty.txt"
                                         "auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
                    ("NormalizationTest.txt" . "uninorm")
                    ("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
                    ("auxiliary/WordBreakTest.txt" . "uniwbrk")))
-                (delete-file "gen-uni-tables"))))
-          (add-after 'install 'restore-shebangs
-            (lambda _
-              (substitute* (find-files
-                            (string-append #$output "/src/gnulib")
-                            (lambda (fname stat)
-                              (and (not (string-suffix? "/lib/javaversion.class" fname))
-                                   (not (string-suffix? ".mo" fname)))))
-                (("^#! ?(.*)/bin/sh" _ prefix)
-                 "#!/bin/sh")
-                (("^#! ?(.*)/bin/python3" _ prefix)
-                 "#!/usr/bin/env python3")
-                (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
-                 (string-append "#!/usr/bin/" program))))))))
+                (delete-file "gen-uni-tables")))))))
     (inputs
-     (list bash-minimal))                         ;shebang for gnulib-tool
+     (list bash-minimal)) ;shebang for gnulib-tool
     (native-inputs
      (list
       bash-minimal python perl clisp
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
 
 (define-public gnulib
   (gnulib-checkout
-   #:version "2022-12-31"
-   #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
-   #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+   #:version "2024-05-30"
+   #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+   #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
 
 (define-public pdpmake
   (package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources.  The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version.  Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh      |  6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+ 
+ # Bootstrap this package from checked-out sources.
+ 
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+ 
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+   fi
+ 
+   if $use_gnulib; then
+-    gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    gnulib_tool=$(command -v gnulib-tool)
++    if test -x "$gnulib_tool"; then
++      :                         # done
++    elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++      gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++    else
++      gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    fi
+     <$gnulib_tool || return
+   fi
+ 
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+       * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+     esac
+   done
+-  gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  if test -n "$GNULIB_SRCDIR"; then
++    gnulib_dir=$GNULIB_SRCDIR
++  else
++    gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  fi
+ }
+ 
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+-- 
+2.41.0
+
-- 
2.41.0

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Maxim Cournoyer]

* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.

Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

 gnu/packages/base.scm | 44 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..8dcbf4b087 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
 ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages attr)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages build-tools)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
 
 (define-public patch
   (package
+    (replacement patch/fixed)
     (name "patch")
     (version "2.7.6")
     (source (origin
@@ -291,6 +294,45 @@ (define-public patch
     (license gpl3+)
     (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  ;; The latest release is from 2018, and lacks multiple security related
+  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
+  ;; until a proper release is made.
+  (let ((revision "0")
+        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+    (package
+      (inherit patch)
+      (name "patch")
+      (version (git-version "2.7.6" revision commit))
+      (source (origin
+                (inherit (package-source patch))
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://git.savannah.gnu.org/git/patch.git")
+                      (commit commit)))
+                (file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+          #~(modify-phases #$phases
+              (add-after 'unpack 'update-bootstrap-script
+                (lambda* (#:key native-inputs inputs #:allow-other-keys)
+                  (copy-file (search-input-file
+                              (or native-inputs inputs)
+                              "src/gnulib/build-aux/bootstrap")
+                             "bootstrap")))
+              (add-after 'unpack 'patch-configure.ac
+                (lambda _
+                  (substitute* "configure.ac"
+                    ;; The gnulib-provided git-version-gen script has a plain
+                    ;; shebang of #!/bin/sh; avoid using it.
+                    (("build-aux/git-version-gen" all)
+                     (string-append "sh " all)))))))))
+      (native-inputs (list autoconf automake bison ed gnulib)))))
+
 (define-public diffutils
   (package
    (name "diffutils")
-- 
2.41.0

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Simon Tournier]

Hi Maxim,

On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> +      (source (origin
> +                (inherit (package-source patch))
> +                (method git-fetch)
> +                (uri (git-reference
> +                      (url "https://git.savannah.gnu.org/git/patch.git")
> +                      (commit commit)))
> +                (file-name (git-file-name name version))
> +                (sha256
> +                 (base32
> +                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))

If I read correctly, (package-source patch) reads:

--8<---------------cut here---------------start------------->8---
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/patch/patch-"
                                  version ".tar.xz"))
              (sha256
               (base32
                "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
              (patches (search-patches "patch-hurd-path-max.patch"))))
--8<---------------cut here---------------end--------------->8---

Therefore the only thing that is copied is the ’patches’ field.  Right?

I think it would easy the readability to avoid ’inherit’ and plainly
write ’patches’.


Cheers,
simon

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Maxim Cournoyer]

Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> +      (source (origin
>> +                (inherit (package-source patch))
>> +                (method git-fetch)
>> +                (uri (git-reference
>> +                      (url "https://git.savannah.gnu.org/git/patch.git")
>> +                      (commit commit)))
>> +                (file-name (git-file-name name version))
>> +                (sha256
>> +                 (base32
>> +                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
>
> If I read correctly, (package-source patch) reads:
>
>     (source (origin
>               (method url-fetch)
>               (uri (string-append "mirror://gnu/patch/patch-"
>                                   version ".tar.xz"))
>               (sha256
>                (base32
>                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
>               (patches (search-patches "patch-hurd-path-max.patch"))))
>
> Therefore the only thing that is copied is the ’patches’ field.  Right?
>
> I think it would easy the readability to avoid ’inherit’ and plainly
> write ’patches’.

I preferred inheritance to avoid having to manually sync things in the
long run... (hopefully the graft gets ungrafted before 'patch' amasses
new phatces, but we never know...)

-- 
Thanks,
Maxim

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Simon Tournier]

Hi Maxim,

On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> I preferred inheritance to avoid having to manually sync things in the
> long run... (hopefully the graft gets ungrafted before 'patch' amasses
> new phatces, but we never know...)

What would be the long run? ;-)

Well, from my perspective, there is nothing to manually sync in the
future.

I mean, the only patch applied to release “2.7.6” will be still required
for patch/fixed; hence one will need to do what I am proposing if
’patch’ is removed.  Else if ’patch’ receives some security fixes, then
it seems expected to assume that the fix will be included in the latest
patch (here ’patch/fixed’).  Last, please note that ’patch’ is barely
modified.

--8<---------------cut here---------------start------------->8---
$ git log --format="%cd %s" -- gnu/packages/base.scm | grep 'gnu: patch'
Thu May 30 11:35:13 2024 -0400 gnu: patch: Fix indentation.
Sun Apr 22 22:40:48 2018 +0200 gnu: patch: Work around a cross-compilation issue.
Wed Mar 14 22:11:34 2018 +0100 gnu: patch: Update to 2.7.6.
Fri Jun 12 15:46:25 2015 +0300 gnu: patch: Set PATH_MAX for Hurd systems.
Mon Mar 9 22:56:50 2015 -0400 gnu: patch: Update to 2.7.5.
Sat Mar 7 20:34:50 2015 -0500 Revert "gnu: patch: Update to 2.7.5."
Sun Mar 8 00:32:11 2015 +0100 gnu: patch: Update to 2.7.5.
Wed Feb 11 11:23:46 2015 +0100 gnu: patch: Update to 2.7.4.
Fri Feb 6 13:53:28 2015 +0100 gnu: patch: Add 2.7.4 and make it a replacement for the default one.
Sat Apr 27 00:23:19 2013 +0200 gnu: patch: Update to 2.7.1.
--8<---------------cut here---------------end--------------->8---

I still think that it eases to have the patch close to the source
instead of coming from inheritance. Anyway. :-)

Cheers,
simon

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Maxim Cournoyer]

Hi,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> I preferred inheritance to avoid having to manually sync things in the
>> long run... (hopefully the graft gets ungrafted before 'patch' amasses
>> new phatces, but we never know...)
>
> What would be the long run? ;-)

> Well, from my perspective, there is nothing to manually sync in the
> future.

You're probably right.

> I mean, the only patch applied to release “2.7.6” will be still required
> for patch/fixed; hence one will need to do what I am proposing if
> ’patch’ is removed.  Else if ’patch’ receives some security fixes, then
> it seems expected to assume that the fix will be included in the latest
> patch (here ’patch/fixed’).  Last, please note that ’patch’ is barely
> modified.

OK.  I don't mind to do this change.  I'll send e revised version with
that done.

-- 
Thanks,
Maxim

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Maxim Cournoyer]

Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch) [replacement]: Graft with the above.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

[...]

>  (define-public patch
>    (package
> +    (replacement patch/fixed)
>      (name "patch")
>      (version "2.7.6")
>      (source (origin
> @@ -291,6 +294,45 @@ (define-public patch
>      (license gpl3+)
>      (home-page "https://savannah.gnu.org/projects/patch/")))
>  
> +(define patch/fixed
> +  ;; The latest release is from 2018, and lacks multiple security related
> +  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
> +  ;; until a proper release is made.
> +  (let ((revision "0")
> +        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
> +    (package
> +      (inherit patch)
> +      (name "patch")
> +      (version (git-version "2.7.6" revision commit))

I just realized that since this is for grafting purposes, I shouldn't
touch the version field (they need to match in length...).  Will send a v2.

-- 
Thanks,
Maxim

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Ludovic Courtès]

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

>  (define-public patch
>    (package
> +    (replacement patch/fixed)

Unless I’m mistaken, this will have practically no effect because Patch
is a build-time-only dependency.

My recommendation would be to not add a ‘replacement’ field at all.
Instead, you could add a new ‘patch/latest’ public variable pointing to
that commit that you picked.  That way, users running ‘guix install
patch’ or similar will get the latest version of Patch.

On the next ‘core-packages-team’ cycle, we’d update Patch to refer to
that commit.

WDYT?

Ludo’.

bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].

[Maxim Cournoyer]

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>>  (define-public patch
>>    (package
>> +    (replacement patch/fixed)
>
> Unless I’m mistaken, this will have practically no effect because Patch
> is a build-time-only dependency.
>
> My recommendation would be to not add a ‘replacement’ field at all.
> Instead, you could add a new ‘patch/latest’ public variable pointing to
> that commit that you picked.  That way, users running ‘guix install
> patch’ or similar will get the latest version of Patch.

I see what you mean, but for all practical purposes, using a graft seems
a more thorough (because it affects the original 'patch' *variable* as
well) means that have the same effect for users, so I'd seems like a
slightly better option to me.

So e.g. someone using the Guix API referencing exactly to the 'patch'
package variable would get a secure version, but would otherwise need to
know to adjust their code to use 'patch/latest'.

Does that make sense?

-- 
Thanks,
Maxim

bug#47144: security patching of 'patch' package

[Ludovic Courtès]

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> Unless I’m mistaken, this will have practically no effect because Patch
>> is a build-time-only dependency.
>>
>> My recommendation would be to not add a ‘replacement’ field at all.
>> Instead, you could add a new ‘patch/latest’ public variable pointing to
>> that commit that you picked.  That way, users running ‘guix install
>> patch’ or similar will get the latest version of Patch.
>
> I see what you mean, but for all practical purposes, using a graft seems
> a more thorough (because it affects the original 'patch' *variable* as
> well) means that have the same effect for users, so I'd seems like a
> slightly better option to me.

Strictly speaking, yes, but in practice the benefit are largely
theoretical IMO, and the cost of having a graft this deep in the
dependency graph.

What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
to the new version?

Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
code etc. would refer to ‘patch’ and thus get the latest version.

Ludo’.

bug#47144: security patching of 'patch' package

[Simon Tournier]

Hi,

On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:

> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.

I agree; it appears to me “safer” than the graft.

However, the cost is to identify which package needs ’patch/pinned’ and
which needs new ’patch’.  Then once upstream Patch upgrades, there is
also the question to unpin all the packages.

Somehow, your previous suggestion ’patch-latest’ for this new package
appears to me the best solution.  Because it does not require any update
here and there, and since the source field follows the Git upstream
latest instead of the released tarball, this solution of ’patch-latest’
seems appropriated.

Cheers,
simon

bug#47144: security patching of 'patch' package

[Maxim Cournoyer]

Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’.  Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.

Indeed.  It'll be easy though to grep for 'patch/pinned', which are far
and few in between, compared to grepping for 'patch'...  I've
implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.

-- 
Thanks,
Maxim

bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0.

[Maxim Cournoyer]

* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

(no changes since v1)

 gnu/packages/unicode.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
 (define-public ucd
   (package
     (name "ucd")
-    (version "15.0.0")
+    (version "15.1.0")
     (source
      (origin
        (method url-fetch/zipbomb)
        (uri (string-append "https://www.unicode.org/Public/zipped/" version
                            "/UCD.zip"))
        (sha256
-        (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+        (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
     (build-system copy-build-system)
     (arguments
      '(#:install-plan

base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
-- 
2.41.0

bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.

[Maxim Cournoyer]

Also fix the commands, which would fail due to not finding their
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int,  sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

(no changes since v1)

 gnu/local.mk                                |  1 +
 gnu/packages/build-tools.scm                | 55 ++++++++-------
 gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
 3 files changed, 107 insertions(+), 24 deletions(-)
 create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnome-settings-daemon-gc.patch		\
   %D%/packages/patches/gnome-session-support-elogind.patch	\
   %D%/packages/patches/gnome-tweaks-search-paths.patch		\
+  %D%/packages/patches/gnulib-bootstrap.patch			\
   %D%/packages/patches/gnumach-support-noide.patch		\
   %D%/packages/patches/gnupg-default-pinentry.patch		\
   %D%/packages/patches/gnupg-1-build-with-gcc10.patch		\
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
                           ;; FIXME: tests/uniname/HangulSyllableNames.txt
                           ;; seems like a UCD file but it is not distributed
                           ;; with UCD.
-                          "tests/uniwbrk/WordBreakTest.txt")))))))
+                          "tests/uniwbrk/WordBreakTest.txt")))))
+       (patches (search-patches "gnulib-bootstrap.patch"))))
     (build-system copy-build-system)
     (arguments
      (list
       #:install-plan
       #~'(("./gnulib-tool" "bin/")
+          ("./gnulib-tool.py" "bin/")
+          ("./gnulib-tool.sh" "bin/")
           ("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
       #:modules '((ice-9 match)
                   (guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
                   ((guix build gnu-build-system) #:prefix gnu:))
       #:phases
       #~(modify-phases %standard-phases
+          ;; Since this package is intended to be used in source form, it
+          ;; should not retain references to tools (with the exception for the
+          ;; commands we install, which should be wrapper for proper
+          ;; execution).
+          (delete 'patch-source-shebangs)
+          (delete 'patch-generated-file-shebangs)
+          (delete 'patch-usr-bin-file)
           (add-before 'install 'check
             (assoc-ref gnu:%standard-phases 'check))
           (add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
   sc_Wundef_boolean \\
   sc_copyright_check \\
   sc_file_system \\
+  sc_error_message_warn_fatal \\
   sc_indent \\
   sc_keep_gnulib_texi_files_mostly_ascii \\
+  sc_prefer_angle_bracket_headers \\
   sc_prohibit_assert_without_use \\
   sc_prohibit_close_stream_without_use \\
   sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
   sc_prohibit_intprops_without_use \\
   sc_prohibit_openat_without_use \\
   sc_prohibit_test_minus_ao \\
-  sc_unportable_grep_q"))
+  sc_readme_link_copying \\
+  sc_readme_link_install \\
+  sc_unportable_grep_q \\
+  sc_unsigned_char \\
+  sc_unsigned_int \\
+  sc_unsigned_long \\
+  sc_unsigned_short"))
               (substitute* "Makefile"
-                (("sc_check_(sym_list|copyright)" rule)
+                (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
                  (string-append "disabled_check_" rule))
                 (("sc_cpp_indent_check")
                  "disabled_cpp_indent_check")
                 (("sc_prefer_ac_check_funcs_once")
                  "disabled_prefer_ac_check_funcs_once")
-                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
                  (string-append "disabled_prohibit_" rule)))))
           (add-before 'check 'regenerate-unicode
             (lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
                              (sha256
                               (base32
                                "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
-                        (find-ucd-files "EastAsianWidth.txt"
+                        (find-ucd-files "BidiMirroring.txt"
+                                        "EastAsianWidth.txt"
                                         "LineBreak.txt"
                                         "auxiliary/WordBreakProperty.txt"
                                         "auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
                    ("NormalizationTest.txt" . "uninorm")
                    ("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
                    ("auxiliary/WordBreakTest.txt" . "uniwbrk")))
-                (delete-file "gen-uni-tables"))))
-          (add-after 'install 'restore-shebangs
-            (lambda _
-              (substitute* (find-files
-                            (string-append #$output "/src/gnulib")
-                            (lambda (fname stat)
-                              (and (not (string-suffix? "/lib/javaversion.class" fname))
-                                   (not (string-suffix? ".mo" fname)))))
-                (("^#! ?(.*)/bin/sh" _ prefix)
-                 "#!/bin/sh")
-                (("^#! ?(.*)/bin/python3" _ prefix)
-                 "#!/usr/bin/env python3")
-                (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
-                 (string-append "#!/usr/bin/" program))))))))
+                (delete-file "gen-uni-tables")))))))
     (inputs
-     (list bash-minimal))                         ;shebang for gnulib-tool
+     (list bash-minimal)) ;shebang for gnulib-tool
     (native-inputs
      (list
       bash-minimal python perl clisp
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
 
 (define-public gnulib
   (gnulib-checkout
-   #:version "2022-12-31"
-   #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
-   #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+   #:version "2024-05-30"
+   #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+   #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
 
 (define-public pdpmake
   (package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources.  The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version.  Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh      |  6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+ 
+ # Bootstrap this package from checked-out sources.
+ 
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+ 
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+   fi
+ 
+   if $use_gnulib; then
+-    gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    gnulib_tool=$(command -v gnulib-tool)
++    if test -x "$gnulib_tool"; then
++      :                         # done
++    elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++      gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++    else
++      gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    fi
+     <$gnulib_tool || return
+   fi
+ 
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+       * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+     esac
+   done
+-  gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  if test -n "$GNULIB_SRCDIR"; then
++    gnulib_dir=$GNULIB_SRCDIR
++  else
++    gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  fi
+ }
+ 
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+-- 
+2.41.0
+
-- 
2.41.0

bug#47144: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes].

[Maxim Cournoyer]

* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.

Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

Changes in v2:
 - Use same version to have the same store length, a graft requirement
 - Copy the gnulib source in a phase to avoid introducing a dependency cycle

 gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..45dbf77817 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
 ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages attr)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages build-tools)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
 
 (define-public patch
   (package
+    (replacement patch/fixed)
     (name "patch")
     (version "2.7.6")
     (source (origin
@@ -291,6 +294,53 @@ (define-public patch
     (license gpl3+)
     (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  ;; The latest release is from 2018, and lacks multiple security related
+  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
+  ;; until a proper release is made.
+  (let ((revision "0")
+        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+    (package
+      (inherit patch)
+      (name "patch")
+      ;; TODO: Uncomment when ungrafting.
+      ;;(version (git-version "2.7.6" revision commit))
+      (source (origin
+                (inherit (package-source patch))
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://git.savannah.gnu.org/git/patch.git")
+                      (commit commit)))
+                ;; TODO: Uncomment when ungrafting and using the above
+                ;; 'git-version'-computed version.
+                ;;(file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+          #~(modify-phases #$phases
+              (add-after 'unpack 'copy-gnulib-sources
+                (lambda _
+                  ;; XXX: We copy the source instead of using 'gnulib' as a
+                  ;; native input to avoid introducing a dependency cycle with.
+                  (copy-recursively #+gnulib "gnulib")
+                  (setenv "GNULIB_SRCDIR"
+                          (string-append (getcwd) "/gnulib/src/gnulib"))))
+              (add-after 'copy-gnulib-sources 'update-bootstrap-script
+                (lambda _
+                  (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+                             "bootstrap")))
+              (add-after 'unpack 'patch-configure.ac
+                (lambda _
+                  (substitute* "configure.ac"
+                    ;; The gnulib-provided git-version-gen script has a plain
+                    ;; shebang of #!/bin/sh; avoid using it.
+                    (("build-aux/git-version-gen" all)
+                     (string-append "sh " all)))))))))
+      (native-inputs (list autoconf automake bison ed)))))
+
 (define-public diffutils
   (package
    (name "diffutils")
-- 
2.41.0

bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0.

[Maxim Cournoyer]

* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

(no changes since v1)

 gnu/packages/unicode.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
 (define-public ucd
   (package
     (name "ucd")
-    (version "15.0.0")
+    (version "15.1.0")
     (source
      (origin
        (method url-fetch/zipbomb)
        (uri (string-append "https://www.unicode.org/Public/zipped/" version
                            "/UCD.zip"))
        (sha256
-        (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+        (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
     (build-system copy-build-system)
     (arguments
      '(#:install-plan

base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
-- 
2.45.1

bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.

[Maxim Cournoyer]

Also fix the commands, which would fail due to not finding their
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int,  sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

(no changes since v1)

 gnu/local.mk                                |  1 +
 gnu/packages/build-tools.scm                | 55 ++++++++-------
 gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
 3 files changed, 107 insertions(+), 24 deletions(-)
 create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnome-settings-daemon-gc.patch		\
   %D%/packages/patches/gnome-session-support-elogind.patch	\
   %D%/packages/patches/gnome-tweaks-search-paths.patch		\
+  %D%/packages/patches/gnulib-bootstrap.patch			\
   %D%/packages/patches/gnumach-support-noide.patch		\
   %D%/packages/patches/gnupg-default-pinentry.patch		\
   %D%/packages/patches/gnupg-1-build-with-gcc10.patch		\
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
                           ;; FIXME: tests/uniname/HangulSyllableNames.txt
                           ;; seems like a UCD file but it is not distributed
                           ;; with UCD.
-                          "tests/uniwbrk/WordBreakTest.txt")))))))
+                          "tests/uniwbrk/WordBreakTest.txt")))))
+       (patches (search-patches "gnulib-bootstrap.patch"))))
     (build-system copy-build-system)
     (arguments
      (list
       #:install-plan
       #~'(("./gnulib-tool" "bin/")
+          ("./gnulib-tool.py" "bin/")
+          ("./gnulib-tool.sh" "bin/")
           ("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
       #:modules '((ice-9 match)
                   (guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
                   ((guix build gnu-build-system) #:prefix gnu:))
       #:phases
       #~(modify-phases %standard-phases
+          ;; Since this package is intended to be used in source form, it
+          ;; should not retain references to tools (with the exception for the
+          ;; commands we install, which should be wrapper for proper
+          ;; execution).
+          (delete 'patch-source-shebangs)
+          (delete 'patch-generated-file-shebangs)
+          (delete 'patch-usr-bin-file)
           (add-before 'install 'check
             (assoc-ref gnu:%standard-phases 'check))
           (add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
   sc_Wundef_boolean \\
   sc_copyright_check \\
   sc_file_system \\
+  sc_error_message_warn_fatal \\
   sc_indent \\
   sc_keep_gnulib_texi_files_mostly_ascii \\
+  sc_prefer_angle_bracket_headers \\
   sc_prohibit_assert_without_use \\
   sc_prohibit_close_stream_without_use \\
   sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
   sc_prohibit_intprops_without_use \\
   sc_prohibit_openat_without_use \\
   sc_prohibit_test_minus_ao \\
-  sc_unportable_grep_q"))
+  sc_readme_link_copying \\
+  sc_readme_link_install \\
+  sc_unportable_grep_q \\
+  sc_unsigned_char \\
+  sc_unsigned_int \\
+  sc_unsigned_long \\
+  sc_unsigned_short"))
               (substitute* "Makefile"
-                (("sc_check_(sym_list|copyright)" rule)
+                (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
                  (string-append "disabled_check_" rule))
                 (("sc_cpp_indent_check")
                  "disabled_cpp_indent_check")
                 (("sc_prefer_ac_check_funcs_once")
                  "disabled_prefer_ac_check_funcs_once")
-                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
                  (string-append "disabled_prohibit_" rule)))))
           (add-before 'check 'regenerate-unicode
             (lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
                              (sha256
                               (base32
                                "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
-                        (find-ucd-files "EastAsianWidth.txt"
+                        (find-ucd-files "BidiMirroring.txt"
+                                        "EastAsianWidth.txt"
                                         "LineBreak.txt"
                                         "auxiliary/WordBreakProperty.txt"
                                         "auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
                    ("NormalizationTest.txt" . "uninorm")
                    ("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
                    ("auxiliary/WordBreakTest.txt" . "uniwbrk")))
-                (delete-file "gen-uni-tables"))))
-          (add-after 'install 'restore-shebangs
-            (lambda _
-              (substitute* (find-files
-                            (string-append #$output "/src/gnulib")
-                            (lambda (fname stat)
-                              (and (not (string-suffix? "/lib/javaversion.class" fname))
-                                   (not (string-suffix? ".mo" fname)))))
-                (("^#! ?(.*)/bin/sh" _ prefix)
-                 "#!/bin/sh")
-                (("^#! ?(.*)/bin/python3" _ prefix)
-                 "#!/usr/bin/env python3")
-                (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
-                 (string-append "#!/usr/bin/" program))))))))
+                (delete-file "gen-uni-tables")))))))
     (inputs
-     (list bash-minimal))                         ;shebang for gnulib-tool
+     (list bash-minimal)) ;shebang for gnulib-tool
     (native-inputs
      (list
       bash-minimal python perl clisp
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
 
 (define-public gnulib
   (gnulib-checkout
-   #:version "2022-12-31"
-   #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
-   #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+   #:version "2024-05-30"
+   #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+   #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
 
 (define-public pdpmake
   (package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources.  The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version.  Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh      |  6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+ 
+ # Bootstrap this package from checked-out sources.
+ 
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+ 
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+   fi
+ 
+   if $use_gnulib; then
+-    gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    gnulib_tool=$(command -v gnulib-tool)
++    if test -x "$gnulib_tool"; then
++      :                         # done
++    elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++      gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++    else
++      gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    fi
+     <$gnulib_tool || return
+   fi
+ 
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+       * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+     esac
+   done
+-  gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  if test -n "$GNULIB_SRCDIR"; then
++    gnulib_dir=$GNULIB_SRCDIR
++  else
++    gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  fi
+ }
+ 
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+-- 
+2.41.0
+
-- 
2.45.1

bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes].

[Maxim Cournoyer]

* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.

Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

Changes in v3:
 - Do not use inheritance for patch/fixed origin

Changes in v2:
 - Use same version to have the same store length, a graft requirement
 - Copy the gnulib source in a phase to avoid introducing a dependency cycle

 gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..3246b7bd0a 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
 ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages attr)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages build-tools)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
 
 (define-public patch
   (package
+    (replacement patch/fixed)
     (name "patch")
     (version "2.7.6")
     (source (origin
@@ -291,6 +294,53 @@ (define-public patch
     (license gpl3+)
     (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  ;; The latest release is from 2018, and lacks multiple security related
+  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
+  ;; until a proper release is made.
+  (let ((revision "0")
+        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+    (package
+      (inherit patch)
+      (name "patch")
+      ;; TODO: Uncomment when ungrafting.
+      ;;(version (git-version "2.7.6" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://git.savannah.gnu.org/git/patch.git")
+                      (commit commit)))
+                ;; TODO: Uncomment when ungrafting and using the above
+                ;; 'git-version'-computed version.
+                ;;(file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+                (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+          #~(modify-phases #$phases
+              (add-after 'unpack 'copy-gnulib-sources
+                (lambda _
+                  ;; XXX: We copy the source instead of using 'gnulib' as a
+                  ;; native input to avoid introducing a dependency cycle with.
+                  (copy-recursively #+gnulib "gnulib")
+                  (setenv "GNULIB_SRCDIR"
+                          (string-append (getcwd) "/gnulib/src/gnulib"))))
+              (add-after 'copy-gnulib-sources 'update-bootstrap-script
+                (lambda _
+                  (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+                             "bootstrap")))
+              (add-after 'unpack 'patch-configure.ac
+                (lambda _
+                  (substitute* "configure.ac"
+                    ;; The gnulib-provided git-version-gen script has a plain
+                    ;; shebang of #!/bin/sh; avoid using it.
+                    (("build-aux/git-version-gen" all)
+                     (string-append "sh " all)))))))))
+      (native-inputs (list autoconf automake bison ed)))))
+
 (define-public diffutils
   (package
    (name "diffutils")
-- 
2.45.1

bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0.

[Maxim Cournoyer]

* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

(no changes since v1)

 gnu/packages/unicode.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
 (define-public ucd
   (package
     (name "ucd")
-    (version "15.0.0")
+    (version "15.1.0")
     (source
      (origin
        (method url-fetch/zipbomb)
        (uri (string-append "https://www.unicode.org/Public/zipped/" version
                            "/UCD.zip"))
        (sha256
-        (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+        (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
     (build-system copy-build-system)
     (arguments
      '(#:install-plan

base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
-- 
2.45.1

bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.

[Maxim Cournoyer]

Also fix the commands, which would fail due to not finding their
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int,  sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

(no changes since v1)

 gnu/local.mk                                |  1 +
 gnu/packages/build-tools.scm                | 55 ++++++++-------
 gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
 3 files changed, 107 insertions(+), 24 deletions(-)
 create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnome-settings-daemon-gc.patch		\
   %D%/packages/patches/gnome-session-support-elogind.patch	\
   %D%/packages/patches/gnome-tweaks-search-paths.patch		\
+  %D%/packages/patches/gnulib-bootstrap.patch			\
   %D%/packages/patches/gnumach-support-noide.patch		\
   %D%/packages/patches/gnupg-default-pinentry.patch		\
   %D%/packages/patches/gnupg-1-build-with-gcc10.patch		\
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
                           ;; FIXME: tests/uniname/HangulSyllableNames.txt
                           ;; seems like a UCD file but it is not distributed
                           ;; with UCD.
-                          "tests/uniwbrk/WordBreakTest.txt")))))))
+                          "tests/uniwbrk/WordBreakTest.txt")))))
+       (patches (search-patches "gnulib-bootstrap.patch"))))
     (build-system copy-build-system)
     (arguments
      (list
       #:install-plan
       #~'(("./gnulib-tool" "bin/")
+          ("./gnulib-tool.py" "bin/")
+          ("./gnulib-tool.sh" "bin/")
           ("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
       #:modules '((ice-9 match)
                   (guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
                   ((guix build gnu-build-system) #:prefix gnu:))
       #:phases
       #~(modify-phases %standard-phases
+          ;; Since this package is intended to be used in source form, it
+          ;; should not retain references to tools (with the exception for the
+          ;; commands we install, which should be wrapper for proper
+          ;; execution).
+          (delete 'patch-source-shebangs)
+          (delete 'patch-generated-file-shebangs)
+          (delete 'patch-usr-bin-file)
           (add-before 'install 'check
             (assoc-ref gnu:%standard-phases 'check))
           (add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
   sc_Wundef_boolean \\
   sc_copyright_check \\
   sc_file_system \\
+  sc_error_message_warn_fatal \\
   sc_indent \\
   sc_keep_gnulib_texi_files_mostly_ascii \\
+  sc_prefer_angle_bracket_headers \\
   sc_prohibit_assert_without_use \\
   sc_prohibit_close_stream_without_use \\
   sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
   sc_prohibit_intprops_without_use \\
   sc_prohibit_openat_without_use \\
   sc_prohibit_test_minus_ao \\
-  sc_unportable_grep_q"))
+  sc_readme_link_copying \\
+  sc_readme_link_install \\
+  sc_unportable_grep_q \\
+  sc_unsigned_char \\
+  sc_unsigned_int \\
+  sc_unsigned_long \\
+  sc_unsigned_short"))
               (substitute* "Makefile"
-                (("sc_check_(sym_list|copyright)" rule)
+                (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
                  (string-append "disabled_check_" rule))
                 (("sc_cpp_indent_check")
                  "disabled_cpp_indent_check")
                 (("sc_prefer_ac_check_funcs_once")
                  "disabled_prefer_ac_check_funcs_once")
-                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+                (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
                  (string-append "disabled_prohibit_" rule)))))
           (add-before 'check 'regenerate-unicode
             (lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
                              (sha256
                               (base32
                                "0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
-                        (find-ucd-files "EastAsianWidth.txt"
+                        (find-ucd-files "BidiMirroring.txt"
+                                        "EastAsianWidth.txt"
                                         "LineBreak.txt"
                                         "auxiliary/WordBreakProperty.txt"
                                         "auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
                    ("NormalizationTest.txt" . "uninorm")
                    ("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
                    ("auxiliary/WordBreakTest.txt" . "uniwbrk")))
-                (delete-file "gen-uni-tables"))))
-          (add-after 'install 'restore-shebangs
-            (lambda _
-              (substitute* (find-files
-                            (string-append #$output "/src/gnulib")
-                            (lambda (fname stat)
-                              (and (not (string-suffix? "/lib/javaversion.class" fname))
-                                   (not (string-suffix? ".mo" fname)))))
-                (("^#! ?(.*)/bin/sh" _ prefix)
-                 "#!/bin/sh")
-                (("^#! ?(.*)/bin/python3" _ prefix)
-                 "#!/usr/bin/env python3")
-                (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
-                 (string-append "#!/usr/bin/" program))))))))
+                (delete-file "gen-uni-tables")))))))
     (inputs
-     (list bash-minimal))                         ;shebang for gnulib-tool
+     (list bash-minimal)) ;shebang for gnulib-tool
     (native-inputs
      (list
       bash-minimal python perl clisp
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
 
 (define-public gnulib
   (gnulib-checkout
-   #:version "2022-12-31"
-   #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
-   #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+   #:version "2024-05-30"
+   #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+   #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
 
 (define-public pdpmake
   (package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources.  The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version.  Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh      |  6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+ 
+ # Bootstrap this package from checked-out sources.
+ 
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+ 
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+   fi
+ 
+   if $use_gnulib; then
+-    gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    gnulib_tool=$(command -v gnulib-tool)
++    if test -x "$gnulib_tool"; then
++      :                         # done
++    elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++      gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++    else
++      gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++    fi
+     <$gnulib_tool || return
+   fi
+ 
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+       * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+     esac
+   done
+-  gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  if test -n "$GNULIB_SRCDIR"; then
++    gnulib_dir=$GNULIB_SRCDIR
++  else
++    gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++  fi
+ }
+ 
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+-- 
+2.41.0
+
-- 
2.45.1

bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes].

[Maxim Cournoyer]

* gnu/packages/base.scm (patch): Rename to...
(patch/pinned): ... this.  Hide package.
(patch): New variable.
* gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
(patch-boot0): Likewise.
(%final-inputs): Replace patch with patch/pinned.
* gnu/packages/lisp.scm (cl-asdf): Likewise.
* guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.

Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

Changes in v4:
 - Use a hidden patch/pinned and patch variables instead of a graft

Changes in v3:
 - Do not use inheritance for patch/fixed origin

Changes in v2:
 - Use same version to have the same store length, a graft requirement
 - Copy the gnulib source in a phase to avoid introducing a dependency cycle

 gnu/packages/base.scm         | 102 +++++++++++++++++++++++++---------
 gnu/packages/commencement.scm |   8 +--
 gnu/packages/lisp.scm         |   2 +-
 guix/packages.scm             |   2 +-
 4 files changed, 82 insertions(+), 32 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..66c5b7d237 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
 ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages attr)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages build-tools)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages multiprecision)
@@ -261,35 +263,83 @@ (define-public tar
    (license gpl3+)
    (home-page "https://www.gnu.org/software/tar/")))
 
-(define-public patch
-  (package
-    (name "patch")
-    (version "2.7.6")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/patch/patch-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
-              (patches (search-patches "patch-hurd-path-max.patch"))))
-    (build-system gnu-build-system)
-    (arguments
-     ;; Work around a cross-compilation bug whereby libpatch.a would provide
-     ;; '__mktime_internal', which conflicts with the one in libc.a.
-     (if (%current-target-system)
-         `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
-         '()))
-    (native-inputs (list ed))
-    (synopsis "Apply differences to originals, with optional backups")
-    (description
-     "Patch is a program that applies changes to files based on differences
+;;; TODO: Replace/merge with 'patch' on core-updates.
+(define-public patch/pinned
+  (hidden-package
+   (package
+     (name "patch")
+     (version "2.7.6")
+     (source (origin
+               (method url-fetch)
+               (uri (string-append "mirror://gnu/patch/patch-"
+                                   version ".tar.xz"))
+               (sha256
+                (base32
+                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
+               (patches (search-patches "patch-hurd-path-max.patch"))))
+     (build-system gnu-build-system)
+     (arguments
+      ;; Work around a cross-compilation bug whereby libpatch.a would provide
+      ;; '__mktime_internal', which conflicts with the one in libc.a.
+      (if (%current-target-system)
+          `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
+          '()))
+     (native-inputs (list ed))
+     (synopsis "Apply differences to originals, with optional backups")
+     (description
+      "Patch is a program that applies changes to files based on differences
 laid out as by the program \"diff\".  The changes may be applied to one or more
 files depending on the contents of the diff file.  It accepts several
 different diff formats.  It may also be used to revert previously applied
 differences.")
-    (license gpl3+)
-    (home-page "https://savannah.gnu.org/projects/patch/")))
+     (license gpl3+)
+     (home-page "https://savannah.gnu.org/projects/patch/"))))
+
+(define-public patch
+  ;; The latest release is from 2018, and lacks multiple security related
+  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
+  ;; until a proper release is made.
+  (let ((revision "0")
+        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")
+        (base patch/pinned))
+    (package
+      (inherit base)
+      (name "patch")
+      (version (git-version "2.7.6" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://git.savannah.gnu.org/git/patch.git")
+                      (commit commit)))
+                (file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+                (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments base)
+         ((#:phases phases '%standard-phases)
+          #~(modify-phases #$phases
+              (add-after 'unpack 'copy-gnulib-sources
+                (lambda _
+                  ;; XXX: We copy the source instead of using 'gnulib' as a
+                  ;; native input to avoid introducing a dependency cycle.
+                  (copy-recursively #+gnulib "gnulib")
+                  (setenv "GNULIB_SRCDIR"
+                          (string-append (getcwd) "/gnulib/src/gnulib"))))
+              (add-after 'copy-gnulib-sources 'update-bootstrap-script
+                (lambda _
+                  (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+                             "bootstrap")))
+              (add-after 'unpack 'patch-configure.ac
+                (lambda _
+                  (substitute* "configure.ac"
+                    ;; The gnulib-provided git-version-gen script has a plain
+                    ;; shebang of #!/bin/sh; avoid using it.
+                    (("build-aux/git-version-gen" all)
+                     (string-append "sh " all)))))))))
+      (native-inputs (list autoconf automake bison ed))
+      (properties '()))))
 
 (define-public diffutils
   (package
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index b4d236c35b..0433059493 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -878,7 +878,7 @@ (define tcc-boot
 (define patch-mesboot
   ;; The initial patch.
   (package
-    (inherit patch)
+    (inherit patch/pinned)
     (name "patch-mesboot")
     (version "2.5.9")
     (source (origin
@@ -2167,8 +2167,8 @@ (define gawk-boot0
 
 (define patch-boot0
   (package
-    (inherit patch)
-    (source (bootstrap-origin (package-source patch)))
+    (inherit patch/pinned)
+    (source (bootstrap-origin (package-source patch/pinned)))
     (name "patch-boot0")
     (native-inputs '())
     (inputs
@@ -3482,7 +3482,7 @@ (define-public %final-inputs
                    ("bzip2" ,bzip2)
                    ("file" ,file)
                    ("diffutils" ,diffutils)
-                   ("patch" ,patch)
+                   ("patch" ,patch/pinned)
                    ("findutils" ,findutils)
                    ("gawk" ,gawk)))
           ("sed" ,sed-final)
diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm
index 6bf93d83c7..6f3bd126cc 100644
--- a/gnu/packages/lisp.scm
+++ b/gnu/packages/lisp.scm
@@ -121,7 +121,7 @@ (define-public cl-asdf
     (build-system trivial-build-system)
     (native-inputs
      `(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch"))
-       ("patch" ,patch)))
+       ("patch" ,patch/pinned)))
     (arguments
      `(#:modules ((guix build utils)
                   (guix build lisp-utils))
diff --git a/guix/packages.scm b/guix/packages.scm
index abe89cdb07..f3a9a61785 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -899,7 +899,7 @@ (define (%standard-patch-inputs system)
       ("gzip"  ,(ref '(gnu packages compression) 'gzip))
       ("lzip"  ,(ref '(gnu packages compression) 'lzip))
       ("unzip" ,(ref '(gnu packages compression) 'unzip))
-      ("patch" ,(ref '(gnu packages base) 'patch))
+      ("patch" ,(ref '(gnu packages base) 'patch/pinned))
       ("locales"
        ,(parameterize ((%current-target-system #f)
                        (%current-system system))
-- 
2.45.1

bug#47144: security patching of 'patch' package

[Maxim Cournoyer]

Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this.  Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

Applied locally and will push shortly.

-- 
Thanks,
Maxim