* bug#47144: security patching of 'patch' package
From: Mark H Weaver @ 2021-03-14 21:37 UTC (permalink / raw)
To: 47144
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello!
I found that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':
patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952
Can I use the latest commit from master to build 'patch', then graft the
original package?
i.e. https://git.savannah.gnu.org/git/patch.git
There aren't that many commits since the last release, but a lot of time has passed:
https://git.savannah.gnu.org/cgit/patch.git/log/
Thank you,
Léo
-------------------- End of forwarded message --------------------
* bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-15 18:26 UTC (permalink / raw)
To: 47144; +Cc: Léo Le Bouter
I tried something, using the patch git repo's master instead of the release
tarballs. I am not sure the git repo contains all the fixes; we could
alternatively just pull patches from Debian.
This attempt does not work yet, however; it fails on some gnulib source file
not being found, for some reason:
gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.
This file seems to be generated by YACC, judging from the earlier log.
Léo Le Bouter (1):
gnu: patch: Update to 2.7.6-7623b2d [security fixes].
gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
--
2.30.2
* bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-15 18:26 UTC (permalink / raw)
To: 47144; +Cc: Léo Le Bouter
* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
#:use-module (gnu packages compression)
#:use-module (gnu packages perl)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages pcre)
#:use-module (gnu packages texinfo)
#:use-module (gnu packages hurd)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python)
#:use-module (gnu packages gettext)
+ #:use-module (gnu packages version-control)
#:use-module (guix i18n)
#:use-module (guix utils)
#:use-module (guix packages)
@@ -228,6 +230,7 @@ standard utility.")
(base32
"1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
(patches (search-patches "patch-hurd-path-max.patch"))))
+ (replacement patch/fixed)
(build-system gnu-build-system)
(arguments
;; Work around a cross-compilation bug whereby libpatch.a would provide
@@ -246,6 +249,42 @@ differences.")
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+ (package/inherit patch
+ (name "patch")
+ (version "2.7.6")
+ ;; (version (string-append "2.7.6-" (string-take commit 7)))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)
+ (recursive? #t)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ `(modify-phases ,phases
+ (replace 'bootstrap
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* (list "gnulib/gnulib-tool"
+ "gnulib/build-aux/git-version-gen")
+ (("/bin/sh") (which "sh")))
+ (invoke "bash" "bootstrap" "--no-git"
+ "--gnulib-srcdir=gnulib")
+ #t))))))
+ (native-inputs
+ `(("autoconf" ,autoconf)
+ ("automake" ,automake)
+ ("git" ,git-minimal)
+ ,@(package-native-inputs patch))))))
+
(define-public diffutils
(package
(name "diffutils")
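Review bot: the native-inputs list of patch/fixed has no bison, which lines up with the failure reported in the cover letter: parse-datetime.c is produced by a yacc (bison is the GNU one) from its .y source during the gnulib bootstrap, so with `bootstrap --no-git` and no yacc available nothing generates it and gcc is handed a missing file; add bison to native-inputs next to autoconf and automake. In the same definition, the commented-out `;; (version (string-append "2.7.6-" (string-take commit 7)))` should become a real comment stating that the version is deliberately left at "2.7.6" because the replacement of a graft must keep a store file name of the same length as the original, and `#:key inputs` in the 'bootstrap lambda is unused and can be dropped.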
--
2.30.2
* bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
From: Ludovic Courtès @ 2021-03-18 21:58 UTC (permalink / raw)
To: 47144
Hi,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.
It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency. (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)
What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.
HTH,
Ludo’.
* bug#47144: security patching of 'patch' package
From: Leo Famulari @ 2021-04-14 21:54 UTC (permalink / raw)
To: Mark H Weaver; +Cc: 47144
On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
> 2018-6952
I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.
Unfortunately, the patches largely don't apply to the most recent
release of patch.
Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.
* bug#47144: security patching of 'patch' package
From: Maxim Cournoyer @ 2022-03-23 3:03 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 47144
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency. (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.
The latest release of patch is the one we have, v2.7.6, made 4 years
ago.
Thanks,
Maxim
* bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0.
From: Maxim Cournoyer @ 2024-05-31 2:59 UTC (permalink / raw)
To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.
Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---
gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan
base-commit: eb4dc1b9ae3779419b047e2f4c7b5879353956a6
--
2.41.0
* bug#47144: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
From: Maxim Cournoyer @ 2024-05-31 2:59 UTC (permalink / raw)
To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari
Also fix the gnulib-tool command, which would fail due to not finding its
implementation scripts.
* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.
Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---
gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0f1ab6669a..5759b508cf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1391,6 +1391,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
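Review bot: the new comment says the commands installed under bin/ "should be wrapper for proper execution", but this hunk only deletes the three shebang-patching phases and adds no wrapping step for bin/gnulib-tool, bin/gnulib-tool.sh and bin/gnulib-tool.py. Either add the wrap phase, or reword the comment to say which mechanism is relied on to make the installed copies executable on Guix (for instance the standard 'patch-shebangs phase that runs after 'install, if that is the intent), so a later reader does not look for a wrapper that is not there; "wrapper" should also read "wrappers".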
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
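Review bot: the backslash-newline continuation inside the regexp string, `leading_TABs\` followed by `|sc_omitted_at)" rule)` at column 0, is easy to misread as a literal `\|`; keeping the whole alternation `"sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs|sc_omitted_at)"` on one line, even if it exceeds the usual width, or building it with `string-append`, would make it obvious that the rule disabled is sc_prohibit_sc_omitted_at as the ChangeLog entry states.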
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
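Review bot: the `-`/`+` pair for `(list bash-minimal)) ;shebang for gnulib-tool` differs only in whitespace; either drop it from the patch or mention the indentation fix in the commit message so reviewers do not hunt for a semantic change. Removing 'restore-shebangs together with the 'patch-source-shebangs deletion is consistent: nothing rewrites shebangs under src/gnulib any more, so the checkout is installed pristine, which is what the ChangeLog entry describes.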
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
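Review bot: the new lookup order in autogen() prefers whatever `gnulib-tool` happens to be first on PATH over the copy under $GNULIB_SRCDIR, which before this change was the only candidate; a build that sets GNULIB_SRCDIR explicitly can now silently pick up a different gnulib-tool from the caller's environment, so a stray or stale copy on PATH takes precedence over the pinned checkout. Consider consulting PATH only when GNULIB_SRCDIR is unset, or verifying that the PATH copy resolves into the same gnulib tree, and quote `$GNULIB_SRCDIR/../../bin/gnulib-tool` in the `test -x` so a path with spaces does not break the test. `test -x "$gnulib_tool"` on the empty string returned by `command -v` when the command is absent is false, so the fallback chain works, but an explicit `test -n` would state that intent.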
--
2.41.0
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Maxim Cournoyer @ 2024-05-31 2:59 UTC (permalink / raw)
To: 47144
Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus,
Maxim Cournoyer, Leo Famulari, Ludovic Courtès
* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.
Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---
gnu/packages/base.scm | 44 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..8dcbf4b087 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
(define-public patch
(package
+ (replacement patch/fixed)
(name "patch")
(version "2.7.6")
(source (origin
@@ -291,6 +294,45 @@ (define-public patch
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+ (package
+ (inherit patch)
+ (name "patch")
+ (version (git-version "2.7.6" revision commit))
+ (source (origin
+ (inherit (package-source patch))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'update-bootstrap-script
+ (lambda* (#:key native-inputs inputs #:allow-other-keys)
+ (copy-file (search-input-file
+ (or native-inputs inputs)
+ "src/gnulib/build-aux/bootstrap")
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed gnulib)))))
+
(define-public diffutils
(package
(name "diffutils")
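Review bot: `(version (git-version "2.7.6" revision commit))` yields a string of the form "2.7.6-0.f144b35", which is longer than the original "2.7.6"; since patch/fixed is installed as the graft `replacement` of patch, its store file name has to be the same length as the one it replaces, so the version field should stay "2.7.6" and the commit should be recorded in the comment above the definition instead (the `revision` binding then becomes unused). The comment's "simply use the latest commit" would also be more useful with the date of that commit, so the next person can judge how stale the graft is.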
--
2.41.0
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Simon Tournier @ 2024-05-31 16:13 UTC (permalink / raw)
To: Maxim Cournoyer, 47144
Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus,
Maxim Cournoyer, Leo Famulari
Hi Maxim,
On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> + (source (origin
> + (inherit (package-source patch))
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://git.savannah.gnu.org/git/patch.git")
> + (commit commit)))
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
If I read correctly, (package-source patch) reads:
--8<---------------cut here---------------start------------->8---
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/patch/patch-"
version ".tar.xz"))
(sha256
(base32
"1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
(patches (search-patches "patch-hurd-path-max.patch"))))
--8<---------------cut here---------------end--------------->8---
Therefore the only thing that is copied is the ’patches’ field. Right?
I think it would ease readability to avoid ’inherit’ and plainly
write ’patches’.
Cheers,
simon
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Maxim Cournoyer @ 2024-06-01 1:49 UTC (permalink / raw)
To: Simon Tournier
Cc: Mark H Weaver, Ludovic Courtès, Leo Famulari, Vivien Kraus,
47144
Hi Simon,
Simon Tournier <zimon.toutoune@gmail.com> writes:
> Hi Maxim,
>
> On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> + (source (origin
>> + (inherit (package-source patch))
>> + (method git-fetch)
>> + (uri (git-reference
>> + (url "https://git.savannah.gnu.org/git/patch.git")
>> + (commit commit)))
>> + (file-name (git-file-name name version))
>> + (sha256
>> + (base32
>> + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
>
> If I read correctly, (package-source patch) reads:
>
> (source (origin
> (method url-fetch)
> (uri (string-append "mirror://gnu/patch/patch-"
> version ".tar.xz"))
> (sha256
> (base32
> "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
> (patches (search-patches "patch-hurd-path-max.patch"))))
>
> Therefore the only thing that is copied is the ’patches’ field. Right?
>
> I think it would ease readability to avoid ’inherit’ and plainly
> write ’patches’.
I preferred inheritance to avoid having to manually sync things in the
long run... (hopefully the graft gets ungrafted before 'patch' amasses
new patches, but we never know...)
--
Thanks,
Maxim
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
From: Maxim Cournoyer @ 2024-06-01 11:34 UTC (permalink / raw)
To: 47144; +Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus, Leo Famulari
Hi,
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch) [replacement]: Graft with the above.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
[...]
> (define-public patch
> (package
> + (replacement patch/fixed)
> (name "patch")
> (version "2.7.6")
> (source (origin
> @@ -291,6 +294,45 @@ (define-public patch
> (license gpl3+)
> (home-page "https://savannah.gnu.org/projects/patch/")))
>
> +(define patch/fixed
> + ;; The latest release is from 2018, and lacks multiple security related
> + ;; patches. Since Fedora carries 23 patches, simply use the latest commit
> + ;; until a proper release is made.
> + (let ((revision "0")
> + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
> + (package
> + (inherit patch)
> + (name "patch")
> + (version (git-version "2.7.6" revision commit))
I just realized that since this is for grafting purposes, I shouldn't
touch the version field (they need to match in length...). Will send a v2.
--
Thanks,
Maxim
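The length constraint Maxim points out above, shown as an added example that is not Guix's own code and not from this thread: a small Python model of how a graft rewrites store path references byte for byte inside the files of dependent packages, which is exactly why a replacement's store file name must be as long as the original's. The store hashes are constructed samples, the commit is the one from the patch, and `git_version` mirrors the "<version>-<revision>.<short commit>" shape of Guix's git-version procedure (an assumption stated here, not taken from the thread).

```python
"""Model of a Guix graft: rewrite store path references byte for byte.

Added example, not code from Guix or from this thread.  A graft patches
the files of every package that refers to the original store item,
replacing the original's store path with the replacement's in place.
Offsets inside binaries, string tables and scripts must not move, so the
two paths, and therefore the "<hash>-<name>-<version>" file names, must
have the same length.  The hashes below are constructed samples.
"""

STORE = "/gnu/store/"
HASH_LEN = 32  # a Guix store hash is 32 base32 characters


class GraftError(ValueError):
    """Raised when a replacement cannot be grafted over the original."""


def store_path(hash_, name, version):
    """Build a store path of the form /gnu/store/<hash>-<name>-<version>."""
    if len(hash_) != HASH_LEN:
        raise ValueError(f"store hash must be {HASH_LEN} characters")
    return f"{STORE}{hash_}-{name}-{version}"


def git_version(version, revision, commit):
    """Version string in the shape Guix's git-version produces (assumption)."""
    return f"{version}-{revision}.{commit[:7]}"


def check_graft(original, replacement):
    """Return None if `replacement` may be grafted over `original`,
    otherwise a string describing why not."""
    if len(original) != len(replacement):
        return (f"store file names differ in length: "
                f"{len(original)} vs {len(replacement)}")
    return None


def graft_bytes(data, original, replacement):
    """Rewrite every reference to `original` in `data` with `replacement`.

    The data is treated as opaque bytes (an ELF string table, a script
    and a symlink target all look alike here); the output keeps its size.
    """
    problem = check_graft(original, replacement)
    if problem is not None:
        raise GraftError(problem)
    out = data.replace(original.encode(), replacement.encode())
    assert len(out) == len(data)  # offsets are preserved by construction
    return out


# Constructed sample: the original 'patch' item and two candidate grafts.
ORIGINAL = store_path("a" * HASH_LEN, "patch", "2.7.6")
# Same version string, different hash: same length, graftable.
REPLACEMENT_OK = store_path("b" * HASH_LEN, "patch", "2.7.6")
# git-version style string, as in v1 of the patch: longer, not graftable.
COMMIT = "f144b35425d9d7732ea5485034c1a6b7a106ab92"
REPLACEMENT_BAD = store_path("b" * HASH_LEN, "patch",
                             git_version("2.7.6", "0", COMMIT))

# Constructed sample of a dependent's file: a script that calls patch by
# its full store path, as a wrapper or a generated Makefile would.
SAMPLE = (b"#!/bin/sh\n"
          + b"exec " + ORIGINAL.encode() + b"/bin/patch \"$@\"\n")


def demo():
    """Graft the good replacement and report why the bad one is refused."""
    grafted = graft_bytes(SAMPLE, ORIGINAL, REPLACEMENT_OK)
    return grafted, check_graft(ORIGINAL, REPLACEMENT_BAD)


if __name__ == "__main__":
    grafted, problem = demo()
    print(grafted.decode())
    print("git-version replacement rejected:", problem)
```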
* bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0.
From: Maxim Cournoyer @ 2024-06-01 12:56 UTC (permalink / raw)
To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.
Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---
(no changes since v1)
gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan
base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
--
2.41.0
* bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
From: Maxim Cournoyer @ 2024-06-01 12:56 UTC (permalink / raw)
To: 47144; +Cc: Ludovic Courtès, Vivien Kraus, Maxim Cournoyer, Leo Famulari
Also fix the commands, which would fail due to not finding their
implementation scripts.
* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.
Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---
(no changes since v1)
gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
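Review bot: the two new install-plan entries are plain copies, so `bin/gnulib-tool.sh` will locate its module sources only through the GNULIB_SRCDIR lookup that gnulib-bootstrap.patch adds to `func_gnulib_dir` (when that variable is unset the function falls back to the directory of the script itself, which for the installed copy is `bin/`, not `src/gnulib`). Nothing in this diff sets GNULIB_SRCDIR for the installed commands; either wrap them so it points at `$out/src/gnulib`, or state in the commit message that callers must export it.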
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
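Review bot: the comment says the installed commands "should be wrapper[s]", but this hunk only deletes the shebang-patching phases and adds no `wrap-program` or wrapper step, so `bin/gnulib-tool`, `bin/gnulib-tool.sh` and `bin/gnulib-tool.py` ship with their upstream `#!/bin/sh` and `python3` shebangs untouched. That is the intended outcome for the pristine `src/gnulib` tree, but for the `bin/` commands it means they run only where those interpreters resolve on the host; either add the wrapper the comment describes or reword the comment to say the commands are deliberately left as-is.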
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
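Review bot: the commit message lists the ten newly disabled `sc_*` syntax-check rules but not why each one fails here; a short comment beside the list (or a sentence in the message) giving the cause would let someone re-enable them after the next gnulib update instead of carrying the exclusions forever. Stylistically, splitting the regex string with a backslash-newline (`leading_TABs\` / `|sc_omitted_at)`) relies on Guile's string line continuation and on the continuation line starting at column 0; keeping the whole alternation on one line, or building it with `string-append`, avoids that subtlety.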
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
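Review bot: with `restore-shebangs` removed here and `patch-source-shebangs` removed above, no phase rewrites a shebang any more, so the `bash-minimal` entry in `inputs`, annotated "shebang for gnulib-tool", no longer serves its stated purpose (it remains in `native-inputs` for the build itself). Either drop it from `inputs` or update the comment to say what the run-time reference is for; as shown, the `inputs` line changes only in whitespace, which is noise in a functional patch.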
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
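Review bot: the new lookup order in `autogen()` consults `command -v gnulib-tool` before `$GNULIB_SRCDIR/gnulib-tool`, so a developer who deliberately set GNULIB_SRCDIR to a specific checkout now silently gets whichever `gnulib-tool` is first in PATH, which may be a different gnulib version than the modules in GNULIB_SRCDIR (and, with the `func_gnulib_dir` change, that tool will then operate on GNULIB_SRCDIR's modules). Consider trying PATH only when GNULIB_SRCDIR is unset, or at least warning when both candidates exist and differ. Two smaller points: `test -x $GNULIB_SRCDIR/../../bin/gnulib-tool` is unquoted while the branch above quotes `"$gnulib_tool"`, and since `build-aux/bootstrap` is a script projects copy verbatim from gnulib, the commit message should say whether this change has been proposed upstream.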
--
2.41.0
* bug#47144: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes].
2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-01 12:56 ` bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
@ 2024-06-01 12:56 ` Maxim Cournoyer
1 sibling, 0 replies; 29+ messages in thread
From: Maxim Cournoyer @ 2024-06-01 12:56 UTC (permalink / raw)
To: 47144
Cc: Mark H Weaver, Ludovic Courtès, Vivien Kraus,
Maxim Cournoyer, Leo Famulari, Ludovic Courtès
* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.
Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---
Changes in v2:
- Use same version to have the same store length, a graft requirement
- Copy the gnulib source in a phase to avoid introducing a dependency cycle
gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..45dbf77817 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
(define-public patch
(package
+ (replacement patch/fixed)
(name "patch")
(version "2.7.6")
(source (origin
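Review bot: `replacement` turns this into a graft, and a graft only rewrites store references inside the outputs of dependents; `patch` is almost always a native (build-time) input, so packages that merely ran it during their build carry no reference to rewrite and were still built with the unpatched 2.7.6. The graft therefore mainly helps users who install `patch` itself, which is the point Ludovic raises downthread with the `patch/latest` suggestion; the commit message should state that scope explicitly.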
@@ -291,6 +294,53 @@ (define-public patch
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+ (package
+ (inherit patch)
+ (name "patch")
+ ;; TODO: Uncomment when ungrafting.
+ ;;(version (git-version "2.7.6" revision commit))
+ (source (origin
+ (inherit (package-source patch))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ ;; TODO: Uncomment when ungrafting and using the above
+ ;; 'git-version'-computed version.
+ ;;(file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'copy-gnulib-sources
+ (lambda _
+ ;; XXX: We copy the source instead of using 'gnulib' as a
+ ;; native input to avoid introducing a dependency cycle with.
+ (copy-recursively #+gnulib "gnulib")
+ (setenv "GNULIB_SRCDIR"
+ (string-append (getcwd) "/gnulib/src/gnulib"))))
+ (add-after 'copy-gnulib-sources 'update-bootstrap-script
+ (lambda _
+ (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed)))))
+
(define-public diffutils
(package
(name "diffutils")
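Review bot: the subject says [security fixes] but neither the message nor the code comment names the CVEs that moving to commit f144b354 resolves; listing them makes the fix auditable and lets `guix lint -c cve` findings be checked off. In the hunk itself, `(name "patch")` is redundant with `(inherit patch)`, and the comment "to avoid introducing a dependency cycle with." ends mid-sentence. Note also that `#+gnulib` still makes gnulib a build-time dependency of the derivation; what the phase avoids is listing it in the package's `native-inputs`, so say that. Finally, `update-bootstrap-script` replaces patch's own `build-aux/bootstrap` with gnulib's, which is what brings in the GNULIB_SRCDIR-based lookup from gnulib-bootstrap.patch; a one-line comment stating that dependency would save the next reader a trip.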
--
2.41.0
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
2024-05-31 2:59 ` bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-05-31 16:13 ` Simon Tournier
2024-06-01 11:34 ` Maxim Cournoyer
@ 2024-06-01 14:32 ` Ludovic Courtès
2024-06-01 15:02 ` Maxim Cournoyer
2 siblings, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2024-06-01 14:32 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: Mark H Weaver, Leo Famulari, Vivien Kraus, 47144
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> (define-public patch
> (package
> + (replacement patch/fixed)
Unless I’m mistaken, this will have practically no effect because Patch
is a build-time-only dependency.
My recommendation would be to not add a ‘replacement’ field at all.
Instead, you could add a new ‘patch/latest’ public variable pointing to
that commit that you picked. That way, users running ‘guix install
patch’ or similar will get the latest version of Patch.
On the next ‘core-packages-team’ cycle, we’d update Patch to refer to
that commit.
WDYT?
Ludo’.
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
2024-06-01 14:32 ` Ludovic Courtès
@ 2024-06-01 15:02 ` Maxim Cournoyer
2024-06-05 16:04 ` bug#47144: security patching of 'patch' package Ludovic Courtès
0 siblings, 1 reply; 29+ messages in thread
From: Maxim Cournoyer @ 2024-06-01 15:02 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Mark H Weaver, Leo Famulari, Vivien Kraus, 47144
Hi Ludovic,
Ludovic Courtès <ludo@gnu.org> writes:
> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> (define-public patch
>> (package
>> + (replacement patch/fixed)
>
> Unless I’m mistaken, this will have practically no effect because Patch
> is a build-time-only dependency.
>
> My recommendation would be to not add a ‘replacement’ field at all.
> Instead, you could add a new ‘patch/latest’ public variable pointing to
> that commit that you picked. That way, users running ‘guix install
> patch’ or similar will get the latest version of Patch.
I see what you mean, but for all practical purposes, using a graft seems
a more thorough (because it affects the original 'patch' *variable* as
well) means that has the same effect for users, so it seems like a
slightly better option to me.
So e.g. someone using the Guix API referencing exactly the 'patch'
package variable would get a secure version, but would otherwise need to
know to adjust their code to use 'patch/latest'.
Does that make sense?
--
Thanks,
Maxim
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
2024-06-01 1:49 ` Maxim Cournoyer
@ 2024-06-04 15:39 ` Simon Tournier
2024-06-05 1:08 ` Maxim Cournoyer
0 siblings, 1 reply; 29+ messages in thread
From: Simon Tournier @ 2024-06-04 15:39 UTC (permalink / raw)
To: Maxim Cournoyer
Cc: Mark H Weaver, Ludovic Courtès, 47144, Vivien Kraus,
Leo Famulari
Hi Maxim,
On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> I preferred inheritance to avoid having to manually sync things in the
> long run... (hopefully the graft gets ungrafted before 'patch' amasses
> new patches, but we never know...)
What would be the long run? ;-)
Well, from my perspective, there is nothing to manually sync in the
future.
I mean, the only patch applied to release “2.7.6” will be still required
for patch/fixed; hence one will need to do what I am proposing if
’patch’ is removed. Else if ’patch’ receives some security fixes, then
it seems expected to assume that the fix will be included in the latest
patch (here ’patch/fixed’). Last, please note that ’patch’ is barely
modified.
--8<---------------cut here---------------start------------->8---
$ git log --format="%cd %s" -- gnu/packages/base.scm | grep 'gnu: patch'
Thu May 30 11:35:13 2024 -0400 gnu: patch: Fix indentation.
Sun Apr 22 22:40:48 2018 +0200 gnu: patch: Work around a cross-compilation issue.
Wed Mar 14 22:11:34 2018 +0100 gnu: patch: Update to 2.7.6.
Fri Jun 12 15:46:25 2015 +0300 gnu: patch: Set PATH_MAX for Hurd systems.
Mon Mar 9 22:56:50 2015 -0400 gnu: patch: Update to 2.7.5.
Sat Mar 7 20:34:50 2015 -0500 Revert "gnu: patch: Update to 2.7.5."
Sun Mar 8 00:32:11 2015 +0100 gnu: patch: Update to 2.7.5.
Wed Feb 11 11:23:46 2015 +0100 gnu: patch: Update to 2.7.4.
Fri Feb 6 13:53:28 2015 +0100 gnu: patch: Add 2.7.4 and make it a replacement for the default one.
Sat Apr 27 00:23:19 2013 +0200 gnu: patch: Update to 2.7.1.
--8<---------------cut here---------------end--------------->8---
I still think that it is easier to have the patch close to the source
instead of coming from inheritance. Anyway. :-)
Cheers,
simon
* bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
2024-06-04 15:39 ` Simon Tournier
@ 2024-06-05 1:08 ` Maxim Cournoyer
0 siblings, 0 replies; 29+ messages in thread
From: Maxim Cournoyer @ 2024-06-05 1:08 UTC (permalink / raw)
To: Simon Tournier
Cc: Mark H Weaver, Ludovic Courtès, 47144, Vivien Kraus,
Leo Famulari
Hi,
Simon Tournier <zimon.toutoune@gmail.com> writes:
> Hi Maxim,
>
> On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> I preferred inheritance to avoid having to manually sync things in the
>> long run... (hopefully the graft gets ungrafted before 'patch' amasses
>> new patches, but we never know...)
>
> What would be the long run? ;-)
> Well, from my perspective, there is nothing to manually sync in the
> future.
You're probably right.
> I mean, the only patch applied to release “2.7.6” will be still required
> for patch/fixed; hence one will need to do what I am proposing if
> ’patch’ is removed. Else if ’patch’ receives some security fixes, then
> it seems expected to assume that the fix will be included in the latest
> patch (here ’patch/fixed’). Last, please note that ’patch’ is barely
> modified.
OK. I don't mind doing this change. I'll send a revised version with
that done.
--
Thanks,
Maxim
* bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0.
2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver
` (3 preceding siblings ...)
2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
@ 2024-06-05 1:24 ` Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
5 siblings, 2 replies; 29+ messages in thread
From: Maxim Cournoyer @ 2024-06-05 1:24 UTC (permalink / raw)
To: 47144
Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès,
Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.
Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---
(no changes since v1)
gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan
base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
--
2.45.1
* bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
@ 2024-06-05 1:24 ` Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
1 sibling, 0 replies; 29+ messages in thread
From: Maxim Cournoyer @ 2024-06-05 1:24 UTC (permalink / raw)
To: 47144
Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès,
Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier
Also fix the commands, which would fail due to not finding their
implementation scripts.
* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.
Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---
(no changes since v1)
gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
--
2.45.1
* bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes].
2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
@ 2024-06-05 1:24 ` Maxim Cournoyer
1 sibling, 0 replies; 29+ messages in thread
From: Maxim Cournoyer @ 2024-06-05 1:24 UTC (permalink / raw)
To: 47144
Cc: Mark H Weaver, Maxim Cournoyer, Mark H Weaver,
Ludovic Courtès, Léo Le Bouter, Leo Famulari,
Maxim Cournoyer, Simon Tournier
* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.
Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---
Changes in v3:
- Do not use inheritance for patch/fixed origin
Changes in v2:
- Use same version to have the same store length, a graft requirement
- Copy the gnulib source in a phase to avoid introducing a dependency cycle
gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..3246b7bd0a 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
(define-public patch
(package
+ (replacement patch/fixed)
(name "patch")
(version "2.7.6")
(source (origin
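Review bot: a `replacement` field only acts through grafting, which rewrites references to the old `patch` output inside already-built store items, and since patch is almost exclusively a native (build-time) input, very few outputs reference it at all; the graft therefore mostly reaches users who install `patch` itself, which is the concern raised later in this thread. The commit message should state that scope, and should weigh it against the cost of carrying a graft this deep in the graph (patch is wired into the implicit inputs of every build system through `%standard-patch-inputs`), since every dependent derivation has to go through the grafting step.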
@@ -291,6 +294,53 @@ (define-public patch
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+ (package
+ (inherit patch)
+ (name "patch")
+ ;; TODO: Uncomment when ungrafting.
+ ;;(version (git-version "2.7.6" revision commit))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ ;; TODO: Uncomment when ungrafting and using the above
+ ;; 'git-version'-computed version.
+ ;;(file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'copy-gnulib-sources
+ (lambda _
+ ;; XXX: We copy the source instead of using 'gnulib' as a
+ ;; native input to avoid introducing a dependency cycle with.
+ (copy-recursively #+gnulib "gnulib")
+ (setenv "GNULIB_SRCDIR"
+ (string-append (getcwd) "/gnulib/src/gnulib"))))
+ (add-after 'copy-gnulib-sources 'update-bootstrap-script
+ (lambda _
+ (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed)))))
+
(define-public diffutils
(package
(name "diffutils")
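Review bot: the comment in `copy-gnulib-sources` is cut off ("to avoid introducing a dependency cycle with."); finish the sentence, since the reason this is done by copying rather than through `native-inputs` is exactly what a later reader will want to know. Two further points in this hunk: with `version` deliberately left at "2.7.6" to satisfy the graft and `file-name` commented out, the checkout lands in the store under the generic git-checkout name and `guix lint -c cve patch` keeps matching the package against the 2.7.6 CVE list even though the build comes from commit f144b35, so the lint output no longer tells anyone whether the fix is present (consider the `lint-hidden-cve` property, or at least a comment listing the CVEs the commit covers); and `(name "patch")` is redundant with `(inherit patch)`.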
--
2.45.1
* bug#47144: security patching of 'patch' package
2024-06-01 15:02 ` Maxim Cournoyer
@ 2024-06-05 16:04 ` Ludovic Courtès
2024-06-05 16:44 ` Simon Tournier
From: Ludovic Courtès @ 2024-06-05 16:04 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: Mark H Weaver, 47144, Vivien Kraus, Leo Famulari
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
[...]
>> Unless I’m mistaken, this will have practically no effect because Patch
>> is a build-time-only dependency.
>>
>> My recommendation would be to not add a ‘replacement’ field at all.
>> Instead, you could add a new ‘patch/latest’ public variable pointing to
>> that commit that you picked. That way, users running ‘guix install
>> patch’ or similar will get the latest version of Patch.
>
> I see what you mean, but for all practical purposes, using a graft seems
> a more thorough means (because it affects the original 'patch' *variable* as
> well) that has the same effect for users, so it seems like a
> slightly better option to me.
Strictly speaking, yes, but in practice the benefits are largely
theoretical IMO, and there is the cost of having a graft this deep in the
dependency graph.
What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
to the new version?
Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
code etc. would refer to ‘patch’ and thus get the latest version.
Ludo’.
* bug#47144: security patching of 'patch' package
2024-06-05 16:04 ` bug#47144: security patching of 'patch' package Ludovic Courtès
@ 2024-06-05 16:44 ` Simon Tournier
2024-06-06 0:49 ` Maxim Cournoyer
From: Simon Tournier @ 2024-06-05 16:44 UTC (permalink / raw)
To: Ludovic Courtès, Maxim Cournoyer
Cc: Mark H Weaver, Leo Famulari, Vivien Kraus, 47144
Hi,
On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.
I agree; it appears to me “safer” than the graft.
However, the cost is to identify which package needs ’patch/pinned’ and
which needs the new ’patch’. Then once upstream Patch upgrades, there is
also the question of unpinning all the packages.
Somehow, your previous suggestion of ’patch-latest’ for this new package
appears to me the best solution. Because it does not require any updates
here and there, and since the source field follows the Git upstream
latest instead of the released tarball, this solution of ’patch-latest’
seems appropriate.
Cheers,
simon
* bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0.
2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver
` (4 preceding siblings ...)
2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
@ 2024-06-06 0:46 ` Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer
From: Maxim Cournoyer @ 2024-06-06 0:46 UTC (permalink / raw)
To: 47144
Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès,
Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.
Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---
(no changes since v1)
gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan
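Review bot: the new sha256 cannot be checked from the message alone, and for an unsigned zip fetched over HTTPS it is the only integrity anchor Guix has for this input, so a reviewer should regenerate it independently (`guix download https://www.unicode.org/Public/zipped/15.1.0/UCD.zip` prints the base32 hash of the archive as fetched) rather than trust the value in the diff.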
base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
--
2.45.1
* bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
@ 2024-06-06 0:46 ` Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer
From: Maxim Cournoyer @ 2024-06-06 0:46 UTC (permalink / raw)
To: 47144
Cc: Maxim Cournoyer, Mark H Weaver, Ludovic Courtès,
Léo Le Bouter, Leo Famulari, Maxim Cournoyer, Simon Tournier
Also fix the commands, which would fail due to not finding their
implementation scripts.
* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.
Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---
(no changes since v1)
gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
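Review bot: installing `gnulib-tool.py` and `gnulib-tool.sh` next to `gnulib-tool` in bin/ is what lets the dispatcher find its implementations, but once the shebang-patching phases are deleted (next hunk) those two scripts keep their pristine `#!` lines; please confirm in the commit message that the installed commands were exercised from a profile rather than from the build tree, for instance `guix shell gnulib -- gnulib-tool --version`, and that the Python implementation finds a `python3` at run time.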
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
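Review bot: the comment above the deleted phases says the installed commands "should be wrapper for proper execution", but no `wrap-program` or equivalent phase appears anywhere in this change; either add the wrapping or reword the comment to describe what actually happens (and "wrapper" should read "wrapped"). Deleting `patch-source-shebangs` and `patch-generated-file-shebangs` is the right call for a package consumed as source: rewritten `#!/gnu/store/...` shebangs would otherwise be copied into every project that bootstraps from this checkout and would end up in their release tarballs.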
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
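Review bot: `bash-minimal` stays in `inputs` with the comment ";shebang for gnulib-tool", but the phases that rewrote shebangs to it are deleted in this change and `restore-shebangs` (which undid that rewrite for everything under src/gnulib) is removed along with them; either the input is now unused and should be dropped so the output retains no runtime reference to bash, or something else still points gnulib-tool at bash-minimal and the comment should say what. The only change to the line itself here is whitespace.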
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
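Review bot: preferring a `gnulib-tool` found on PATH over `$GNULIB_SRCDIR/gnulib-tool` changes precedence for every caller of bootstrap, not just Guix: a developer who sets GNULIB_SRCDIR on purpose will silently run whatever gnulib-tool is first on PATH, possibly from a different gnulib version than the sources being imported, with no warning. Consider trying the GNULIB_SRCDIR candidates first and PATH last, or at least verifying that the PATH copy belongs to the same checkout before using it. Two smaller points: `test -x $GNULIB_SRCDIR/../../bin/gnulib-tool` is unquoted and breaks on paths containing spaces, and in `func_gnulib_dir` the GNULIB_SRCDIR override is accepted without checking that the directory actually contains gnulib-tool, so a typo there produces confusing failures later instead of an immediate error.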
--
2.45.1
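The discovery order introduced by gnulib-bootstrap.patch above, written out as a stand-alone POSIX sh function with the quoting and executability checks a reviewer would ask for. This is an added example, not code from the Guix patch or from gnulib's bootstrap script; `find_gnulib_tool` is a hypothetical helper name, while `GNULIB_SRCDIR` is the real variable the bootstrap script honours. It goes slightly beyond the patch: every path is quoted, a candidate is accepted only if it is an executable regular file, and the function fails closed when nothing usable exists.

```shell
#!/bin/sh
# Added example, not part of the Guix patch or of gnulib's bootstrap script.
# find_gnulib_tool is a hypothetical helper; GNULIB_SRCDIR is the variable
# bootstrap already honours.

# Resolve gnulib-tool with the precedence used by the patched bootstrap:
#   1. a gnulib-tool on PATH,
#   2. $GNULIB_SRCDIR/../../bin/gnulib-tool (Guix-style layout),
#   3. $GNULIB_SRCDIR/gnulib-tool (pristine checkout).
# Unlike the patch, every path is quoted and a candidate is accepted only
# if it is an executable regular file, so a dangling PATH entry or a
# directory of the same name cannot be picked up. Returns 1 when nothing
# usable exists so the caller fails closed instead of bootstrapping with
# an empty or stale $gnulib_tool.
find_gnulib_tool() {
    srcdir=$1

    tool=$(command -v gnulib-tool 2>/dev/null || :)
    if [ -n "$tool" ] && [ -f "$tool" ] && [ -x "$tool" ]; then
        printf '%s\n' "$tool"
        return 0
    fi

    for candidate in "$srcdir/../../bin/gnulib-tool" "$srcdir/gnulib-tool"; do
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done

    return 1
}

# Stand-alone use: resolve against GNULIB_SRCDIR when it is set.
if [ -n "${GNULIB_SRCDIR:-}" ]; then
    if gnulib_tool=$(find_gnulib_tool "$GNULIB_SRCDIR"); then
        printf 'gnulib-tool: %s\n' "$gnulib_tool"
    else
        printf 'no usable gnulib-tool found (GNULIB_SRCDIR=%s)\n' "$GNULIB_SRCDIR" >&2
        exit 1
    fi
fi
```

The precedence is kept identical to the patch so the example can be compared with it line by line; swapping the PATH lookup to last place, as suggested in the review note above, is a one-line reorder of the candidates.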
* bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes].
2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
@ 2024-06-06 0:46 ` Maxim Cournoyer
2024-06-24 4:43 ` bug#47144: security patching of 'patch' package Maxim Cournoyer
From: Maxim Cournoyer @ 2024-06-06 0:46 UTC (permalink / raw)
To: 47144
Cc: Mark H Weaver, Maxim Cournoyer, Mark H Weaver,
Ludovic Courtès, Léo Le Bouter, Leo Famulari,
Maxim Cournoyer, Simon Tournier, Christopher Baines,
Efraim Flashner, Ekaitz Zarraga, Guillaume Le Vaillant,
Josselin Poiret, Katherine Cox-Buday, Mathieu Othacehe,
Munyoki Kilyungi, Ricardo Wurmus, Sharlatan Hellseher,
Tobias Geerinckx-Rice, jgart
* gnu/packages/base.scm (patch): Rename to...
(patch/pinned): ... this. Hide package.
(patch): New variable.
* gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
(patch-boot0): Likewise.
(%final-inputs): Replace patch with patch/pinned.
* gnu/packages/lisp.scm (cl-asdf): Likewise.
* guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---
Changes in v4:
- Use a hidden patch/pinned and patch variables instead of a graft
Changes in v3:
- Do not use inheritance for patch/fixed origin
Changes in v2:
- Use same version to have the same store length, a graft requirement
- Copy the gnulib source in a phase to avoid introducing a dependency cycle
gnu/packages/base.scm | 102 +++++++++++++++++++++++++---------
gnu/packages/commencement.scm | 8 +--
gnu/packages/lisp.scm | 2 +-
guix/packages.scm | 2 +-
4 files changed, 82 insertions(+), 32 deletions(-)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..66c5b7d237 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -261,35 +263,83 @@ (define-public tar
(license gpl3+)
(home-page "https://www.gnu.org/software/tar/")))
-(define-public patch
- (package
- (name "patch")
- (version "2.7.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://gnu/patch/patch-"
- version ".tar.xz"))
- (sha256
- (base32
- "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
- (patches (search-patches "patch-hurd-path-max.patch"))))
- (build-system gnu-build-system)
- (arguments
- ;; Work around a cross-compilation bug whereby libpatch.a would provide
- ;; '__mktime_internal', which conflicts with the one in libc.a.
- (if (%current-target-system)
- `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
- '()))
- (native-inputs (list ed))
- (synopsis "Apply differences to originals, with optional backups")
- (description
- "Patch is a program that applies changes to files based on differences
+;;; TODO: Replace/merge with 'patch' on core-updates.
+(define-public patch/pinned
+ (hidden-package
+ (package
+ (name "patch")
+ (version "2.7.6")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnu/patch/patch-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (build-system gnu-build-system)
+ (arguments
+ ;; Work around a cross-compilation bug whereby libpatch.a would provide
+ ;; '__mktime_internal', which conflicts with the one in libc.a.
+ (if (%current-target-system)
+ `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
+ '()))
+ (native-inputs (list ed))
+ (synopsis "Apply differences to originals, with optional backups")
+ (description
+ "Patch is a program that applies changes to files based on differences
laid out as by the program \"diff\". The changes may be applied to one or more
files depending on the contents of the diff file. It accepts several
different diff formats. It may also be used to revert previously applied
differences.")
- (license gpl3+)
- (home-page "https://savannah.gnu.org/projects/patch/")))
+ (license gpl3+)
+ (home-page "https://savannah.gnu.org/projects/patch/"))))
+
+(define-public patch
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")
+ (base patch/pinned))
+ (package
+ (inherit base)
+ (name "patch")
+ (version (git-version "2.7.6" revision commit))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments base)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'copy-gnulib-sources
+ (lambda _
+ ;; XXX: We copy the source instead of using 'gnulib' as a
+ ;; native input to avoid introducing a dependency cycle.
+ (copy-recursively #+gnulib "gnulib")
+ (setenv "GNULIB_SRCDIR"
+ (string-append (getcwd) "/gnulib/src/gnulib"))))
+ (add-after 'copy-gnulib-sources 'update-bootstrap-script
+ (lambda _
+ (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed))
+ (properties '()))))
(define-public diffutils
(package
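Review bot: `patch-configure.ac` makes configure.ac run `sh build-aux/git-version-gen`, but a `git-fetch` checkout carries no .git directory, so git-version-gen cannot derive anything from `git describe` and falls back to `.tarball-version` (and otherwise to UNKNOWN unless a fallback version was passed); write the computed `#$version` into `.tarball-version` in that phase, or in `copy-gnulib-sources`, so that `patch --version` and the version embedded in the build identify commit f144b35 rather than UNKNOWN. Also confirm that `patch-hurd-path-max.patch`, written against the 2.7.6 tarball, still applies cleanly to the new source, and that `autoconf automake bison ed` is the full set of tools the bootstrap script needs from a pristine checkout (it is run for the first time here, the tarball shipped a pre-generated configure).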
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index b4d236c35b..0433059493 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -878,7 +878,7 @@ (define tcc-boot
(define patch-mesboot
;; The initial patch.
(package
- (inherit patch)
+ (inherit patch/pinned)
(name "patch-mesboot")
(version "2.5.9")
(source (origin
@@ -2167,8 +2167,8 @@ (define gawk-boot0
(define patch-boot0
(package
- (inherit patch)
- (source (bootstrap-origin (package-source patch)))
+ (inherit patch/pinned)
+ (source (bootstrap-origin (package-source patch/pinned)))
(name "patch-boot0")
(native-inputs '())
(inputs
@@ -3482,7 +3482,7 @@ (define-public %final-inputs
("bzip2" ,bzip2)
("file" ,file)
("diffutils" ,diffutils)
- ("patch" ,patch)
+ ("patch" ,patch/pinned)
("findutils" ,findutils)
("gawk" ,gawk)))
("sed" ,sed-final)
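Review bot: keeping `patch/pinned` in `%final-inputs` (and, in the last hunk, in `%standard-patch-inputs`) means every package built through the build systems' implicit inputs still applies its source patches with the 2.7.6 binary; that is consistent with the point made earlier in the thread that patch is a build-time-only dependency operating on patches shipped in Guix's own tree, but say so explicitly in the commit message so that a reader of the "security fixes" subject does not assume the whole dependency graph now uses the fixed patch, and so the TODO to merge on core-updates has its rationale recorded.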
diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm
index 6bf93d83c7..6f3bd126cc 100644
--- a/gnu/packages/lisp.scm
+++ b/gnu/packages/lisp.scm
@@ -121,7 +121,7 @@ (define-public cl-asdf
(build-system trivial-build-system)
(native-inputs
`(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch"))
- ("patch" ,patch)))
+ ("patch" ,patch/pinned)))
(arguments
`(#:modules ((guix build utils)
(guix build lisp-utils))
diff --git a/guix/packages.scm b/guix/packages.scm
index abe89cdb07..f3a9a61785 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -899,7 +899,7 @@ (define (%standard-patch-inputs system)
("gzip" ,(ref '(gnu packages compression) 'gzip))
("lzip" ,(ref '(gnu packages compression) 'lzip))
("unzip" ,(ref '(gnu packages compression) 'unzip))
- ("patch" ,(ref '(gnu packages base) 'patch))
+ ("patch" ,(ref '(gnu packages base) 'patch/pinned))
("locales"
,(parameterize ((%current-target-system #f)
(%current-system system))
--
2.45.1
* bug#47144: security patching of 'patch' package
2024-06-05 16:44 ` Simon Tournier
@ 2024-06-06 0:49 ` Maxim Cournoyer
From: Maxim Cournoyer @ 2024-06-06 0:49 UTC (permalink / raw)
To: Simon Tournier
Cc: Mark H Weaver, Ludovic Courtès, Leo Famulari, Vivien Kraus,
47144
Hi Simon,
Simon Tournier <zimon.toutoune@gmail.com> writes:
> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’. Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.
Indeed. It'll be easy though to grep for 'patch/pinned', which are few
and far between, compared to grepping for 'patch'... I've
implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.
--
Thanks,
Maxim
* bug#47144: security patching of 'patch' package
2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer
@ 2024-06-24 4:43 ` Maxim Cournoyer
From: Maxim Cournoyer @ 2024-06-24 4:43 UTC (permalink / raw)
To: 47144-done
Cc: Josselin Poiret, Tobias Geerinckx-Rice, Sharlatan Hellseher,
Ekaitz Zarraga, Simon Tournier, Guillaume Le Vaillant,
Mark H Weaver, Ludovic Courtès, Katherine Cox-Buday,
Efraim Flashner, Leo Famulari, Ricardo Wurmus, Munyoki Kilyungi,
jgart, Mathieu Othacehe, Christopher Baines, Léo Le Bouter
Hi,
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this. Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
Applied locally and will push shortly.
--
Thanks,
Maxim
Thread overview: 29+ messages
[not found] <6d01d537754ce50b10035903d8e7d205699c4b39.camel@zaclys.net>
2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver
2021-03-15 18:26 ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix
2021-03-15 18:26 ` bug#47144: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
2021-03-18 21:58 ` Ludovic Courtès
2022-03-23 3:03 ` bug#47144: security patching of 'patch' package Maxim Cournoyer
2021-04-14 21:54 ` Leo Famulari
2024-05-31 2:59 ` bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-05-31 2:59 ` bug#47144: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-05-31 2:59 ` bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-05-31 16:13 ` Simon Tournier
2024-06-01 1:49 ` Maxim Cournoyer
2024-06-04 15:39 ` Simon Tournier
2024-06-05 1:08 ` Maxim Cournoyer
2024-06-01 11:34 ` Maxim Cournoyer
2024-06-01 14:32 ` Ludovic Courtès
2024-06-01 15:02 ` Maxim Cournoyer
2024-06-05 16:04 ` bug#47144: security patching of 'patch' package Ludovic Courtès
2024-06-05 16:44 ` Simon Tournier
2024-06-06 0:49 ` Maxim Cournoyer
2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-01 12:56 ` bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-01 12:56 ` bug#47144: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer
2024-06-24 4:43 ` bug#47144: security patching of 'patch' package Maxim Cournoyer