[PATCH 0/2] Fix URLS for fuse and sshfs-fuse and update fuse

[PATCH 0/2] Fix URLS for fuse and sshfs-fuse and update fuse

[Leo Famulari]

The libfuse project has moved their home to Github and so fuse and
sshfs-fuse have new source URLs.

There is a new version of fuse. The new source URLs are a mess. All the
old bootstrapped versions are under a directory named for the current
release. There are non-bootstrapped auto-generated Github tarballs
available under saner URLs.

For now, I think we should use the "messy" URL to fix the packaging and
upgrade to the current release (2.9.4). When 2.9.5 or 3.0.0 comes out, I
expect the situation will improve.

CVE-2015-3202 is fixed in 2.9.4:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202

Leo Famulari (2):
  gnu: fuse: Update to 2.9.4.
  gnu: sshfs-fuse: Update source URL.

 gnu-system.am                                 |  1 -
 gnu/packages/linux.scm                        | 20 ++++++---
 gnu/packages/patches/fuse-CVE-2015-3202.patch | 65 ---------------------------
 3 files changed, 13 insertions(+), 73 deletions(-)
 delete mode 100644 gnu/packages/patches/fuse-CVE-2015-3202.patch

-- 
2.6.2

[PATCH 1/2] gnu: fuse: Update to 2.9.4.

[Leo Famulari]

* gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file.
* gnu-system.am (dist_patch_DATA): Remove it.
* gnu/packages/linux.scm (fuse): Update to 2.9.4.
  [source]: Remove patch.
---
 gnu-system.am                                 |  1 -
 gnu/packages/linux.scm                        | 13 +++---
 gnu/packages/patches/fuse-CVE-2015-3202.patch | 65 ---------------------------
 3 files changed, 8 insertions(+), 71 deletions(-)
 delete mode 100644 gnu/packages/patches/fuse-CVE-2015-3202.patch

diff --git a/gnu-system.am b/gnu-system.am
index e1874fa..78669bd 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -467,7 +467,6 @@ dist_patch_DATA =						\
   gnu/packages/patches/flint-ldconfig.patch			\
   gnu/packages/patches/fltk-shared-lib-defines.patch		\
   gnu/packages/patches/freeimage-CVE-2015-0852.patch		\
-  gnu/packages/patches/fuse-CVE-2015-3202.patch			\
   gnu/packages/patches/gawk-shell.patch				\
   gnu/packages/patches/gcc-arm-link-spec-fix.patch		\
   gnu/packages/patches/gcc-cross-environment-variables.patch	\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1fc3c4e..fcae17b 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1242,15 +1242,18 @@ processes currently causing I/O.")
 (define-public fuse
   (package
     (name "fuse")
-    (version "2.9.3")
+    (version "2.9.4")
     (source (origin
               (method url-fetch)
-              (uri (string-append "mirror://sourceforge/fuse/fuse-"
-                                  version ".tar.gz"))
+              (uri (let ((version-with-underscores
+                          (string-join (string-split version #\.) "_")))
+                     (string-append
+                       "https://github.com/libfuse/libfuse/"
+                       "releases/download/" version-with-underscores
+                       "/fuse-" version ".tar.gz")))
               (sha256
                (base32
-                "071r6xjgssy8vwdn6m28qq1bqxsd2bphcd2mzhq0grf5ybm87sqb"))
-              (patches (list (search-patch "fuse-CVE-2015-3202.patch")))))
+                "1qbwp63a2bp0bchabkwiyzszi9x5krlk2pwk2is6g35gyszw1sbb"))))
     (build-system gnu-build-system)
     (inputs `(("util-linux" ,util-linux)))
     (arguments
diff --git a/gnu/packages/patches/fuse-CVE-2015-3202.patch b/gnu/packages/patches/fuse-CVE-2015-3202.patch
deleted file mode 100644
index 7c64de7..0000000
--- a/gnu/packages/patches/fuse-CVE-2015-3202.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-The following patch was copied from Debian.
-
-Description: Fix CVE-2015-3202
- Missing scrubbing of the environment before executing a mount or umount
- of a filesystem.
-Origin: upstream
-Author: Miklos Szeredi <miklos@szeredi.hu>
-Last-Update: 2015-05-19
-
----
- lib/mount_util.c |   23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
---- a/lib/mount_util.c
-+++ b/lib/mount_util.c
-@@ -95,10 +95,12 @@ static int add_mount(const char *prognam
- 		goto out_restore;
- 	}
- 	if (res == 0) {
-+		char *env = NULL;
-+
- 		sigprocmask(SIG_SETMASK, &oldmask, NULL);
- 		setuid(geteuid());
--		execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
--		      "-f", "-t", type, "-o", opts, fsname, mnt, NULL);
-+		execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i",
-+		       "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env);
- 		fprintf(stderr, "%s: failed to execute /bin/mount: %s\n",
- 			progname, strerror(errno));
- 		exit(1);
-@@ -146,10 +148,17 @@ static int exec_umount(const char *progn
- 		goto out_restore;
- 	}
- 	if (res == 0) {
-+		char *env = NULL;
-+
- 		sigprocmask(SIG_SETMASK, &oldmask, NULL);
- 		setuid(geteuid());
--		execl("/bin/umount", "/bin/umount", "-i", rel_mnt,
--		      lazy ? "-l" : NULL, NULL);
-+		if (lazy) {
-+			execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
-+			       "-l", NULL, &env);
-+		} else {
-+			execle("/bin/umount", "/bin/umount", "-i", rel_mnt,
-+			       NULL, &env);
-+		}
- 		fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
- 			progname, strerror(errno));
- 		exit(1);
-@@ -205,10 +214,12 @@ static int remove_mount(const char *prog
- 		goto out_restore;
- 	}
- 	if (res == 0) {
-+		char *env = NULL;
-+
- 		sigprocmask(SIG_SETMASK, &oldmask, NULL);
- 		setuid(geteuid());
--		execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
--		      "--fake", mnt, NULL);
-+		execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i",
-+		       "--fake", mnt, NULL, &env);
- 		fprintf(stderr, "%s: failed to execute /bin/umount: %s\n",
- 			progname, strerror(errno));
- 		exit(1);
-- 
2.6.2

[PATCH 2/2] gnu: sshfs-fuse: Update source URL.

[Leo Famulari]

* gnu/packages/linux.scm (sshfs-fuse)[source]: Update URL.
---
 gnu/packages/linux.scm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fcae17b..efad70e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1374,8 +1374,11 @@ UnionFS-FUSE additionally supports copy-on-write.")
     (version "2.5")
     (source (origin
               (method url-fetch)
-              (uri (string-append "mirror://sourceforge/fuse/sshfs-fuse-"
-                                  version ".tar.gz"))
+              (uri (let ((version-with-underscores
+                          (string-join (string-split version #\.) "_")))
+                     (string-append "https://github.com/libfuse/sshfs/releases/"
+                                    "download/sshfs_" version-with-underscores
+                                    "/sshfs-fuse-" version ".tar.gz")))
               (sha256
                (base32
                 "0gp6qr33l2p0964j0kds0dfmvyyf5lpgsn11daf0n5fhwm9185z9"))))
-- 
2.6.2

Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4.

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file.
> * gnu-system.am (dist_patch_DATA): Remove it.
> * gnu/packages/linux.scm (fuse): Update to 2.9.4.
>   [source]: Remove patch.

LGTM, thanks!

Ludo’.

Re: [PATCH 2/2] gnu: sshfs-fuse: Update source URL.

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/linux.scm (sshfs-fuse)[source]: Update URL.

OK!

Ludo'.

Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4.

[Leo Famulari]

On Tue, Dec 29, 2015 at 04:07:18PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file.
> > * gnu-system.am (dist_patch_DATA): Remove it.
> > * gnu/packages/linux.scm (fuse): Update to 2.9.4.
> >   [source]: Remove patch.
> 
> LGTM, thanks!

Pushed as b7e7d1b9d3.

> 
> Ludo’.

Re: [PATCH 2/2] gnu: sshfs-fuse: Update source URL.

[Leo Famulari]

On Tue, Dec 29, 2015 at 04:08:32PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/linux.scm (sshfs-fuse)[source]: Update URL.
> 
> OK!

Pushed as 6959a13271.

> 
> Ludo'.

Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4.

[Mark H Weaver]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file.
> * gnu-system.am (dist_patch_DATA): Remove it.
> * gnu/packages/linux.scm (fuse): Update to 2.9.4.
>   [source]: Remove patch.

This patch broke the build on all platforms, because the source URI
returns 404 "Not Found".  See:

  http://hydra.gnu.org/build/905375/nixlog/1/tail-reload

--8<---------------cut here---------------start------------->8---
Starting download of /gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz
From https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz...
ERROR: download failed "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" 404 "Not Found"
failed to download "/gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz" from "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz"
--8<---------------cut here---------------end--------------->8---

Can you look into it?

     Mark


> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 1fc3c4e..fcae17b 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -1242,15 +1242,18 @@ processes currently causing I/O.")
>  (define-public fuse
>    (package
>      (name "fuse")
> -    (version "2.9.3")
> +    (version "2.9.4")
>      (source (origin
>                (method url-fetch)
> -              (uri (string-append "mirror://sourceforge/fuse/fuse-"
> -                                  version ".tar.gz"))
> +              (uri (let ((version-with-underscores
> +                          (string-join (string-split version #\.) "_")))
> +                     (string-append
> +                       "https://github.com/libfuse/libfuse/"
> +                       "releases/download/" version-with-underscores
> +                       "/fuse-" version ".tar.gz")))
>                (sha256
>                 (base32
> -                "071r6xjgssy8vwdn6m28qq1bqxsd2bphcd2mzhq0grf5ybm87sqb"))
> -              (patches (list (search-patch "fuse-CVE-2015-3202.patch")))))
> +                "1qbwp63a2bp0bchabkwiyzszi9x5krlk2pwk2is6g35gyszw1sbb"))))
>      (build-system gnu-build-system)
>      (inputs `(("util-linux" ,util-linux)))
>      (arguments

Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4.

[Mark H Weaver]

Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file.
>> * gnu-system.am (dist_patch_DATA): Remove it.
>> * gnu/packages/linux.scm (fuse): Update to 2.9.4.
>>   [source]: Remove patch.
>
> This patch broke the build on all platforms, because the source URI
> returns 404 "Not Found".  See:
>
>   http://hydra.gnu.org/build/905375/nixlog/1/tail-reload
>
> Starting download of /gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz
> From https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz...
> ERROR: download failed "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" 404 "Not Found"
> failed to download "/gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz" from "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz"
>
> Can you look into it?

I went ahead and fixed this myself, after realizing that this problem
would cause attempts to build systems that use %base-services to fail,
which I expect is almost all of them.  The reason is that %base-services
includes 'fuse' here:

  ;; The LVM2 rules are needed as soon as LVM2 or the device-mapper is
  ;; used, so enable them by default.  The FUSE and ALSA rules are
  ;; less critical, but handy.
  (udev-service #:rules (list lvm2 fuse alsa-utils crda))

Mistakes in source URIs like this are likely to go undetected for those
who use "guix download" to download the source, which is why I never do
that.  I always use "wget" to download the source, and then "guix hash"
to compute the hash (after checking the signature), and finally "guix
build -K" to test the updated 'source' field by downloading the source a
second time before building the package.

     Regards,
       Mark

Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4.

[Leo Famulari]

On Tue, Dec 29, 2015 at 10:34:53PM -0500, Mark H Weaver wrote:
> Mark H Weaver <mhw@netris.org> writes:
> 
> > Leo Famulari <leo@famulari.name> writes:
> >
> >> * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file.
> >> * gnu-system.am (dist_patch_DATA): Remove it.
> >> * gnu/packages/linux.scm (fuse): Update to 2.9.4.
> >>   [source]: Remove patch.
> >
> > This patch broke the build on all platforms, because the source URI
> > returns 404 "Not Found".  See:
> >
> >   http://hydra.gnu.org/build/905375/nixlog/1/tail-reload
> >
> > Starting download of /gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz
> > From https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz...
> > ERROR: download failed "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" 404 "Not Found"
> > failed to download "/gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz" from "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz"
> >
> > Can you look into it?

My apologies!

> 
> I went ahead and fixed this myself, after realizing that this problem
> would cause attempts to build systems that use %base-services to fail,
> which I expect is almost all of them.  The reason is that %base-services
> includes 'fuse' here:
> 
>   ;; The LVM2 rules are needed as soon as LVM2 or the device-mapper is
>   ;; used, so enable them by default.  The FUSE and ALSA rules are
>   ;; less critical, but handy.
>   (udev-service #:rules (list lvm2 fuse alsa-utils crda))

Thank you for taking care of it.

> 
> Mistakes in source URIs like this are likely to go undetected for those
> who use "guix download" to download the source, which is why I never do
> that.  I always use "wget" to download the source, and then "guix hash"
> to compute the hash (after checking the signature), and finally "guix
> build -K" to test the updated 'source' field by downloading the source a
> second time before building the package.

I usually just put the URL in the package definition and then get the
hash from the failed build, but this one was so special that I must have
used `guix download` at some point.

Thanks for explaining this pitfall. I'll keep it in mind in the future.

> 
>      Regards,
>        Mark