* [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.
@ 2024-12-22 15:52 Maxim Cournoyer
From: Maxim Cournoyer @ 2024-12-22 15:52 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
Maxim Cournoyer (7):
gnu: gnutls: Update to 3.8.8.
gnu: gnutls: Enable zstd compression.
gnu: gnutls: Streamline mips64el conditionals.
gnu: brotli: Update to 1.1.0.
gnu: libidn: Update to 1.42.
gnu: curl: Update to 8.11.1 and ungraft.
gnu: curl: Enable zstd support.
gnu/local.mk | 2 -
gnu/packages/compression.scm | 47 ++--
gnu/packages/curl.scm | 59 +++---
gnu/packages/libidn.scm | 4 +-
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
.../gnutls-skip-trust-store-test.patch | 15 --
gnu/packages/tls.scm | 50 ++---
7 files changed, 74 insertions(+), 303 deletions(-)
delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch
base-commit: 42ba1aa8b3090f3a4957d36be14e93c5e36f1825
--
2.46.0
* [bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8.
From: Maxim Cournoyer @ 2024-12-22 16:00 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/tls.scm (gnutls): Update to 3.8.8.
[source]: Delete patches.
[arguments]: Mark failing tests via XFAIL_TESTS make flag.
* gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1
---
gnu/local.mk | 1 -
.../gnutls-skip-trust-store-test.patch | 15 -----------
gnu/packages/tls.scm | 25 ++++++++++---------
3 files changed, 13 insertions(+), 28 deletions(-)
delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8155a5ae34..a4f2e71134 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1477,7 +1477,6 @@ dist_patch_DATA = \
%D%/packages/patches/gnumach-version.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
- %D%/packages/patches/gnutls-skip-trust-store-test.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path-1.72.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
deleted file mode 100644
index e0536712a5..0000000000
--- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Version 3.5.11 added a test to check that the default trust store is readable.
-It does not exist in the build environment, so pretend everything is fine.
-
-diff a/tests/trust-store.c b/tests/trust-store.c
---- a/tests/trust-store.c
-+++ b/tests/trust-store.c
-@@ -61,7 +61,7 @@
- } else if (ret < 0) {
- fail("error loading system trust store: %s\n", gnutls_strerror(ret));
- } else if (ret == 0) {
-- fail("no certificates were found in system trust store!\n");
-+ success("no trust store in the Guix build environment!\n");
- }
-
- gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 5f3bc72f6e..ecdfb5c0e5 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,7 +201,7 @@ (define-public p11-kit
(define-public gnutls
(package
(name "gnutls")
- (version "3.8.3")
+ (version "3.8.8")
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
@@ -209,10 +209,9 @@ (define-public gnutls
(uri (string-append "mirror://gnupg/gnutls/v"
(version-major+minor version)
"/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"))
(sha256
(base32
- "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))
+ "1yyq74lzlnkgwbr269mddi9vqi1j0dcnw8pdh09vb01qb0704kxc"))))
(build-system gnu-build-system)
(arguments
(list #:tests? (not (or (%current-target-system)
@@ -242,17 +241,19 @@ (define-public gnutls
;; not working on mips64el.
"--without-p11-kit")
'())))
-
+ #:make-flags
+ #~(list (string-append
+ "XFAIL_TESTS="
+ ;; This test checks that the default trust store is
+ ;; readable; expect it to fail since the trust store
+ ;; doesn't exist in the build environment.
+ "trust-store "
+ ;; This one fails only inside the build environment, for
+ ;; reasons unknown (see:
+ ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
+ "tls13/compress-cert-neg2 "))
#:phases
#~(modify-phases %standard-phases
- ;; fastopen.sh fails to connect to the server in the builder
- ;; environment (see:
- ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
- (add-after 'unpack 'disable-failing-tests
- (lambda _
- (substitute* "tests/fastopen.sh"
- (("^unset RETCODE")
- "exit 77\n")))) ;skip
#$@(if (target-ppc32?)
;; https://gitlab.com/gnutls/gnutls/-/issues/1354
;; Extend the test timeout from the default of 20 * 1000
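Review bot: the commit message does not mention that this hunk also drops the 'disable-failing-tests phase, which made tests/fastopen.sh exit 77 because of <https://gitlab.com/gnutls/gnutls/-/issues/1095>; say whether fastopen.sh now passes in the build environment or was meant to be listed in XFAIL_TESTS as well. Keep in mind how Automake's test harness treats XFAIL_TESTS: a listed test that unexpectedly passes is reported as XPASS and makes `make check` fail, so unlike the deleted patch (which turned the trust-store failure into a success) this will break the build as soon as either test starts passing. For tls13/compress-cert-neg2 in particular, patch 2/7 adds zstd to gnutls's inputs, which changes the certificate compression methods available to the test, so re-check that it still fails once that patch is applied.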
--
2.46.0
* [bug#75026] [PATCH core-updates 2/7] gnu: gnutls: Enable zstd compression.
From: Maxim Cournoyer @ 2024-12-22 16:01 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/tls.scm [inputs]: Add zstd:lib.
Change-Id: I7cfce764181eebe12a32019107061c88edaa877a
---
gnu/packages/tls.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index ecdfb5c0e5..c0efb66d96 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -283,7 +283,7 @@ (define-public gnutls
iproute ;for 'ss'
socat ;several tests rely on it
datefudge)))) ;tests rely on 'datefudge'
- (inputs (list libunistring))
+ (inputs (list libunistring `(,zstd "lib")))
(propagated-inputs
;; These are all in the 'Requires.private' field of gnutls.pc.
(append (list libtasn1 libidn2 nettle zlib)
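Review bot: the comment on propagated-inputs right below this hunk says those entries mirror the 'Requires.private' field of gnutls.pc, and zlib sits there for that reason; check whether gnutls.pc now lists libzstd in Requires.private too, in which case zstd:lib belongs next to zlib in propagated-inputs rather than in inputs, otherwise `pkg-config --static --libs gnutls` will fail for dependents. Also confirm from the configure output that zstd support was actually detected, since adding the input alone says nothing if the check quietly fails.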
--
2.46.0
* [bug#75026] [PATCH core-updates 3/7] gnu: gnutls: Streamline mips64el conditionals.
From: Maxim Cournoyer @ 2024-12-22 16:01 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/tls.scm (gnutls) [arguments]: Use target-mips64el? procedure in
#:configure-flags.
[propagated-inputs]: Likewise.
Change-Id: Ia4b603ef57cebe78df1d3e40222fe9c49d9ee8cc
---
gnu/packages/tls.scm | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index c0efb66d96..90d6ad5c95 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -232,15 +232,12 @@ (define-public gnutls
;; fallback, and users have to configure each program
;; independently. This seems suboptimal.
"--with-default-trust-store-dir=/etc/ssl/certs"
-
- (let ((system #$(or (%current-target-system)
- (%current-system))))
- (if (string-prefix? "mips64el" system)
- (list
- ;; FIXME: Temporarily disable p11-kit support since it is
- ;; not working on mips64el.
- "--without-p11-kit")
- '())))
+ (if #$(target-mips64el?)
+ (list
+ ;; FIXME: Temporarily disable p11-kit support since it is
+ ;; not working on mips64el.
+ "--without-p11-kit")
+ '()))
#:make-flags
#~(list (string-append
"XFAIL_TESTS="
@@ -287,11 +284,9 @@ (define-public gnutls
(propagated-inputs
;; These are all in the 'Requires.private' field of gnutls.pc.
(append (list libtasn1 libidn2 nettle zlib)
- (let ((system (or (%current-target-system)
- (%current-system))))
- (if (string-prefix? "mips64el" system)
- '()
- (list p11-kit)))))
+ (if (target-mips64el?)
+ '()
+ (list p11-kit))))
(home-page "https://gnutls.org")
(synopsis "Transport layer security library")
(description
--
2.46.0
* [bug#75026] [PATCH core-updates 4/7] gnu: brotli: Update to 1.1.0.
From: Maxim Cournoyer @ 2024-12-22 16:01 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/compression.scm (brotli): Update to 1.1.0.
[source]: Delete obsolete snippet.
[arguments]: Use gexps.
Change-Id: I4fe13683ff33f528ef897bb65bbb239d4d4985c6
---
gnu/packages/compression.scm | 47 +++++++++++++++---------------------
1 file changed, 19 insertions(+), 28 deletions(-)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 44461bb87c..93b6cd070b 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2351,7 +2351,7 @@ (define-public isa-l
(define-public brotli
(package
(name "brotli")
- (version "1.0.9")
+ (version "1.1.0")
(source
(origin
(method git-fetch)
@@ -2360,35 +2360,26 @@ (define-public brotli
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1fikasxf7r2dwlk8mv8w7nmjkn0jw5ic31ky3mvpkdzwgd4xfndl"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Cherry-picked from upstream since the latest release
- ;; https://github.com/google/brotli/commit/09b0992b6acb7faa6fd3b23f9bc036ea117230fc
- (substitute* (find-files "scripts" "^lib.*pc\\.in")
- (("-R\\$\\{libdir\\} ") ""))
- #t))))
+ (base32 "0cvcq302wpjpd1a2cmxcp9a01lwvc2kkir8vsdb3x11djnxc0nsk"))))
(build-system cmake-build-system)
(arguments
- `(#:phases
- (modify-phases %standard-phases
- (add-after 'install 'rename-static-libraries
- ;; The build tools put a 'static' suffix on the static libraries, but
- ;; other applications don't know how to find these.
- (lambda* (#:key outputs #:allow-other-keys)
- (let ((lib (string-append (assoc-ref %outputs "out") "/lib/")))
- (rename-file (string-append lib "libbrotlicommon-static.a")
- (string-append lib "libbrotlicommon.a"))
- (rename-file (string-append lib "libbrotlidec-static.a")
- (string-append lib "libbrotlidec.a"))
- (rename-file (string-append lib "libbrotlienc-static.a")
- (string-append lib "libbrotlienc.a"))
- #t))))
- #:configure-flags
- (list ;; Defaults to "lib64" on 64-bit archs.
- (string-append "-DCMAKE_INSTALL_LIBDIR="
- (assoc-ref %outputs "out") "/lib"))))
+ (list
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'install 'rename-static-libraries
+ ;; The build tools put a 'static' suffix on the static libraries, but
+ ;; other applications don't know how to find these.
+ (lambda _
+ (let ((lib (string-append #$output "/lib/")))
+ (rename-file (string-append lib "libbrotlicommon-static.a")
+ (string-append lib "libbrotlicommon.a"))
+ (rename-file (string-append lib "libbrotlidec-static.a")
+ (string-append lib "libbrotlidec.a"))
+ (rename-file (string-append lib "libbrotlienc-static.a")
+ (string-append lib "libbrotlienc.a"))))))
+ #:configure-flags
+ #~(list ;; Defaults to "lib64" on 64-bit archs.
+ (string-append "-DCMAKE_INSTALL_LIBDIR=" #$output "/lib"))))
(home-page "https://github.com/google/brotli")
(synopsis "General-purpose lossless compression")
(description "This package provides the reference implementation of Brotli,
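Review bot: the rename-static-libraries phase kept in this hunk still assumes the 1.0.9 layout, where CMake installs libbrotli{common,dec,enc}-static.a next to the shared libraries; rename-file raises a system-error when its source does not exist, so the build fails outright if 1.1.0's CMake no longer produces the -static variants. Confirm against the 1.1.0 build output and either drop the phase or guard each rename with (file-exists? ...). Dropping the snippet is right only if the cherry-picked upstream commit 09b0992b (removing -R${libdir} from the .pc templates) is in the v1.1.0 tag; grepping the installed libbrotli*.pc for '-R' would confirm it.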
--
2.46.0
* [bug#75026] [PATCH core-updates 5/7] gnu: libidn: Update to 1.42.
From: Maxim Cournoyer @ 2024-12-22 16:01 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/libidn.scm (libidn): Update to 1.42.
Change-Id: I7f65377334d6de889ee0fa08ae941a03c6c4e4ca
---
gnu/packages/libidn.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 80350db495..8b12fa87d8 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -34,14 +34,14 @@ (define-module (gnu packages libidn)
(define-public libidn
(package
(name "libidn")
- (version "1.41")
+ (version "1.42")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libidn/libidn-" version
".tar.gz"))
(sha256
(base32
- "0ic9zlqqppwaqr3i0r8lb8f47rrazzc8d5pfgg8vs6mqciip0kc8"))))
+ "08s7rgg8rnmdrk8zyj6m1rb3j3cs6h44pjv0jckzxr06v3f9khfn"))))
(build-system gnu-build-system)
;; FIXME: No Java and C# libraries are currently built.
(arguments
--
2.46.0
* [bug#75026] [PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft.
From: Maxim Cournoyer @ 2024-12-22 16:01 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments]
<#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963,
964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
gnu/local.mk | 1 -
gnu/packages/curl.scm | 47 ++--
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
3 files changed, 19 insertions(+), 229 deletions(-)
delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a4f2e71134..4ffaf89ba4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1128,7 +1128,6 @@ dist_patch_DATA = \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \
- %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
%D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
%D%/packages/patches/curlftpfs-fix-file-names.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..8645ce73f8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -17,6 +17,7 @@
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
+;;; Copyright © 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,15 +68,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
- (replacement curl/fixed)
+ (version "8.11.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
@@ -89,6 +89,7 @@ (define-public curl
(dirname (dirname
(search-input-file
%build-inputs "lib/libgssrpc.so"))))
+ "--with-libssh2"
"--disable-static")
#:test-target "test-nonflaky" ;avoid tests marked as "flaky"
#:phases
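Review bot: enabling libssh2 in the main curl package makes the curl-ssh variant defined further down in this file redundant; either turn curl-ssh into a deprecated alias of curl in the same series or explain in the commit message why both are kept. Since libssh2 now enters the closure of every curl dependent, that trade-off deserves a sentence too.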
@@ -115,20 +116,20 @@ (define-public curl
(if parallel-tests?
(number->string (parallel-job-count))
"1")))
- ;; Ignore test 1477 due to a missing file in the 8.5.0
- ;; release. See
- ;; <https://github.com/curl/curl/issues/12462>.
- (arguments `("-C" "tests" "test"
- ,@make-flags
- ,(if #$(or (system-hurd?)
- (target-arm32?)
- (target-aarch64?))
- ;; protocol FAIL
- (string-append "TFLAGS=~1474 "
- "!1477 "
- job-count)
- (string-append "TFLAGS=\"~1477 "
- job-count "\"")))))
+ (arguments
+ `("-C" "tests" "test"
+ ,@make-flags
+ ,(string-append "TFLAGS="
+ job-count " "
+ (if #$(or (system-hurd?)
+ (target-arm32?)
+ (target-aarch64?))
+ "~1474 " ;protocol FAIL
+ "")
+ ;; protocol FAIL
+ "~962 ~963 ~964 ~965 ~966 ~967 "
+ ;; These fail for unknown reasons.
+ "~165 ~1448 ~2046 ~2047"))))
;; The top-level "make check" does "make -C tests quiet-test", which
;; is too quiet. Use the "test" target instead, which is more
;; verbose.
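Review bot: the new TFLAGS excludes ten more test cases, four of them (165, 1448, 2046, 2047) "for unknown reasons" with no tracking reference, whereas the old code cited <https://github.com/curl/curl/issues/12462> for 1477; please link an upstream or Guix issue for each group so the exclusions can be revisited, and record in the commit message that the 1477 exclusion is dropped because the missing file was fixed upstream. Note also that ~N only ignores a test's result while !N skips running it (the old code used !1477); if any of 962 to 967 hang or time out rather than fail, ! is the better choice. Dropping the quotes around the TFLAGS value is fine since the string is passed directly as a single make argument.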
@@ -152,7 +153,7 @@ (define-public curl
(native-inputs
(list nghttp2 perl pkg-config python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
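Review bot: the commit message says "[native-inputs]: Add libssh2", but this hunk adds libssh2 to inputs, which is the right place for a library that libcurl links against; fix the ChangeLog entry to read [inputs] so it matches the change.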
@@ -178,16 +179,6 @@ (define-public curl
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))))
-(define-public curl/fixed
- (hidden-package
- (package
- (inherit curl)
- (replacement curl/fixed)
- (source (origin
- (inherit (package-source curl))
- (patches (append (origin-patches (package-source curl))
- (search-patches "curl-CVE-2024-8096.patch"))))))))
-
(define-public gnurl (deprecated-package "gnurl" curl))
(define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
deleted file mode 100644
index 0f780f08c3..0000000000
--- a/gnu/packages/patches/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
- init_flags |= GNUTLS_NO_TICKETS;
- #endif
-
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+ if(!config->verifystatus)
-+ /* Disable the "status_request" TLS extension, enabled by default since
-+ GnuTLS 3.8.0. */
-+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
- rc = gnutls_init(>ls->session, init_flags);
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- infof(data, " server certificate verification SKIPPED");
-
- if(config->verifystatus) {
-- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
-- gnutls_datum_t status_request;
-- gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_datum_t status_request;
-+ gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_ocsp_cert_status_t status;
-+ gnutls_x509_crl_reason_t reason;
-
-- gnutls_ocsp_cert_status_t status;
-- gnutls_x509_crl_reason_t reason;
-+ rc = gnutls_ocsp_status_request_get(session, &status_request);
-
-- rc = gnutls_ocsp_status_request_get(session, &status_request);
-+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+ failf(data, "No OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- infof(data, " server certificate status verification FAILED");
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-- failf(data, "No OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ gnutls_ocsp_resp_init(&ocsp_resp);
-
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- gnutls_ocsp_resp_init(&ocsp_resp);
-+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+ &status, NULL, NULL, NULL, &reason);
-
-- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ switch(status) {
-+ case GNUTLS_OCSP_CERT_GOOD:
-+ break;
-
-- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-- &status, NULL, NULL, NULL, &reason);
-+ case GNUTLS_OCSP_CERT_REVOKED: {
-+ const char *crl_reason;
-
-- switch(status) {
-- case GNUTLS_OCSP_CERT_GOOD:
-+ switch(reason) {
-+ default:
-+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+ crl_reason = "unspecified reason";
- break;
-
-- case GNUTLS_OCSP_CERT_REVOKED: {
-- const char *crl_reason;
--
-- switch(reason) {
-- default:
-- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-- crl_reason = "unspecified reason";
-- break;
--
-- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-- crl_reason = "private key compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-- crl_reason = "CA compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-- crl_reason = "affiliation has changed";
-- break;
-+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+ crl_reason = "private key compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_SUPERSEDED:
-- crl_reason = "certificate superseded";
-- break;
-+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+ crl_reason = "CA compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-- crl_reason = "operation has ceased";
-- break;
-+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+ crl_reason = "affiliation has changed";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-- crl_reason = "certificate is on hold";
-- break;
-+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+ crl_reason = "certificate superseded";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-- crl_reason = "will be removed from delta CRL";
-- break;
-+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+ crl_reason = "operation has ceased";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-- crl_reason = "privilege withdrawn";
-- break;
-+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+ crl_reason = "certificate is on hold";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-- crl_reason = "AA compromised";
-- break;
-- }
-+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+ crl_reason = "will be removed from delta CRL";
-+ break;
-
-- failf(data, "Server certificate was revoked: %s", crl_reason);
-+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+ crl_reason = "privilege withdrawn";
- break;
-- }
-
-- default:
-- case GNUTLS_OCSP_CERT_UNKNOWN:
-- failf(data, "Server certificate status is unknown");
-+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+ crl_reason = "AA compromised";
- break;
- }
-
-- gnutls_ocsp_resp_deinit(ocsp_resp);
-+ failf(data, "Server certificate was revoked: %s", crl_reason);
-+ break;
-+ }
-
-- return CURLE_SSL_INVALIDCERTSTATUS;
-+ default:
-+ case GNUTLS_OCSP_CERT_UNKNOWN:
-+ failf(data, "Server certificate status is unknown");
-+ break;
- }
-- else
-- infof(data, " server certificate status verification OK");
-+
-+ gnutls_ocsp_resp_deinit(ocsp_resp);
-+ if(status != GNUTLS_OCSP_CERT_GOOD)
-+ return CURLE_SSL_INVALIDCERTSTATUS;
- }
- else
- infof(data, " server certificate status verification SKIPPED");
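Review bot: ungrafting relies on 8.11.1 already carrying upstream commit aeb1a281cab1 ("gtls: fix OCSP stapling management"), whose content is this deleted curl-CVE-2024-8096.patch; the commit is dated 2024-08-20, so it predates the 8.10.0 release and should be in 8.11.1, but the commit message should state that, and a quick grep for GNUTLS_NO_STATUS_REQUEST in lib/vtls/gtls.c of the 8.11.1 tarball would confirm it before the grafted fix is dropped.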
--
2.46.0
* [bug#75026] [PATCH core-updates 7/7] gnu: curl: Enable zstd support.
From: Maxim Cournoyer @ 2024-12-22 16:01 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/curl.scm [inputs]: Add zstd:lib.
Change-Id: I48e1099c3a445bcbdeaf16c5a79d956bd1b51307
---
gnu/packages/curl.scm | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 8645ce73f8..d0c8c5c2a6 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -151,9 +151,19 @@ (define-public curl
(close port)))))
#~()))))
(native-inputs
- (list nghttp2 perl pkg-config python-minimal-wrapper))
+ (list nghttp2
+ perl
+ pkg-config
+ python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls
+ libidn
+ libpsl
+ libssh2
+ mit-krb5
+ `(,nghttp2 "lib")
+ zlib
+ `(,zstd "lib")))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
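Review bot: besides adding zstd:lib, this hunk reflows native-inputs one entry per line, which is unrelated to the stated change; either mention the reformatting in the commit message or leave native-inputs untouched. curl's configure detects libzstd via pkg-config and simply leaves the feature out when it is not found, so after building, `curl-config --features` should list zstd; noting that check in the commit message would show the input was actually picked up.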
--
2.46.0
* [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.
From: Ludovic Courtès @ 2024-12-23 19:45 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 75026
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> gnu: gnutls: Update to 3.8.8.
> gnu: gnutls: Enable zstd compression.
> gnu: gnutls: Streamline mips64el conditionals.
> gnu: brotli: Update to 1.1.0.
> gnu: libidn: Update to 1.42.
> gnu: curl: Update to 8.11.1 and ungraft.
> gnu: curl: Enable zstd support.
‘core-updates’ is now gone:
https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html
Instead, this should go on a dedicated branch, with a “request to merge”
and a jobset on ci.guix (ideally qa.guix would pick it up but it’s
currently out of order).
Thanks,
Ludo’.
* [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.
From: Maxim Cournoyer @ 2024-12-24 2:15 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 75026
Hi Ludovic,
Ludovic Courtès <ludo@gnu.org> writes:
> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> gnu: gnutls: Update to 3.8.8.
>> gnu: gnutls: Enable zstd compression.
>> gnu: gnutls: Streamline mips64el conditionals.
>> gnu: brotli: Update to 1.1.0.
>> gnu: libidn: Update to 1.42.
>> gnu: curl: Update to 8.11.1 and ungraft.
>> gnu: curl: Enable zstd support.
>
> ‘core-updates’ is now gone:
>
> https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html
I'm (finally) aware of this :-). But it seemed useful, when
submitting to the tracker for review, to have a subject prefix anyway to
communicate that this causes a mass rebuild, hopefully avoiding the
situation of another committer picking these up and pushing them to
master.
> Instead, this should go on a dedicated branch, with a “request to merge”
> and a jobset on ci.guix (ideally qa.guix would pick it up but it’s
> currently out of order).
Understood; do the patches LGTY?
--
Thanks,
Maxim
* [bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8.
From: Ludovic Courtès @ 2024-12-24 14:50 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 75026
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> * gnu/packages/tls.scm (gnutls): Update to 3.8.8.
> [source]: Delete patches.
> [arguments]: Mark failing tests via XFAIL_TESTS make flag.
> * gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): De-register it.
>
> Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1
[...]
> --- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
> +++ /dev/null
> @@ -1,15 +0,0 @@
> -Version 3.5.11 added a test to check that the default trust store is readable.
> -It does not exist in the build environment, so pretend everything is fine.
> -
> -diff a/tests/trust-store.c b/tests/trust-store.c
> ---- a/tests/trust-store.c
> -+++ b/tests/trust-store.c
> -@@ -61,7 +61,7 @@
> - } else if (ret < 0) {
> - fail("error loading system trust store: %s\n", gnutls_strerror(ret));
> - } else if (ret == 0) {
> -- fail("no certificates were found in system trust store!\n");
> -+ success("no trust store in the Guix build environment!\n");
[...]
> + #~(list (string-append
> + "XFAIL_TESTS="
> + ;; This test checks that the default trust store is
> + ;; readable; expect it to fail since the trust store
> + ;; doesn't exist in the build environment.
> + "trust-store "
This suggests that the patch above was still useful, after all? (The
patch still applies apparently:
<https://ci.guix.gnu.org/build/6753571/log>.)
Also, lack of the patch might trigger failures in the test suites of
dependents. What does ‘guix build -P1 gnutls’ say?
> + ;; This one fails only inside the build environment, for
> + ;; reasons unknown (see:
> + ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
> + "tls13/compress-cert-neg2 "))
This is weird, would be interesting to investigate, maybe stracing the
test to see why it would fail in the build environment and not outside
of it?
Ludo’.
* [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.
From: Ludovic Courtès @ 2024-12-24 14:52 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 75026
Hello,
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>> ‘core-updates’ is now gone:
>>
>> https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html
>
> I'm (finally) aware of this :-). But it seemed useful, when
> submitting to the tracker for review, to have a subject prefix anyway to
> communicate that this causes a mass rebuild, hopefully avoiding the
> situation of another committer picking these up and pushing them to
> master.
Makes sense. :-)
>> Instead, this should go on a dedicated branch, with a “request to merge”
>> and a jobset on ci.guix (ideally qa.guix would pick it up but it’s
>> currently out of order).
>
> Understood; do the patches LGTY?
Except for the questions I posted about GnuTLS, it LGTM.
Thanks,
Ludo’.