* [PATCH 0/2] Fix URLS for fuse and sshfs-fuse and update fuse @ 2015-12-26 6:44 Leo Famulari 2015-12-26 6:44 ` [PATCH 1/2] gnu: fuse: Update to 2.9.4 Leo Famulari 2015-12-26 6:44 ` [PATCH 2/2] gnu: sshfs-fuse: Update source URL Leo Famulari 0 siblings, 2 replies; 10+ messages in thread From: Leo Famulari @ 2015-12-26 6:44 UTC (permalink / raw) To: guix-devel The libfuse project has moved their home to Github and so fuse and sshfs-fuse have new source URLs. There is a new version of fuse. The new source URLs are a mess. All the old bootstrapped versions are under a directory named for the current release. There are non-bootstrapped auto-generated Github tarballs available under saner URLs. For now, I think we should use the "messy" URL to fix the packaging and upgrade to the current release (2.9.4). When 2.9.5 or 3.0.0 comes out, I expect the situation will improve. CVE-2015-3202 is fixed in 2.9.4: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202 Leo Famulari (2): gnu: fuse: Update to 2.9.4. gnu: sshfs-fuse: Update source URL. gnu-system.am | 1 - gnu/packages/linux.scm | 20 ++++++--- gnu/packages/patches/fuse-CVE-2015-3202.patch | 65 --------------------------- 3 files changed, 13 insertions(+), 73 deletions(-) delete mode 100644 gnu/packages/patches/fuse-CVE-2015-3202.patch -- 2.6.2 ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/2] gnu: fuse: Update to 2.9.4. 2015-12-26 6:44 [PATCH 0/2] Fix URLS for fuse and sshfs-fuse and update fuse Leo Famulari @ 2015-12-26 6:44 ` Leo Famulari 2015-12-29 15:07 ` Ludovic Courtès 2015-12-30 2:02 ` Mark H Weaver 2015-12-26 6:44 ` [PATCH 2/2] gnu: sshfs-fuse: Update source URL Leo Famulari 1 sibling, 2 replies; 10+ messages in thread From: Leo Famulari @ 2015-12-26 6:44 UTC (permalink / raw) To: guix-devel * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file. * gnu-system.am (dist_patch_DATA): Remove it. * gnu/packages/linux.scm (fuse): Update to 2.9.4. [source]: Remove patch. --- gnu-system.am | 1 - gnu/packages/linux.scm | 13 +++--- gnu/packages/patches/fuse-CVE-2015-3202.patch | 65 --------------------------- 3 files changed, 8 insertions(+), 71 deletions(-) delete mode 100644 gnu/packages/patches/fuse-CVE-2015-3202.patch diff --git a/gnu-system.am b/gnu-system.am index e1874fa..78669bd 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -467,7 +467,6 @@ dist_patch_DATA = \ gnu/packages/patches/flint-ldconfig.patch \ gnu/packages/patches/fltk-shared-lib-defines.patch \ gnu/packages/patches/freeimage-CVE-2015-0852.patch \ - gnu/packages/patches/fuse-CVE-2015-3202.patch \ gnu/packages/patches/gawk-shell.patch \ gnu/packages/patches/gcc-arm-link-spec-fix.patch \ gnu/packages/patches/gcc-cross-environment-variables.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 1fc3c4e..fcae17b 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -1242,15 +1242,18 @@ processes currently causing I/O.") (define-public fuse (package (name "fuse") - (version "2.9.3") + (version "2.9.4") (source (origin (method url-fetch) - (uri (string-append "mirror://sourceforge/fuse/fuse-" - version ".tar.gz")) + (uri (let ((version-with-underscores + (string-join (string-split version #\.) "_"))) + (string-append + "https://github.com/libfuse/libfuse/" + "releases/download/" version-with-underscores + "/fuse-" version ".tar.gz"))) (sha256 (base32 - "071r6xjgssy8vwdn6m28qq1bqxsd2bphcd2mzhq0grf5ybm87sqb")) - (patches (list (search-patch "fuse-CVE-2015-3202.patch"))))) + "1qbwp63a2bp0bchabkwiyzszi9x5krlk2pwk2is6g35gyszw1sbb")))) (build-system gnu-build-system) (inputs `(("util-linux" ,util-linux))) (arguments diff --git a/gnu/packages/patches/fuse-CVE-2015-3202.patch b/gnu/packages/patches/fuse-CVE-2015-3202.patch deleted file mode 100644 index 7c64de7..0000000 --- a/gnu/packages/patches/fuse-CVE-2015-3202.patch +++ /dev/null @@ -1,65 +0,0 @@ -The following patch was copied from Debian. - -Description: Fix CVE-2015-3202 - Missing scrubbing of the environment before executing a mount or umount - of a filesystem. -Origin: upstream -Author: Miklos Szeredi <miklos@szeredi.hu> -Last-Update: 2015-05-19 - ---- - lib/mount_util.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - ---- a/lib/mount_util.c -+++ b/lib/mount_util.c -@@ -95,10 +95,12 @@ static int add_mount(const char *prognam - goto out_restore; - } - if (res == 0) { -+ char *env = NULL; -+ - sigprocmask(SIG_SETMASK, &oldmask, NULL); - setuid(geteuid()); -- execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i", -- "-f", "-t", type, "-o", opts, fsname, mnt, NULL); -+ execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i", -+ "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env); - fprintf(stderr, "%s: failed to execute /bin/mount: %s\n", - progname, strerror(errno)); - exit(1); -@@ -146,10 +148,17 @@ static int exec_umount(const char *progn - goto out_restore; - } - if (res == 0) { -+ char *env = NULL; -+ - sigprocmask(SIG_SETMASK, &oldmask, NULL); - setuid(geteuid()); -- execl("/bin/umount", "/bin/umount", "-i", rel_mnt, -- lazy ? "-l" : NULL, NULL); -+ if (lazy) { -+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt, -+ "-l", NULL, &env); -+ } else { -+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt, -+ NULL, &env); -+ } - fprintf(stderr, "%s: failed to execute /bin/umount: %s\n", - progname, strerror(errno)); - exit(1); -@@ -205,10 +214,12 @@ static int remove_mount(const char *prog - goto out_restore; - } - if (res == 0) { -+ char *env = NULL; -+ - sigprocmask(SIG_SETMASK, &oldmask, NULL); - setuid(geteuid()); -- execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i", -- "--fake", mnt, NULL); -+ execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i", -+ "--fake", mnt, NULL, &env); - fprintf(stderr, "%s: failed to execute /bin/umount: %s\n", - progname, strerror(errno)); - exit(1); -- 2.6.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4. 2015-12-26 6:44 ` [PATCH 1/2] gnu: fuse: Update to 2.9.4 Leo Famulari @ 2015-12-29 15:07 ` Ludovic Courtès 2015-12-29 19:21 ` Leo Famulari 2015-12-30 2:02 ` Mark H Weaver 1 sibling, 1 reply; 10+ messages in thread From: Ludovic Courtès @ 2015-12-29 15:07 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel Leo Famulari <leo@famulari.name> skribis: > * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file. > * gnu-system.am (dist_patch_DATA): Remove it. > * gnu/packages/linux.scm (fuse): Update to 2.9.4. > [source]: Remove patch. LGTM, thanks! Ludo’. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4. 2015-12-29 15:07 ` Ludovic Courtès @ 2015-12-29 19:21 ` Leo Famulari 0 siblings, 0 replies; 10+ messages in thread From: Leo Famulari @ 2015-12-29 19:21 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel On Tue, Dec 29, 2015 at 04:07:18PM +0100, Ludovic Courtès wrote: > Leo Famulari <leo@famulari.name> skribis: > > > * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file. > > * gnu-system.am (dist_patch_DATA): Remove it. > > * gnu/packages/linux.scm (fuse): Update to 2.9.4. > > [source]: Remove patch. > > LGTM, thanks! Pushed as b7e7d1b9d3. > > Ludo’. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4. 2015-12-26 6:44 ` [PATCH 1/2] gnu: fuse: Update to 2.9.4 Leo Famulari 2015-12-29 15:07 ` Ludovic Courtès @ 2015-12-30 2:02 ` Mark H Weaver 2015-12-30 3:34 ` Mark H Weaver 1 sibling, 1 reply; 10+ messages in thread From: Mark H Weaver @ 2015-12-30 2:02 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel Leo Famulari <leo@famulari.name> writes: > * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file. > * gnu-system.am (dist_patch_DATA): Remove it. > * gnu/packages/linux.scm (fuse): Update to 2.9.4. > [source]: Remove patch. This patch broke the build on all platforms, because the source URI returns 404 "Not Found". See: http://hydra.gnu.org/build/905375/nixlog/1/tail-reload --8<---------------cut here---------------start------------->8--- Starting download of /gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz From https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz... ERROR: download failed "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" 404 "Not Found" failed to download "/gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz" from "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" --8<---------------cut here---------------end--------------->8--- Can you look into it? Mark > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index 1fc3c4e..fcae17b 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm > @@ -1242,15 +1242,18 @@ processes currently causing I/O.") > (define-public fuse > (package > (name "fuse") > - (version "2.9.3") > + (version "2.9.4") > (source (origin > (method url-fetch) > - (uri (string-append "mirror://sourceforge/fuse/fuse-" > - version ".tar.gz")) > + (uri (let ((version-with-underscores > + (string-join (string-split version #\.) "_"))) > + (string-append > + "https://github.com/libfuse/libfuse/" > + "releases/download/" version-with-underscores > + "/fuse-" version ".tar.gz"))) > (sha256 > (base32 > - "071r6xjgssy8vwdn6m28qq1bqxsd2bphcd2mzhq0grf5ybm87sqb")) > - (patches (list (search-patch "fuse-CVE-2015-3202.patch"))))) > + "1qbwp63a2bp0bchabkwiyzszi9x5krlk2pwk2is6g35gyszw1sbb")))) > (build-system gnu-build-system) > (inputs `(("util-linux" ,util-linux))) > (arguments ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4. 2015-12-30 2:02 ` Mark H Weaver @ 2015-12-30 3:34 ` Mark H Weaver 2015-12-30 6:54 ` Leo Famulari 0 siblings, 1 reply; 10+ messages in thread From: Mark H Weaver @ 2015-12-30 3:34 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel Mark H Weaver <mhw@netris.org> writes: > Leo Famulari <leo@famulari.name> writes: > >> * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file. >> * gnu-system.am (dist_patch_DATA): Remove it. >> * gnu/packages/linux.scm (fuse): Update to 2.9.4. >> [source]: Remove patch. > > This patch broke the build on all platforms, because the source URI > returns 404 "Not Found". See: > > http://hydra.gnu.org/build/905375/nixlog/1/tail-reload > > Starting download of /gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz > From https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz... > ERROR: download failed "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" 404 "Not Found" > failed to download "/gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz" from "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" > > Can you look into it? I went ahead and fixed this myself, after realizing that this problem would cause attempts to build systems that use %base-services to fail, which I expect is almost all of them. The reason is that %base-services includes 'fuse' here: ;; The LVM2 rules are needed as soon as LVM2 or the device-mapper is ;; used, so enable them by default. The FUSE and ALSA rules are ;; less critical, but handy. (udev-service #:rules (list lvm2 fuse alsa-utils crda)) Mistakes in source URIs like this are likely to go undetected for those who use "guix download" to download the source, which is why I never do that. I always use "wget" to download the source, and then "guix hash" to compute the hash (after checking the signature), and finally "guix build -K" to test the updated 'source' field by downloading the source a second time before building the package. Regards, Mark ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] gnu: fuse: Update to 2.9.4. 2015-12-30 3:34 ` Mark H Weaver @ 2015-12-30 6:54 ` Leo Famulari 0 siblings, 0 replies; 10+ messages in thread From: Leo Famulari @ 2015-12-30 6:54 UTC (permalink / raw) To: Mark H Weaver; +Cc: guix-devel On Tue, Dec 29, 2015 at 10:34:53PM -0500, Mark H Weaver wrote: > Mark H Weaver <mhw@netris.org> writes: > > > Leo Famulari <leo@famulari.name> writes: > > > >> * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file. > >> * gnu-system.am (dist_patch_DATA): Remove it. > >> * gnu/packages/linux.scm (fuse): Update to 2.9.4. > >> [source]: Remove patch. > > > > This patch broke the build on all platforms, because the source URI > > returns 404 "Not Found". See: > > > > http://hydra.gnu.org/build/905375/nixlog/1/tail-reload > > > > Starting download of /gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz > > From https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz... > > ERROR: download failed "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" 404 "Not Found" > > failed to download "/gnu/store/1yv745ixmy5r5mf5pnlppd31pz0qnqab-fuse-2.9.4.tar.gz" from "https://github.com/libfuse/libfuse/releases/download/2_9_4/fuse-2.9.4.tar.gz" > > > > Can you look into it? My apologies! > > I went ahead and fixed this myself, after realizing that this problem > would cause attempts to build systems that use %base-services to fail, > which I expect is almost all of them. The reason is that %base-services > includes 'fuse' here: > > ;; The LVM2 rules are needed as soon as LVM2 or the device-mapper is > ;; used, so enable them by default. The FUSE and ALSA rules are > ;; less critical, but handy. > (udev-service #:rules (list lvm2 fuse alsa-utils crda)) Thank you for taking care of it. > > Mistakes in source URIs like this are likely to go undetected for those > who use "guix download" to download the source, which is why I never do > that. I always use "wget" to download the source, and then "guix hash" > to compute the hash (after checking the signature), and finally "guix > build -K" to test the updated 'source' field by downloading the source a > second time before building the package. I usually just put the URL in the package definition and then get the hash from the failed build, but this one was so special that I must have used `guix download` at some point. Thanks for explaining this pitfall. I'll keep it in mind in the future. > > Regards, > Mark ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 2/2] gnu: sshfs-fuse: Update source URL. 2015-12-26 6:44 [PATCH 0/2] Fix URLS for fuse and sshfs-fuse and update fuse Leo Famulari 2015-12-26 6:44 ` [PATCH 1/2] gnu: fuse: Update to 2.9.4 Leo Famulari @ 2015-12-26 6:44 ` Leo Famulari 2015-12-29 15:08 ` Ludovic Courtès 1 sibling, 1 reply; 10+ messages in thread From: Leo Famulari @ 2015-12-26 6:44 UTC (permalink / raw) To: guix-devel * gnu/packages/linux.scm (sshfs-fuse)[source]: Update URL. --- gnu/packages/linux.scm | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index fcae17b..efad70e 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -1374,8 +1374,11 @@ UnionFS-FUSE additionally supports copy-on-write.") (version "2.5") (source (origin (method url-fetch) - (uri (string-append "mirror://sourceforge/fuse/sshfs-fuse-" - version ".tar.gz")) + (uri (let ((version-with-underscores + (string-join (string-split version #\.) "_"))) + (string-append "https://github.com/libfuse/sshfs/releases/" + "download/sshfs_" version-with-underscores + "/sshfs-fuse-" version ".tar.gz"))) (sha256 (base32 "0gp6qr33l2p0964j0kds0dfmvyyf5lpgsn11daf0n5fhwm9185z9")))) -- 2.6.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] gnu: sshfs-fuse: Update source URL. 2015-12-26 6:44 ` [PATCH 2/2] gnu: sshfs-fuse: Update source URL Leo Famulari @ 2015-12-29 15:08 ` Ludovic Courtès 2015-12-29 19:22 ` Leo Famulari 0 siblings, 1 reply; 10+ messages in thread From: Ludovic Courtès @ 2015-12-29 15:08 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel Leo Famulari <leo@famulari.name> skribis: > * gnu/packages/linux.scm (sshfs-fuse)[source]: Update URL. OK! Ludo'. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] gnu: sshfs-fuse: Update source URL. 2015-12-29 15:08 ` Ludovic Courtès @ 2015-12-29 19:22 ` Leo Famulari 0 siblings, 0 replies; 10+ messages in thread From: Leo Famulari @ 2015-12-29 19:22 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel On Tue, Dec 29, 2015 at 04:08:32PM +0100, Ludovic Courtès wrote: > Leo Famulari <leo@famulari.name> skribis: > > > * gnu/packages/linux.scm (sshfs-fuse)[source]: Update URL. > > OK! Pushed as 6959a13271. > > Ludo'. ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2015-12-30 6:54 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-12-26 6:44 [PATCH 0/2] Fix URLS for fuse and sshfs-fuse and update fuse Leo Famulari 2015-12-26 6:44 ` [PATCH 1/2] gnu: fuse: Update to 2.9.4 Leo Famulari 2015-12-29 15:07 ` Ludovic Courtès 2015-12-29 19:21 ` Leo Famulari 2015-12-30 2:02 ` Mark H Weaver 2015-12-30 3:34 ` Mark H Weaver 2015-12-30 6:54 ` Leo Famulari 2015-12-26 6:44 ` [PATCH 2/2] gnu: sshfs-fuse: Update source URL Leo Famulari 2015-12-29 15:08 ` Ludovic Courtès 2015-12-29 19:22 ` Leo Famulari
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.