[bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.

[bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.

[Maxim Cournoyer]

Maxim Cournoyer (7):
  gnu: gnutls: Update to 3.8.8.
  gnu: gnutls: Enable zstd compression.
  gnu: gnutls: Streamline mips64el conditionals.
  gnu: brotli: Update to 1.1.0.
  gnu: libidn: Update to 1.42.
  gnu: curl: Update to 8.11.1 and ungraft.
  gnu: curl: Enable zstd support.

 gnu/local.mk                                  |   2 -
 gnu/packages/compression.scm                  |  47 ++--
 gnu/packages/curl.scm                         |  59 +++---
 gnu/packages/libidn.scm                       |   4 +-
 gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
 .../gnutls-skip-trust-store-test.patch        |  15 --
 gnu/packages/tls.scm                          |  50 ++---
 7 files changed, 74 insertions(+), 303 deletions(-)
 delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
 delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch


base-commit: 42ba1aa8b3090f3a4957d36be14e93c5e36f1825
-- 
2.46.0

[bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8.

[Maxim Cournoyer]

* gnu/packages/tls.scm (gnutls): Update to 3.8.8.
[source]: Delete patches.
[arguments]: Mark failing tests via XFAIL_TESTS make flag.
* gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.

Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1
---
 gnu/local.mk                                  |  1 -
 .../gnutls-skip-trust-store-test.patch        | 15 -----------
 gnu/packages/tls.scm                          | 25 ++++++++++---------
 3 files changed, 13 insertions(+), 28 deletions(-)
 delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 8155a5ae34..a4f2e71134 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1477,7 +1477,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnumach-version.patch			\
   %D%/packages/patches/gnupg-default-pinentry.patch		\
   %D%/packages/patches/gnupg-1-build-with-gcc10.patch		\
-  %D%/packages/patches/gnutls-skip-trust-store-test.patch	\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-absolute-shlib-path-1.72.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
deleted file mode 100644
index e0536712a5..0000000000
--- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Version 3.5.11 added a test to check that the default trust store is readable.
-It does not exist in the build environment, so pretend everything is fine.
-
-diff a/tests/trust-store.c b/tests/trust-store.c
---- a/tests/trust-store.c
-+++ b/tests/trust-store.c
-@@ -61,7 +61,7 @@
- 	} else if (ret < 0) {
- 		fail("error loading system trust store: %s\n", gnutls_strerror(ret));
- 	} else if (ret == 0) {
--		fail("no certificates were found in system trust store!\n");
-+		success("no trust store in the Guix build environment!\n");
- 	}
- 
- 	gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 5f3bc72f6e..ecdfb5c0e5 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,7 +201,7 @@ (define-public p11-kit
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.8.3")
+    (version "3.8.8")
     (source (origin
               (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
@@ -209,10 +209,9 @@ (define-public gnutls
               (uri (string-append "mirror://gnupg/gnutls/v"
                                   (version-major+minor version)
                                   "/gnutls-" version ".tar.xz"))
-              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
               (sha256
                (base32
-                "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))
+                "1yyq74lzlnkgwbr269mddi9vqi1j0dcnw8pdh09vb01qb0704kxc"))))
     (build-system gnu-build-system)
     (arguments
      (list #:tests? (not (or (%current-target-system)
@@ -242,17 +241,19 @@ (define-public gnutls
                      ;; not working on mips64el.
                      "--without-p11-kit")
                     '())))
-
+           #:make-flags
+           #~(list (string-append
+                    "XFAIL_TESTS="
+                    ;; This test checks that the default trust store is
+                    ;; readable; expect it to fail since the trust store
+                    ;; doesn't exist in the build environment.
+                    "trust-store "
+                    ;; This one fails only inside the build environment, for
+                    ;; reasons unknown (see:
+                    ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
+                    "tls13/compress-cert-neg2 "))
            #:phases
            #~(modify-phases %standard-phases
-               ;; fastopen.sh fails to connect to the server in the builder
-               ;; environment (see:
-               ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
-               (add-after 'unpack 'disable-failing-tests
-                 (lambda _
-                   (substitute* "tests/fastopen.sh"
-                     (("^unset RETCODE")
-                      "exit 77\n"))))   ;skip
                #$@(if (target-ppc32?)
                       ;; https://gitlab.com/gnutls/gnutls/-/issues/1354
                       ;; Extend the test timeout from the default of 20 * 1000
-- 
2.46.0

[bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8.

[Ludovic Courtès]

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> * gnu/packages/tls.scm (gnutls): Update to 3.8.8.
> [source]: Delete patches.
> [arguments]: Mark failing tests via XFAIL_TESTS make flag.
> * gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): De-register it.
>
> Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1

[...]

> --- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
> +++ /dev/null
> @@ -1,15 +0,0 @@
> -Version 3.5.11 added a test to check that the default trust store is readable.
> -It does not exist in the build environment, so pretend everything is fine.
> -
> -diff a/tests/trust-store.c b/tests/trust-store.c
> ---- a/tests/trust-store.c
> -+++ b/tests/trust-store.c
> -@@ -61,7 +61,7 @@
> - 	} else if (ret < 0) {
> - 		fail("error loading system trust store: %s\n", gnutls_strerror(ret));
> - 	} else if (ret == 0) {
> --		fail("no certificates were found in system trust store!\n");
> -+		success("no trust store in the Guix build environment!\n");


[...]

> +           #~(list (string-append
> +                    "XFAIL_TESTS="
> +                    ;; This test checks that the default trust store is
> +                    ;; readable; expect it to fail since the trust store
> +                    ;; doesn't exist in the build environment.
> +                    "trust-store "

This suggests that the patch above was still useful, after all?  (The
patch still applies apparently:
<https://ci.guix.gnu.org/build/6753571/log>.)

Also, lack of the patch might trigger failures in the test suites of
dependents.  What does ‘guix build -P1 gnutls’ say?

> +                    ;; This one fails only inside the build environment, for
> +                    ;; reasons unknown (see:
> +                    ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
> +                    "tls13/compress-cert-neg2 "))

This is weird, would be interesting to investigate, maybe stracing the
test to see why it would fail in the build environment and not outside
of it?

Ludo’.

[bug#75026] [PATCH core-updates 2/7] gnu: gnutls: Enable zstd compression.

[Maxim Cournoyer]

* gnu/packages/tls.scm [inputs]: Add zstd:lib.

Change-Id: I7cfce764181eebe12a32019107061c88edaa877a
---
 gnu/packages/tls.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index ecdfb5c0e5..c0efb66d96 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -283,7 +283,7 @@ (define-public gnutls
                        iproute          ;for 'ss'
                        socat            ;several tests rely on it
                        datefudge))))    ;tests rely on 'datefudge'
-    (inputs (list libunistring))
+    (inputs (list libunistring `(,zstd "lib")))
     (propagated-inputs
      ;; These are all in the 'Requires.private' field of gnutls.pc.
      (append (list libtasn1 libidn2 nettle zlib)
-- 
2.46.0

[bug#75026] [PATCH core-updates 3/7] gnu: gnutls: Streamline mips64el conditionals.

[Maxim Cournoyer]

* gnu/packages/tls.scm (gnutls) [arguments]: Use target-mips64el? procedure in
 #:configure-flags.
[propagated-inputs]: Likewise.

Change-Id: Ia4b603ef57cebe78df1d3e40222fe9c49d9ee8cc
---
 gnu/packages/tls.scm | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index c0efb66d96..90d6ad5c95 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -232,15 +232,12 @@ (define-public gnutls
               ;; fallback, and users have to configure each program
               ;; independently.  This seems suboptimal.
               "--with-default-trust-store-dir=/etc/ssl/certs"
-
-              (let ((system #$(or (%current-target-system)
-                                  (%current-system))))
-                (if (string-prefix? "mips64el" system)
-                    (list
-                     ;; FIXME: Temporarily disable p11-kit support since it is
-                     ;; not working on mips64el.
-                     "--without-p11-kit")
-                    '())))
+              (if #$(target-mips64el?)
+                  (list
+                   ;; FIXME: Temporarily disable p11-kit support since it is
+                   ;; not working on mips64el.
+                   "--without-p11-kit")
+                  '()))
            #:make-flags
            #~(list (string-append
                     "XFAIL_TESTS="
@@ -287,11 +284,9 @@ (define-public gnutls
     (propagated-inputs
      ;; These are all in the 'Requires.private' field of gnutls.pc.
      (append (list libtasn1 libidn2 nettle zlib)
-             (let ((system (or (%current-target-system)
-                               (%current-system))))
-               (if (string-prefix? "mips64el" system)
-                   '()
-                   (list p11-kit)))))
+             (if (target-mips64el?)
+                 '()
+                 (list p11-kit))))
     (home-page "https://gnutls.org")
     (synopsis "Transport layer security library")
     (description
-- 
2.46.0

[bug#75026] [PATCH core-updates 4/7] gnu: brotli: Update to 1.1.0.

[Maxim Cournoyer]

* gnu/packages/compression.scm (brotli): Update to 1.1.0.
[source]: Delete obsolete snippet.
[arguments]: Use gexps.

Change-Id: I4fe13683ff33f528ef897bb65bbb239d4d4985c6
---
 gnu/packages/compression.scm | 47 +++++++++++++++---------------------
 1 file changed, 19 insertions(+), 28 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 44461bb87c..93b6cd070b 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2351,7 +2351,7 @@ (define-public isa-l
 (define-public brotli
   (package
     (name "brotli")
-    (version "1.0.9")
+    (version "1.1.0")
     (source
      (origin
        (method git-fetch)
@@ -2360,35 +2360,26 @@ (define-public brotli
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1fikasxf7r2dwlk8mv8w7nmjkn0jw5ic31ky3mvpkdzwgd4xfndl"))
-       (modules '((guix build utils)))
-       (snippet
-        '(begin
-           ;; Cherry-picked from upstream since the latest release
-           ;; https://github.com/google/brotli/commit/09b0992b6acb7faa6fd3b23f9bc036ea117230fc
-           (substitute* (find-files "scripts" "^lib.*pc\\.in")
-             (("-R\\$\\{libdir\\} ") ""))
-           #t))))
+        (base32 "0cvcq302wpjpd1a2cmxcp9a01lwvc2kkir8vsdb3x11djnxc0nsk"))))
     (build-system cmake-build-system)
     (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (add-after 'install 'rename-static-libraries
-           ;; The build tools put a 'static' suffix on the static libraries, but
-           ;; other applications don't know how to find these.
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let ((lib (string-append (assoc-ref %outputs "out") "/lib/")))
-               (rename-file (string-append lib "libbrotlicommon-static.a")
-                            (string-append lib "libbrotlicommon.a"))
-               (rename-file (string-append lib "libbrotlidec-static.a")
-                            (string-append lib "libbrotlidec.a"))
-               (rename-file (string-append lib "libbrotlienc-static.a")
-                            (string-append lib "libbrotlienc.a"))
-               #t))))
-       #:configure-flags
-       (list ;; Defaults to "lib64" on 64-bit archs.
-             (string-append "-DCMAKE_INSTALL_LIBDIR="
-                            (assoc-ref %outputs "out") "/lib"))))
+     (list
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'install 'rename-static-libraries
+            ;; The build tools put a 'static' suffix on the static libraries, but
+            ;; other applications don't know how to find these.
+            (lambda _
+              (let ((lib (string-append #$output "/lib/")))
+                (rename-file (string-append lib "libbrotlicommon-static.a")
+                             (string-append lib "libbrotlicommon.a"))
+                (rename-file (string-append lib "libbrotlidec-static.a")
+                             (string-append lib "libbrotlidec.a"))
+                (rename-file (string-append lib "libbrotlienc-static.a")
+                             (string-append lib "libbrotlienc.a"))))))
+      #:configure-flags
+      #~(list ;; Defaults to "lib64" on 64-bit archs.
+         (string-append "-DCMAKE_INSTALL_LIBDIR=" #$output "/lib"))))
     (home-page "https://github.com/google/brotli")
     (synopsis "General-purpose lossless compression")
     (description "This package provides the reference implementation of Brotli,
-- 
2.46.0

[bug#75026] [PATCH core-updates 5/7] gnu: libidn: Update to 1.42.

[Maxim Cournoyer]

* gnu/packages/libidn.scm (libidn): Update to 1.42.

Change-Id: I7f65377334d6de889ee0fa08ae941a03c6c4e4ca
---
 gnu/packages/libidn.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 80350db495..8b12fa87d8 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -34,14 +34,14 @@ (define-module (gnu packages libidn)
 (define-public libidn
   (package
    (name "libidn")
-   (version "1.41")
+   (version "1.42")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libidn/libidn-" version
                                 ".tar.gz"))
             (sha256
              (base32
-              "0ic9zlqqppwaqr3i0r8lb8f47rrazzc8d5pfgg8vs6mqciip0kc8"))))
+              "08s7rgg8rnmdrk8zyj6m1rb3j3cs6h44pjv0jckzxr06v3f9khfn"))))
    (build-system gnu-build-system)
    ;; FIXME: No Java and C# libraries are currently built.
    (arguments
-- 
2.46.0

[bug#75026] [PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft.

[Maxim Cournoyer]

* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments]
<#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963,
964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.

Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
 gnu/local.mk                                  |   1 -
 gnu/packages/curl.scm                         |  47 ++--
 gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
 3 files changed, 19 insertions(+), 229 deletions(-)
 delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a4f2e71134..4ffaf89ba4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1128,7 +1128,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch	\
-  %D%/packages/patches/curl-CVE-2024-8096.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
   %D%/packages/patches/curlftpfs-fix-error-closing-file.patch	\
   %D%/packages/patches/curlftpfs-fix-file-names.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..8645ce73f8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -17,6 +17,7 @@
 ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
 ;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
+;;; Copyright © 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -67,15 +68,14 @@ (define-module (gnu packages curl)
 (define-public curl
   (package
     (name "curl")
-    (version "8.6.0")
-    (replacement curl/fixed)
+    (version "8.11.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://curl.se/download/curl-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+                "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7"))
               (patches (search-patches "curl-use-ssl-cert-env.patch"))))
     (outputs '("out"
                "doc"))                  ;1.2 MiB of man3 pages
@@ -89,6 +89,7 @@ (define-public curl
                              (dirname (dirname
                                        (search-input-file
                                         %build-inputs "lib/libgssrpc.so"))))
+              "--with-libssh2"
               "--disable-static")
       #:test-target "test-nonflaky"     ;avoid tests marked as "flaky"
       #:phases
@@ -115,20 +116,20 @@ (define-public curl
                                    (if parallel-tests?
                                        (number->string (parallel-job-count))
                                        "1")))
-                       ;; Ignore test 1477 due to a missing file in the 8.5.0
-                       ;; release.  See
-                       ;; <https://github.com/curl/curl/issues/12462>.
-                       (arguments `("-C" "tests" "test"
-                                    ,@make-flags
-                                    ,(if #$(or (system-hurd?)
-                                               (target-arm32?)
-                                               (target-aarch64?))
-                                         ;; protocol FAIL
-                                         (string-append "TFLAGS=~1474 "
-                                                        "!1477 "
-                                                        job-count)
-                                         (string-append "TFLAGS=\"~1477 "
-                                                        job-count "\"")))))
+                       (arguments
+                        `("-C" "tests" "test"
+                          ,@make-flags
+                          ,(string-append "TFLAGS="
+                                          job-count " "
+                                          (if #$(or (system-hurd?)
+                                                    (target-arm32?)
+                                                    (target-aarch64?))
+                                              "~1474 " ;protocol FAIL
+                                              "")
+                                          ;; protocol FAIL
+                                          "~962 ~963 ~964 ~965 ~966 ~967 "
+                                          ;; These fail for unknown reasons.
+                                          "~165 ~1448 ~2046 ~2047"))))
                   ;; The top-level "make check" does "make -C tests quiet-test", which
                   ;; is too quiet.  Use the "test" target instead, which is more
                   ;; verbose.
@@ -152,7 +153,7 @@ (define-public curl
     (native-inputs
      (list nghttp2 perl pkg-config python-minimal-wrapper))
     (inputs
-     (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+     (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
     (native-search-paths
      ;; These variables are introduced by curl-use-ssl-cert-env.patch.
      (list $SSL_CERT_DIR
@@ -178,16 +179,6 @@ (define-public curl
     (license (license:non-copyleft "file://COPYING"
                                    "See COPYING in the distribution."))))
 
-(define-public curl/fixed
-  (hidden-package
-   (package
-     (inherit curl)
-     (replacement curl/fixed)
-     (source (origin
-               (inherit (package-source curl))
-               (patches (append (origin-patches (package-source curl))
-                                (search-patches "curl-CVE-2024-8096.patch"))))))))
-
 (define-public gnurl (deprecated-package "gnurl" curl))
 
 (define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
deleted file mode 100644
index 0f780f08c3..0000000000
--- a/gnu/packages/patches/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
-   init_flags |= GNUTLS_NO_TICKETS;
- #endif
- 
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+  if(!config->verifystatus)
-+    /* Disable the "status_request" TLS extension, enabled by default since
-+       GnuTLS 3.8.0. */
-+    init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
-   rc = gnutls_init(&gtls->session, init_flags);
-   if(rc != GNUTLS_E_SUCCESS) {
-     failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
-     infof(data, "  server certificate verification SKIPPED");
- 
-   if(config->verifystatus) {
--    if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
--      gnutls_datum_t status_request;
--      gnutls_ocsp_resp_t ocsp_resp;
-+    gnutls_datum_t status_request;
-+    gnutls_ocsp_resp_t ocsp_resp;
-+    gnutls_ocsp_cert_status_t status;
-+    gnutls_x509_crl_reason_t reason;
- 
--      gnutls_ocsp_cert_status_t status;
--      gnutls_x509_crl_reason_t reason;
-+    rc = gnutls_ocsp_status_request_get(session, &status_request);
- 
--      rc = gnutls_ocsp_status_request_get(session, &status_request);
-+    if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+      failf(data, "No OCSP response received");
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-+    }
- 
--      infof(data, " server certificate status verification FAILED");
-+    if(rc < 0) {
-+      failf(data, "Invalid OCSP response received");
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-+    }
- 
--      if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
--        failf(data, "No OCSP response received");
--        return CURLE_SSL_INVALIDCERTSTATUS;
--      }
-+    gnutls_ocsp_resp_init(&ocsp_resp);
- 
--      if(rc < 0) {
--        failf(data, "Invalid OCSP response received");
--        return CURLE_SSL_INVALIDCERTSTATUS;
--      }
-+    rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+    if(rc < 0) {
-+      failf(data, "Invalid OCSP response received");
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-+    }
- 
--      gnutls_ocsp_resp_init(&ocsp_resp);
-+    (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+                                      &status, NULL, NULL, NULL, &reason);
- 
--      rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
--      if(rc < 0) {
--        failf(data, "Invalid OCSP response received");
--        return CURLE_SSL_INVALIDCERTSTATUS;
--      }
-+    switch(status) {
-+    case GNUTLS_OCSP_CERT_GOOD:
-+      break;
- 
--      (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
--                                        &status, NULL, NULL, NULL, &reason);
-+    case GNUTLS_OCSP_CERT_REVOKED: {
-+      const char *crl_reason;
- 
--      switch(status) {
--      case GNUTLS_OCSP_CERT_GOOD:
-+      switch(reason) {
-+      default:
-+      case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+        crl_reason = "unspecified reason";
-         break;
- 
--      case GNUTLS_OCSP_CERT_REVOKED: {
--        const char *crl_reason;
--
--        switch(reason) {
--          default:
--          case GNUTLS_X509_CRLREASON_UNSPECIFIED:
--            crl_reason = "unspecified reason";
--            break;
--
--          case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
--            crl_reason = "private key compromised";
--            break;
--
--          case GNUTLS_X509_CRLREASON_CACOMPROMISE:
--            crl_reason = "CA compromised";
--            break;
--
--          case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
--            crl_reason = "affiliation has changed";
--            break;
-+      case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+        crl_reason = "private key compromised";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_SUPERSEDED:
--            crl_reason = "certificate superseded";
--            break;
-+      case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+        crl_reason = "CA compromised";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
--            crl_reason = "operation has ceased";
--            break;
-+      case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+        crl_reason = "affiliation has changed";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
--            crl_reason = "certificate is on hold";
--            break;
-+      case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+        crl_reason = "certificate superseded";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
--            crl_reason = "will be removed from delta CRL";
--            break;
-+      case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+        crl_reason = "operation has ceased";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
--            crl_reason = "privilege withdrawn";
--            break;
-+      case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+        crl_reason = "certificate is on hold";
-+        break;
- 
--          case GNUTLS_X509_CRLREASON_AACOMPROMISE:
--            crl_reason = "AA compromised";
--            break;
--        }
-+      case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+        crl_reason = "will be removed from delta CRL";
-+        break;
- 
--        failf(data, "Server certificate was revoked: %s", crl_reason);
-+      case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+        crl_reason = "privilege withdrawn";
-         break;
--      }
- 
--      default:
--      case GNUTLS_OCSP_CERT_UNKNOWN:
--        failf(data, "Server certificate status is unknown");
-+      case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+        crl_reason = "AA compromised";
-         break;
-       }
- 
--      gnutls_ocsp_resp_deinit(ocsp_resp);
-+      failf(data, "Server certificate was revoked: %s", crl_reason);
-+      break;
-+    }
- 
--      return CURLE_SSL_INVALIDCERTSTATUS;
-+    default:
-+    case GNUTLS_OCSP_CERT_UNKNOWN:
-+      failf(data, "Server certificate status is unknown");
-+      break;
-     }
--    else
--      infof(data, "  server certificate status verification OK");
-+
-+    gnutls_ocsp_resp_deinit(ocsp_resp);
-+    if(status != GNUTLS_OCSP_CERT_GOOD)
-+      return CURLE_SSL_INVALIDCERTSTATUS;
-   }
-   else
-     infof(data, "  server certificate status verification SKIPPED");
-- 
2.46.0

[bug#75026] [PATCH core-updates 7/7] gnu: curl: Enable zstd support.

[Maxim Cournoyer]

* gnu/packages/curl.scm [inputs]: Add zstd:lib.

Change-Id: I48e1099c3a445bcbdeaf16c5a79d956bd1b51307
---
 gnu/packages/curl.scm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 8645ce73f8..d0c8c5c2a6 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -151,9 +151,19 @@ (define-public curl
                           (close port)))))
                  #~()))))
     (native-inputs
-     (list nghttp2 perl pkg-config python-minimal-wrapper))
+     (list nghttp2
+           perl
+           pkg-config
+           python-minimal-wrapper))
     (inputs
-     (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
+     (list gnutls
+           libidn
+           libpsl
+           libssh2
+           mit-krb5
+           `(,nghttp2 "lib")
+           zlib
+           `(,zstd "lib")))
     (native-search-paths
      ;; These variables are introduced by curl-use-ssl-cert-env.patch.
      (list $SSL_CERT_DIR
-- 
2.46.0

[bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.

[Ludovic Courtès]

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

>   gnu: gnutls: Update to 3.8.8.
>   gnu: gnutls: Enable zstd compression.
>   gnu: gnutls: Streamline mips64el conditionals.
>   gnu: brotli: Update to 1.1.0.
>   gnu: libidn: Update to 1.42.
>   gnu: curl: Update to 8.11.1 and ungraft.
>   gnu: curl: Enable zstd support.

‘core-updates’ is now gone:

  https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html

Instead, this should go on a dedicated branch, with a “request to merge”
and a jobset on ci.guix (ideally qa.guix would pick it up but it’s
currently out of order).

Thanks,
Ludo’.

[bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.

[Maxim Cournoyer]

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>>   gnu: gnutls: Update to 3.8.8.
>>   gnu: gnutls: Enable zstd compression.
>>   gnu: gnutls: Streamline mips64el conditionals.
>>   gnu: brotli: Update to 1.1.0.
>>   gnu: libidn: Update to 1.42.
>>   gnu: curl: Update to 8.11.1 and ungraft.
>>   gnu: curl: Enable zstd support.
>
> ‘core-updates’ is now gone:
>
>   https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html

I'm (finally) aware of this :-).  But it seemed like useful, when
submitting to the trackr for review to have a subject prefix anyway to
communicate that this causes a mass rebuild, hopefully avoiding the
situation of another committer picking these up and pushing them to the
master.

> Instead, this should go on a dedicated branch, with a “request to merge”
> and a jobset on ci.guix (ideally qa.guix would pick it up but it’s
> currently out of order).

Understood; do the patches LGTY?

-- 
Thanks,
Maxim

[bug#75026] [PATCH core-updates 0/7] Update gnutls and curl.

[Ludovic Courtès]

Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

>> ‘core-updates’ is now gone:
>>
>>   https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html
>
> I'm (finally) aware of this :-).  But it seemed like useful, when
> submitting to the trackr for review to have a subject prefix anyway to
> communicate that this causes a mass rebuild, hopefully avoiding the
> situation of another committer picking these up and pushing them to the
> master.

Makes sense.  :-)

>> Instead, this should go on a dedicated branch, with a “request to merge”
>> and a jobset on ci.guix (ideally qa.guix would pick it up but it’s
>> currently out of order).
>
> Understood; do the patches LGTY?

Except for the questions I posted about GnuTLS, it LGTM.

Thanks,
Ludo’.