Subject: [bug#33701] [PATCH staging 00/23] Glib/GTK+ updates
From: Marius Bakke
In-Reply-To: <20181211011205.15542-1-mbakke@fastmail.com>
References: <20181211011205.15542-1-mbakke@fastmail.com>
Date: Tue, 11 Dec 2018 21:42:09 +0100
Message-ID: <87k1kfssm6.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
To: 33701@debbugs.gnu.org

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Marius Bakke writes:

> This late series adds around 1000 rebuilds to the current staging
> branch. They also bring many of the GNOME family libraries to the
> latest upstream versions.
>
> The good:
> * Latest Ghostscript, Poppler, Harfbuzz, GnuTLS, and other
>   security-critical libraries. Some of these have changed
>   build systems, or ABIs, so future patching is easier.
> * Most/all regressions are already fixed.

Whoops, I spoke too soon: I upgraded glib-networking from 2.58 to 2.59 in the last minute (to fix a test failure), but the change broke libsoup and possibly more.

In v2 of this series, two patches have diverged. Libsoup was adjusted to cope with the new "certtool" API from GnuTLS 3.6:

--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline; filename=0019-gnu-GnuTLS-Update-to-3.6.5.patch
Content-Transfer-Encoding: quoted-printable

From=20cab3a4a7fe3e719f2991384c161043bbfae742d6 Mon Sep 17 00:00:00 2001
From: Marius Bakke Date: Mon, 10 Dec 2018 02:38:32 +0100 Subject: [PATCH staging 19/23] gnu: GnuTLS: Update to 3.6.5. * gnu/packages/patches/gnutls-skip-pkgconfig-test.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. * gnu/packages/tls.scm (gnutls): Update to 3.6.5. [source](patches): Remove obsolete. [source](snippet): Add Guile detection fix. * gnu/packages/gnome.scm (libsoup)[arguments]: Adjust 'certtool' invocation to cope with the new API. =2D-- gnu/local.mk | 1 - gnu/packages/gnome.scm | 3 ++- .../patches/gnutls-skip-pkgconfig-test.patch | 24 ------------------- gnu/packages/tls.scm | 17 +++++++++---- 4 files changed, 14 insertions(+), 31 deletions(-) delete mode 100644 gnu/packages/patches/gnutls-skip-pkgconfig-test.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0d279e55eb..3f2ca7a845 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -772,7 +772,6 @@ dist_patch_DATA =3D \ %D%/packages/patches/gnucash-price-quotes-perl.patch \ %D%/packages/patches/gnucash-disable-failing-tests.patch \ %D%/packages/patches/gnutls-skip-trust-store-test.patch \ =2D %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 9d8e4a8d33..cea9445191 100644 =2D-- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -2556,7 +2556,8 @@ libxml to ease remote use of the RESTful API.") "" ;URI of subject "127.0.0.1" ;IP address of subject "" ;signing? =2D "" ;encryption? + "" ;encryption (RSA)? + "" ;data encryption? "" ;sign OCSP requests? "" ;sign code? "" ;time stamping? 
diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/pa= ckages/patches/gnutls-skip-pkgconfig-test.patch deleted file mode 100644 index 1fad7c14e3..0000000000 =2D-- a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch +++ /dev/null @@ -1,24 +0,0 @@ =2DFIXME: The static test fails with an error such as: =2D =2D/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main': =2Dc.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init' =2Dcollect2: error: ld returned 1 exit status =2DFAIL pkgconfig.sh (exit status: 1) =2D =2Ddiff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh =2Dindex 6bd4e62f9..05aab8278 100755 =2D--- a/tests/pkgconfig.sh =2D+++ b/tests/pkgconfig.sh =2D@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:" =2D echo " * flags: $(${PKGCONFIG} --libs gnutls)" =2D echo " * common: ${COMMON}" =2D echo " * lib: ${CFLAGS}" =2D-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONF= IG} --cflags gnutls) ${COMMON} =2D- =2D-echo "" =2D-echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)" =2D-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(= ${PKGCONFIG} --cflags gnutls) ${COMMON} =2D+gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCON= FIG} --cflags gnutls) ${COMMON} =2D=20 =2D rm -f ${TMPFILE} ${TMPFILE_O} =2D=20 diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index d9971441c6..73be90d0d3 100644 =2D-- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -162,7 +162,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") =2D (version "3.5.18") + (version "3.6.5") (source (origin (method url-fetch) (uri 
@@ -171,12 +171,19 @@ living in the same process.") (string-append "mirror://gnupg/gnutls/v" (version-major+minor version) "/gnutls-" version ".tar.xz")) =2D (patches =2D (search-patches "gnutls-skip-trust-store-test.patch" =2D "gnutls-skip-pkgconfig-test.patch")) + (patches (search-patches "gnutls-skip-trust-store-test.patch"= )) (sha256 (base32 =2D "0d02x28fwkkx7xzn7807nww6idchizzq3plx8sfcyiw7wzclh8mf")))) + "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7")) + (modules '((guix build utils))) + (snippet + '(begin + ;; XXX: The generated configure script in GnuTLS 3.6.5 + ;; apparently does not know about Guile 2.2. + (substitute* "configure" + (("guile_versions_to_search=3D\"2\\.0 1\\.8\"") + "guile_versions_to_search=3D\"2.2 2.0 1.8\"")) + #t)))) (build-system gnu-build-system) (arguments `(; Ensure we don't keep a reference to this buggy software. =2D-=20 2.20.0 --=-=-= Content-Type: text/plain ...while Glib-Networking was downgraded to 2.58, and removes related code at the same time: --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0023-gnu-glib-networking-Update-to-2.58.0.patch Content-Transfer-Encoding: quoted-printable From=20ade89abc16f2247e6d5db633f001ff853fa989ba Mon Sep 17 00:00:00 2001 
From: Marius Bakke Date: Mon, 10 Dec 2018 07:39:52 +0100 Subject: [PATCH staging 23/23] gnu: glib-networking: Update to 2.58.0. * gnu/packages/gnome.scm (glib-networking): Update to 2.58.0. [build-system]: Change to MESON-BUILD-SYSTEM. [arguments]: Explicitly disable libproxy; add phase to appease tests. (libgdata, libsoup)[arguments]: Remove phase that sets SSL_CERT_FILE. * gnu/packages/spice.scm (spice)[arguments]: Likewise. * gnu/packages/web.scm (uhttpmock)[arguments]: Likewise. =2D-- gnu/local.mk | 1 - gnu/packages/gnome.scm | 43 +++++-------------- .../glib-networking-ssl-cert-file.patch | 29 ------------- gnu/packages/spice.scm | 6 +-- gnu/packages/web.scm | 9 ---- 5 files changed, 12 insertions(+), 76 deletions(-) delete mode 100644 gnu/packages/patches/glib-networking-ssl-cert-file.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3f2ca7a845..03627b98c1 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -741,7 +741,6 @@ dist_patch_DATA =3D \ %D%/packages/patches/ghostscript-no-header-uuid.patch \ %D%/packages/patches/ghostscript-no-header-creationdate.patch \ %D%/packages/patches/giflib-make-reallocarray-private.patch \ =2D %D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-tests-timer.patch \ %D%/packages/patches/glibc-CVE-2015-5180.patch \ %D%/packages/patches/glibc-CVE-2015-7547.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index cea9445191..95bfcaf564 100644 =2D-- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -360,12 +360,6 @@ formats like PNG, SVG, PDF and EPS.") (arguments '(#:phases (modify-phases %standard-phases =2D (add-before 'check 'use-empty-ssl-cert-file =2D (lambda _ =2D ;; The ca-certificates.crt is not available in the build =2D ;; environment. =2D (setenv "SSL_CERT_FILE" "/dev/null") =2D #t)) (add-before 'check 'disable-failing-tests (lambda _ ;; The PicasaWeb API tests fail with gnome-online-accounts@3.= 24.2. 
@@ -2396,7 +2390,7 @@ library.") (define-public glib-networking (package (name "glib-networking") =2D (version "2.54.1") + (version "2.58.0") (source (origin (method url-fetch) (uri (string-append "mirror://gnome/sources/glib-networking/" @@ -2404,29 +2398,17 @@ library.") name "-" version ".tar.xz")) (sha256 (base32 =2D "0bq16m9nh3gcz9x2fvygr0iwxd2pxcbrm3lj3kihsnh1afv8g9za")) =2D (patches =2D (search-patches "glib-networking-ssl-cert-file.patch")))) =2D (build-system gnu-build-system) + "0s006gs9nsq6mg31spqha1jffzmp6qjh10y27h0fxf1iw1ah5ymx")))) + (build-system meson-build-system) (arguments =2D `(#:configure-flags =2D '("--with-ca-certificates=3D/etc/ssl/certs/ca-certificates.crt") =2D #:phases =2D (modify-phases %standard-phases =2D (add-before 'configure 'patch-giomoduledir =2D ;; Install GIO modules into $out/lib/gio/modules. =2D (lambda _ =2D (substitute* "configure" =2D (("GIO_MODULE_DIR=3D.*") =2D (string-append "GIO_MODULE_DIR=3D" %output =2D "/lib/gio/modules\n"))) =2D #t)) =2D (add-before 'check 'use-empty-ssl-cert-file =2D (lambda _ =2D ;; The ca-certificates.crt is not available in the build =2D ;; environment. =2D (setenv "SSL_CERT_FILE" "/dev/null") =2D #t))))) + `(#:configure-flags '("-Dlibproxy_support=3Dfalse") + #:phases (modify-phases %standard-phases + (add-before 'check 'disable-TLSv1.3 + (lambda _ + ;; XXX: One test fails when TLS 1.3 is enabled, fixe= d in 2.60.0: + ;; . + (setenv "G_TLS_GNUTLS_PRIORITY" "NORMAL:-VERS-TLS1.3= ") + #t))))) (native-inputs `(("pkg-config" ,pkg-config) ("intltool" ,intltool))) 
@@ -2516,9 +2498,6 @@ libxml to ease remote use of the RESTful API.") ;; The 'check-local' target runs 'env LANG=3DC sort -u', ;; unset 'LC_ALL' to make 'LANG' working. (unsetenv "LC_ALL") =2D ;; The ca-certificates.crt is not available in the build =2D ;; environment. =2D (setenv "SSL_CERT_FILE" "/dev/null") ;; HTTPD in Guix uses mod_event and does not build prefork. (substitute* "tests/httpd.conf" (("^LoadModule mpm_prefork_module.*$") "\n")) diff --git a/gnu/packages/patches/glib-networking-ssl-cert-file.patch b/gnu= /packages/patches/glib-networking-ssl-cert-file.patch deleted file mode 100644 index 32bdd0790f..0000000000 =2D-- a/gnu/packages/patches/glib-networking-ssl-cert-file.patch +++ /dev/null @@ -1,29 +0,0 @@ =2DFrom b010e41346d418220582c20ab8d7f3971e4fb78a Mon Sep 17 00:00:00 2001 =2DFrom: =3D?UTF-8?q?=3DE5=3DAE=3D8B=3DE6=3D96=3D87=3DE6=3DAD=3DA6?=3D =2DDate: Fri, 14 Aug 2015 17:28:36 +0800 =2DSubject: [PATCH] gnutls: Allow overriding the anchor file location by =2D 'SSL_CERT_FILE' =2D =2D--- =2D tls/gnutls/gtlsbackend-gnutls.c | 4 +++- =2D 1 file changed, 3 insertions(+), 1 deletion(-) =2D =2Ddiff --git a/tls/gnutls/gtlsbackend-gnutls.c b/tls/gnutls/gtlsbackend-gn= utls.c =2Dindex 55ec1a5..217d3c8 100644 =2D--- a/tls/gnutls/gtlsbackend-gnutls.c =2D+++ b/tls/gnutls/gtlsbackend-gnutls.c =2D@@ -101,8 +101,10 @@ g_tls_backend_gnutls_real_create_database (GTlsBack= endGnutls *self, =2D GError **error) =2D { =2D const gchar *anchor_file =3D NULL; =2D+ anchor_file =3D g_getenv ("SSL_CERT_FILE"); =2D #ifdef GTLS_SYSTEM_CA_FILE =2D- anchor_file =3D GTLS_SYSTEM_CA_FILE; =2D+ if (!anchor_file) =2D+ anchor_file =3D GTLS_SYSTEM_CA_FILE; =2D #endif =2D return g_tls_file_database_new (anchor_file, error); =2D } =2D--=20 =2D2.4.3 =2D diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm index 94e6aa8438..8ab5a335c8 100644 =2D-- a/gnu/packages/spice.scm +++ b/gnu/packages/spice.scm 
@@ -213,11 +213,7 @@ which allows users to view a desktop computing environ= ment.") "--enable-automated-tests") =20 ;; Several tests appear to be opening the same sockets concurrentl= y. =2D #:parallel-tests? #f =2D =2D #:phases (modify-phases %standard-phases =2D (add-before 'check 'use-empty-ssl-cert-file =2D (lambda _ (setenv "SSL_CERT_FILE" "/dev/null") #t))= ))) + #:parallel-tests? #f)) (synopsis "Server implementation of the SPICE protocol") (description "SPICE is a remote display system built for virtual environments which allows you to view a computing 'desktop' environment diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index f8315d4379..8dc6927897 100644 =2D-- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm 
@@ -4241,15 +4241,6 @@ you'd expect.") (base32 "163py4klka423x7li2b685gmg3a6hjf074mlff2ajhmi3l0lm8x6")))) (build-system glib-or-gtk-build-system) =2D (arguments =2D `(#:phases =2D (modify-phases %standard-phases =2D (add-before 'check 'use-empty-ssl-cert-file =2D (lambda _ =2D ;; Search for ca-certificates.crt files =2D ;; during the check phase. =2D (setenv "SSL_CERT_FILE" "/dev/null") =2D #t))))) (native-inputs `(("gobject-introspection" ,gobject-introspection) ;; For check phase. =2D-=20 2.20.0 --=-=-= Content-Type: text/plain The reason for removing SSL_CERT_FILE completely instead of adjusting the patch is that Glib-Networking no longer does any certificate handling by itself, instead everything is handed over to GnuTLS. Thus supporting such a patch is difficult, and it does not seem to be needed anymore in practice. --=-=-=-- --==-=-=--
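
Review bot: In patch 19/23, the libsoup hunk in gnu/packages/gnome.scm (@@ -2556,7 +2556,8 @@) still answers certtool's interactive questions by position, so the added "" for ";data encryption?" only lines up with the prompt order of this one certtool release. If a later GnuTLS adds or reorders a question, every answer after it shifts silently and the comments next to the strings stop describing what is actually being answered. Consider generating the certificate from a certtool template file, where each field is named rather than counted, or at least make the phase fail when the generated certificate does not carry the expected subject.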
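
Review bot: In patch 19/23, the snippet added to the gnutls origin in gnu/packages/tls.scm (@@ -171,12 +171,19 @@) rewrites the generated configure script with a pattern that matches one exact version list ("2\\.0 1\\.8"), and substitute* does not complain when nothing matches, so after the next version bump this can become a no-op without anyone noticing that Guile detection changed. Please put a reference to the upstream report next to the XXX comment (the word "apparently" suggests the cause was not confirmed) and say there that the snippet is to be dropped once the released configure script knows about Guile 2.2.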
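
Review bot: In patch 23/23, the glib-networking hunk in gnu/packages/gnome.scm (@@ -2404,29 +2398,17 @@) drops the 'patch-giomoduledir phase that forced GIO_MODULE_DIR to $out/lib/gio/modules, and nothing in the new Meson arguments replaces it; the only flag passed is -Dlibproxy_support=false. Please confirm that the Meson build installs the TLS module under this package's output rather than into glib's directory, and set the module directory explicitly as a configure flag if it does not. The same hunk removes --with-ca-certificates=/etc/ssl/certs/ca-certificates.crt together with the SSL_CERT_FILE patch, so the trust anchors now come entirely from GnuTLS; a comment saying so, plus a check that certificate verification still succeeds for a GIO client at run time, would make that easier to sign off on. The 'disable-TLSv1.3 comment should also say that the phase goes away with the 2.60.0 update.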
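
Review bot: In patch 23/23, the gnu/packages/spice.scm hunk (@@ -213,11 +213,7 @@) removes the 'use-empty-ssl-cert-file phase as if SSL_CERT_FILE only mattered because of the deleted glib-networking patch, but SSL_CERT_FILE is also read by OpenSSL itself, so the variable may have been affecting these tests independently of glib-networking. Please state in the commit message that the spice test suite (built here with --enable-automated-tests) was run and passes without the phase. The same question applies to the uhttpmock hunk in gnu/packages/web.scm, which deletes the whole arguments field.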