security patching of 'patch' package

  • Done
6 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Maxim Cournoyer
  • Mark H Weaver
  • Simon Tournier
Owner
unassigned
Submitted by
Mark H Weaver
Severity
normal
Mark H Weaver wrote on 14 Mar 2021 22:37
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
877dm9s9fz.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello!

I found that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952

Can I use latest commit from master to build 'patch' then graft
original package?


There aren't that many commits since the last release, but a lot of time has passed:

Thank you,
Léo

-------------------- End of forwarded message --------------------
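The `guix lint -c cve patch` report quoted above is produced by matching the package's name and version against the NVD's CPE data, which is why it says "probably": a pure version match cannot see fixes a distribution backports. The Python below is an added, simplified model of that matching and is not Guix's own code (the real checker lives in guix/lint.scm and guix/cve.scm and downloads the actual feeds). Only the CVE identifiers come from the report; the `AffectedRange` structure, the `SAMPLE_FEED` version bounds and the package names used in the examples are constructed for illustration. It also models the `lint-hidden-cve` and `cpe-name` package properties Guix provides so that a package which already carries a fix can silence the corresponding id.

```python
"""Simplified model of the matching behind 'guix lint -c cve'.

Added example, not Guix's code: the real checker (guix/lint.scm, guix/cve.scm)
downloads the NVD feeds and matches the package's CPE name and version
against each CVE's affected configurations, then drops CVEs listed in the
package's 'lint-hidden-cve' property.  Only the CVE identifiers below come
from the lint output on this page; the version bounds are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string -> comparable tuple, e.g. '2.7.6' -> (2, 7, 6)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class AffectedRange:
    """One NVD-style configuration entry: a CPE product and version bounds."""
    product: str
    start_including: Optional[str] = None
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None

    def matches(self, product: str, version: str) -> bool:
        if product != self.product:
            return False
        v = parse_version(version)
        if self.start_including and v < parse_version(self.start_including):
            return False
        if self.end_including and v > parse_version(self.end_including):
            return False
        if self.end_excluding and v >= parse_version(self.end_excluding):
            return False
        return True


@dataclass(frozen=True)
class Cve:
    cve_id: str
    ranges: Tuple[AffectedRange, ...]


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    # Guix lets a package override its CPE product name ('cpe-name' property)
    # and list CVEs it has already patched ('lint-hidden-cve' property).
    cpe_name: Optional[str] = None
    hidden_cves: FrozenSet[str] = frozenset()


def probably_vulnerable(pkg: Package, feed: List[Cve]) -> List[str]:
    """Sorted CVE ids whose affected ranges cover PKG, minus the hidden ones.

    'Probably' because a version match cannot see backported fixes: a distro
    that patched a CVE in 2.7.6 still matches until it hides the id."""
    product = pkg.cpe_name or pkg.name
    hits = {cve.cve_id for cve in feed
            if any(r.matches(product, pkg.version) for r in cve.ranges)}
    return sorted(hits - pkg.hidden_cves)


def lint_report(pkg: Package, feed: List[Cve]) -> Optional[str]:
    """The one-line report in the format 'guix lint' prints, or None if clean."""
    cves = probably_vulnerable(pkg, feed)
    if not cves:
        return None
    return f"{pkg.name}@{pkg.version}: probably vulnerable to {', '.join(cves)}"


# Constructed feed.  The ids are those reported for patch@2.7.6 above; the
# 'affects every release up to and including 2.7.6' bounds are an assumption
# made for this example, not the NVD data.
SAMPLE_FEED = [
    Cve(cve_id, (AffectedRange("patch", end_including="2.7.6"),))
    for cve_id in ("CVE-2019-13636", "CVE-2019-13638", "CVE-2019-20633",
                   "CVE-2018-1000156", "CVE-2018-20969", "CVE-2018-6951",
                   "CVE-2018-6952")
]

if __name__ == "__main__":
    print(lint_report(Package("patch", "2.7.6"), SAMPLE_FEED))
    # Declaring two of them fixed, as a distro carrying backports would:
    fixed = Package("patch", "2.7.6",
                    hidden_cves=frozenset({"CVE-2019-13636", "CVE-2019-13638"}))
    print(lint_report(fixed, SAMPLE_FEED))
```

The design point is the last part: once a distribution backports a fix without bumping the version, the only way to keep the checker truthful is to record the fixed ids on the package, which is exactly the bookkeeping that grafting from a git snapshot (as proposed later in this thread) avoids.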
Ludovic Courtès wrote on 15 Mar 2021 14:42
control message for bug #47144
(address . control@debbugs.gnu.org)
87r1kgh6so.fsf@gnu.org
tags 47144 + security
quit
Léo Le Bouter wrote on 15 Mar 2021 19:26
[PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
(address . 47144@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210315182605.25973-1-lle-bout@zaclys.net
I tried something: using the patch git repo's master instead of the release
tarballs. I am not sure the git repo contains all the fixes; we could
alternatively just pull patches from Debian.

This attempt does not work yet, however: it fails on some gnulib source file
not being found for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

Judging from the earlier log, this file seems to be generated by YACC.

Léo Le Bouter (1):
gnu: patch: Update to 2.7.6-7623b2d [security fixes].

gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)

--
2.30.2
Léo Le Bouter wrote on 15 Mar 2021 19:26
[PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
(address . 47144@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210315182605.25973-2-lle-bout@zaclys.net
* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
#:use-module (gnu packages compression)
#:use-module (gnu packages perl)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages pcre)
#:use-module (gnu packages texinfo)
#:use-module (gnu packages hurd)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python)
#:use-module (gnu packages gettext)
+ #:use-module (gnu packages version-control)
#:use-module (guix i18n)
#:use-module (guix utils)
#:use-module (guix packages)
@@ -228,6 +230,7 @@ standard utility.")
(base32
"1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
(patches (search-patches "patch-hurd-path-max.patch"))))
+ (replacement patch/fixed)
(build-system gnu-build-system)
(arguments
;; Work around a cross-compilation bug whereby libpatch.a would provide
@@ -246,6 +249,42 @@ differences.")
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+ (package/inherit patch
+ (name "patch")
+ (version "2.7.6")
+ ;; (version (string-append "2.7.6-" (string-take commit 7)))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)
+ (recursive? #t)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ `(modify-phases ,phases
+ (replace 'bootstrap
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* (list "gnulib/gnulib-tool"
+ "gnulib/build-aux/git-version-gen")
+ (("/bin/sh") (which "sh")))
+ (invoke "bash" "bootstrap" "--no-git"
+ "--gnulib-srcdir=gnulib")
+ #t))))))
+ (native-inputs
+ `(("autoconf" ,autoconf)
+ ("automake" ,automake)
+ ("git" ,git-minimal)
+ ,@(package-native-inputs patch))))))
+
(define-public diffutils
(package
(name "diffutils")
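Review bot: the `parse-datetime.c: No such file or directory` failure described in the cover letter points at a missing native input in this hunk rather than at the gnulib checkout: gnulib produces parse-datetime.c from parse-datetime.y with yacc/bison (the cover letter already suspects YACC), and the native-inputs added here are only autoconf, automake and git-minimal, so adding `bison` should get `bootstrap` past that point. Of the three, `git-minimal` also looks unused, since bootstrap is invoked with `--no-git`; and `(recursive? #t)` pulls the gnulib submodule at whatever commit the superproject pins, which is then what the sha256 covers, so a later gnulib fix cannot be picked up without changing both the commit and the hash.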
--
2.30.2
Ludovic Courtès wrote on 18 Mar 2021 22:58
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
87lfakjf8f.fsf@gnu.org
Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency. (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.
Leo Famulari wrote on 24 Mar 2021 05:06
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Leo Famulari wrote on 14 Apr 2021 23:54
Re: bug#47144: security patching of 'patch' package
(name . Mark H Weaver)(address . mhw@netris.org)(address . 47144@debbugs.gnu.org)
YHdklP7565AtJ4uR@jasmine.lan
On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
> 2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.

Unfortunately, the patches largely don't apply to the most recent
release of patch.

Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.
Leo Famulari wrote on 14 Apr 2021 23:54
(no subject)
(address . control@debbugs.gnu.org)
YHdksDadnrKDcbUD@jasmine.lan
unblock 47297 with 47144
Maxim Cournoyer wrote on 23 Mar 2022 04:03
Re: bug#47144: security patching of 'patch' package
(name . Ludovic Courtès)(address . ludo@gnu.org)
87mthhz7xo.fsf_-_@gmail.com
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency. (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.

The latest release of patch is the one we have, v2.7.6, made 4 years
ago.

Thanks,

Maxim
Maxim Cournoyer wrote on 31 May 04:59 +0200
[PATCH 1/3] gnu: ucd: Update to 15.1.0.
(address . 47144@debbugs.gnu.org)
28b457771ab0e7ad87cb65600a5898f68be5074a.1717124361.git.maxim.cournoyer@gmail.com
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan

base-commit: eb4dc1b9ae3779419b047e2f4c7b5879353956a6
--
2.41.0
Maxim Cournoyer wrote on 31 May 04:59 +0200
[PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
(address . 47144@debbugs.gnu.org)
ee628a2b24ba42c665dcda72b57ba387d119d5fc.1717124361.git.maxim.cournoyer@gmail.com
Also fix the gnulib-tool command, which would fail due to not finding its
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0f1ab6669a..5759b508cf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1391,6 +1391,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
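Review bot: the new comment says the installed commands "should be wrapper for proper execution", but no phase in this patch wraps or re-shebangs the bin/ copies of gnulib-tool, gnulib-tool.sh and gnulib-tool.py, and deleting `patch-source-shebangs` and `patch-generated-file-shebangs` leaves them with upstream's plain `#!/bin/sh` and python3 shebangs. Either add a `wrap-program` or `patch-shebang` step scoped to the bin/ copies only, or reword the comment so it does not promise wrapping that is not there.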
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
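Review bot: the `(list bash-minimal)) ;shebang for gnulib-tool` line changes only in whitespace, yet its justification stops holding here: with `patch-source-shebangs` deleted above and `restore-shebangs` removed in this hunk, nothing in the build substitutes bash-minimal's store path into any shebang, so the input becomes a runtime reference that serves no purpose. Drop the input (and the comment), or keep it and actually use it to rewrite the shebang of the bin/gnulib-tool copy.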
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
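Review bot: `gnulib_tool=$(command -v gnulib-tool)` makes bootstrap prefer whatever gnulib-tool is first on PATH over the one inside $GNULIB_SRCDIR, so for anyone running this bootstrap outside the Guix build the tool version is no longer tied to the pinned gnulib checkout and a stale or unexpected PATH entry wins silently. Consider consulting PATH only when GNULIB_SRCDIR is unset, or only when `$GNULIB_SRCDIR/gnulib-tool` is absent, and quote the path in `test -x $GNULIB_SRCDIR/../../bin/gnulib-tool`. The gnulib-tool.sh change has the same shape: honoring GNULIB_SRCDIR lets the environment point the tool at a different source tree, which the Guix layout needs but which deserves a sentence in the patch description, since upstream users may set that variable for other reasons.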
--
2.41.0
Maxim Cournoyer wrote on 31 May 04:59 +0200
[PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
(address . 47144@debbugs.gnu.org)
5eda21a09360653b198f1b0d7f52cf531dc97485.1717124361.git.maxim.cournoyer@gmail.com
* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.

Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

gnu/packages/base.scm | 44 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..8dcbf4b087 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
(define-public patch
(package
+ (replacement patch/fixed)
(name "patch")
(version "2.7.6")
(source (origin
@@ -291,6 +294,45 @@ (define-public patch
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+ (package
+ (inherit patch)
+ (name "patch")
+ (version (git-version "2.7.6" revision commit))
+ (source (origin
+ (inherit (package-source patch))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'update-bootstrap-script
+ (lambda* (#:key native-inputs inputs #:allow-other-keys)
+ (copy-file (search-input-file
+ (or native-inputs inputs)
+ "src/gnulib/build-aux/bootstrap")
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed gnulib)))))
+
(define-public diffutils
(package
(name "diffutils")
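Review bot: `(version (git-version "2.7.6" revision commit))` gives the graft a longer store file name than the `patch-2.7.6` it replaces; grafts rewrite store references in place, so the replacement must keep the same version string (the earlier attempt on this bug kept `(version "2.7.6")` and left the commit in a comment). The `patch-configure.ac` comment says the phase avoids using git-version-gen, but the substitution still runs it, only via `sh`; say that instead. With `(inherit (package-source patch))` the `patches` field carries over, which is the intent, while `method`, `uri`, `file-name` and `sha256` are all overridden, so the inheritance buys only that one field.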
--
2.41.0
Simon Tournier wrote on 31 May 18:13 +0200
87zfs62c4z.fsf@gmail.com
Hi Maxim,

On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> + (source (origin
> + (inherit (package-source patch))
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://git.savannah.gnu.org/git/patch.git")
> + (commit commit)))
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))

If I read correctly, (package-source patch) reads:

(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/patch/patch-"
version ".tar.xz"))
(sha256
(base32
"1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
(patches (search-patches "patch-hurd-path-max.patch"))))

Therefore the only thing that is copied is the ’patches’ field. Right?

I think it would ease readability to avoid ’inherit’ and plainly
write ’patches’.


Cheers,
simon
Maxim Cournoyer wrote on 1 Jun 03:49 +0200
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)
87ikytctzo.fsf@gmail.com
Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Thu, 30 May 2024 at 22:59, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> + (source (origin
>> + (inherit (package-source patch))
>> + (method git-fetch)
>> + (uri (git-reference
>> + (url "https://git.savannah.gnu.org/git/patch.git")
>> + (commit commit)))
>> + (file-name (git-file-name name version))
>> + (sha256
>> + (base32
>> + "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
>
> If I read correctly, (package-source patch) reads:
>
> (source (origin
> (method url-fetch)
> (uri (string-append "mirror://gnu/patch/patch-"
> version ".tar.xz"))
> (sha256
> (base32
> "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
> (patches (search-patches "patch-hurd-path-max.patch"))))
>
> Therefore the only thing that is copied is the ’patches’ field. Right?
>
> I think it would easy the readability to avoid ’inherit’ and plainly
> write ’patches’.

I preferred inheritance to avoid having to manually sync things in the
long run... (hopefully the graft gets ungrafted before 'patch' amasses
new patches, but we never know...)

--
Thanks,
Maxim
Maxim Cournoyer wrote on 1 Jun 13:34 +0200
Re: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
(address . 47144@debbugs.gnu.org)
87ikysc2wq.fsf@gmail.com
Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch) [replacement]: Graft with the above.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

[...]

> (define-public patch
> (package
> + (replacement patch/fixed)
> (name "patch")
> (version "2.7.6")
> (source (origin
> @@ -291,6 +294,45 @@ (define-public patch
> (license gpl3+)
> (home-page "https://savannah.gnu.org/projects/patch/")))
>
> +(define patch/fixed
> + ;; The latest release is from 2018, and lacks multiple security related
> + ;; patches. Since Fedora carries 23 patches, simply use the latest commit
> + ;; until a proper release is made.
> + (let ((revision "0")
> + (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
> + (package
> + (inherit patch)
> + (name "patch")
> + (version (git-version "2.7.6" revision commit))

I just realized that since this is for grafting purposes, I shouldn't
touch the version field (they need to match in length...). Will send a v2.

--
Thanks,
Maxim
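The length constraint Maxim runs into above follows from how Guix applies a graft: every item in the dependent closure is copied and each occurrence of the original store path is overwritten with the replacement's path, byte for byte, in scripts and binaries alike. The Python below is an added illustration of that mechanism and is not Guix's own code (the real rewrite is in guix/build/graft.scm). The all-'a' and all-'b' hashes, the `build_sample_blob` string table standing in for a binary, and the `naive_rewrite` helper are constructed for the example; the only compatibility rule it models is the same-length rule.

```python
"""Why a Guix graft must keep the store file name length: the rewrite is in place.

Added illustration, not Guix's code (see guix/build/graft.scm for the real
one).  A store item is /gnu/store/<32-char hash>-<name>-<version>.  Grafting
copies every item in a package's closure and replaces each occurrence of the
original item's path with the replacement's, byte for byte, in scripts and
binaries alike.  A replacement of a different length would shift every byte
after it, so offsets stored inside binaries would point at the wrong place.
Hashes and the 'binary' below are constructed for the example.
"""
import re
import struct

# The 32-symbol alphabet used by store hashes (nix-base32: no e, o, t, u).
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"
STORE_REF = re.compile(rb"/gnu/store/[" + NIX_BASE32.encode() + rb"]{32}-[A-Za-z0-9+._-]+")

# Constructed store items: all-'a' hash for the release build, all-'b' for
# the rebuilt one.  Real hashes derive from the build inputs.
ORIGINAL = "/gnu/store/" + "a" * 32 + "-patch-2.7.6"
REPLACEMENT_OK = "/gnu/store/" + "b" * 32 + "-patch-2.7.6"
# What (git-version "2.7.6" "0" commit) yields: same name, 10 bytes longer.
REPLACEMENT_TOO_LONG = "/gnu/store/" + "b" * 32 + "-patch-2.7.6-0.f144b35"


def find_references(data: bytes) -> list:
    """Distinct store items DATA refers to (sub-paths are cut at the first '/')."""
    return sorted({m.decode() for m in STORE_REF.findall(data)})


def graft_compatible(original: str, replacement: str) -> bool:
    """The in-place rule: both store file names must have the same length.
    Hashes are always 32 characters, so this reduces to name-version length."""
    return len(original) == len(replacement)


def graft(data: bytes, replacements: dict) -> bytes:
    """Rewrite every reference in DATA per REPLACEMENTS, refusing unsafe ones.
    Matching on the full path including the hash means a prefix of a longer
    store name cannot collide: two items never share a hash."""
    for orig, repl in replacements.items():
        if not graft_compatible(orig, repl):
            raise ValueError(
                f"cannot graft {orig.rsplit('/', 1)[1]} -> {repl.rsplit('/', 1)[1]}: "
                f"store file names differ in length ({len(orig)} vs {len(repl)})")
    out = data
    for orig, repl in replacements.items():
        out = out.replace(orig.encode(), repl.encode())
    assert len(out) == len(data)  # in-place: the size never changes
    return out


def naive_rewrite(data: bytes, original: str, replacement: str) -> bytes:
    """What an unchecked graft would do; kept to show the damage."""
    return data.replace(original.encode(), replacement.encode())


def build_sample_blob(ref: str) -> bytes:
    """Constructed stand-in for a binary: a 4-byte header holding the offset of
    the second string, the way ELF headers hold section offsets, then two
    NUL-terminated strings that embed REF."""
    first = b"exec " + ref.encode() + b"/bin/patch\x00"
    second = b"MANPATH=" + ref.encode() + b"/share/man\x00"
    return struct.pack("<I", 4 + len(first)) + first + second


def second_string(blob: bytes) -> bytes:
    """Follow the header offset, as a loader following a section table would."""
    offset = struct.unpack("<I", blob[:4])[0]
    return blob[offset:blob.index(b"\x00", offset)]


if __name__ == "__main__":
    blob = build_sample_blob(ORIGINAL)
    grafted = graft(blob, {ORIGINAL: REPLACEMENT_OK})
    print(find_references(grafted), second_string(grafted))
    broken = naive_rewrite(blob, ORIGINAL, REPLACEMENT_TOO_LONG)
    print(second_string(broken))  # the offset now lands inside the first string
    try:
        graft(blob, {ORIGINAL: REPLACEMENT_TOO_LONG})
    except ValueError as err:
        print(err)
```

Run stand-alone, the same-length graft leaves the header offset valid and the second string intact, while the unchecked rewrite with the `git-version` style name makes the stored offset land in the middle of the first string; that is the corruption the length check exists to prevent, and why the replacement package keeps `(version "2.7.6")`.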
Maxim Cournoyer wrote on 1 Jun 14:56 +0200
[PATCH v2 1/3] gnu: ucd: Update to 15.1.0.
(address . 47144@debbugs.gnu.org)
a3641c8501b839cb4490edca279bf15a8141b8ea.1717246609.git.maxim.cournoyer@gmail.com
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

(no changes since v1)

gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan

base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
--
2.41.0
Maxim Cournoyer wrote on 1 Jun 14:56 +0200
[PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
(address . 47144@debbugs.gnu.org)
c34f058c9534a551b2cdc24cac9c642af14e842c.1717246609.git.maxim.cournoyer@gmail.com
Also fix the commands, which would fail due to not finding their
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

(no changes since v1)

gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
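Review bot: the change to the `(list bash-minimal)) ;shebang for gnulib-tool` line is whitespace only, yet earlier in this diff the phases that would patch that shebang are deleted, so the comment no longer describes anything the build does and bash-minimal is not referenced by the output. Drop the input and its comment, or keep them only if a phase that rewrites the bin/ shebangs is added.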
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
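Review bot: in the build-aux/bootstrap hunk of this new patch, `gnulib_tool=$(command -v gnulib-tool)` is consulted before $GNULIB_SRCDIR, so an explicitly configured source tree is now overridden by whichever gnulib-tool happens to be first on PATH; for reproducibility it would be safer to prefer $GNULIB_SRCDIR/gnulib-tool when GNULIB_SRCDIR is set and fall back to PATH only otherwise, and to quote the path in `test -x $GNULIB_SRCDIR/../../bin/gnulib-tool`. In the gnulib-tool.sh hunk, `gnulib_dir=$GNULIB_SRCDIR` is accepted without a `test -d`, so a wrong value surfaces only as a later, less clear failure.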
--
2.41.0
Maxim Cournoyer wrote on 1 Jun 14:56 +0200
[PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes].
(address . 47144@debbugs.gnu.org)
fa71e5023e26c025307a2a11be911e4b008580d7.1717246609.git.maxim.cournoyer@gmail.com
* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.

Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

Changes in v2:
- Use same version to have the same store length, a graft requirement
- Copy the gnulib source in a phase to avoid introducing a dependency cycle

gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..45dbf77817 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
(define-public patch
(package
+ (replacement patch/fixed)
(name "patch")
(version "2.7.6")
(source (origin
@@ -291,6 +294,53 @@ (define-public patch
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+ (package
+ (inherit patch)
+ (name "patch")
+ ;; TODO: Uncomment when ungrafting.
+ ;;(version (git-version "2.7.6" revision commit))
+ (source (origin
+ (inherit (package-source patch))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ ;; TODO: Uncomment when ungrafting and using the above
+ ;; 'git-version'-computed version.
+ ;;(file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'copy-gnulib-sources
+ (lambda _
+ ;; XXX: We copy the source instead of using 'gnulib' as a
+ ;; native input to avoid introducing a dependency cycle with.
+ (copy-recursively #+gnulib "gnulib")
+ (setenv "GNULIB_SRCDIR"
+ (string-append (getcwd) "/gnulib/src/gnulib"))))
+ (add-after 'copy-gnulib-sources 'update-bootstrap-script
+ (lambda _
+ (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed)))))
+
(define-public diffutils
(package
(name "diffutils")
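Review bot: the comment in the copy-gnulib-sources phase ends mid-sentence ("to avoid introducing a dependency cycle with."); name what the cycle would be with, because `#+gnulib` still makes gnulib a build-time dependency of patch/fixed and a reader cannot tell what copying buys over a native input. The origin also inherits from (package-source patch), so whatever patches or file-name the 2.7.6 tarball origin carries are applied to a git checkout; spelling out the wanted fields is clearer. Lastly, the patch-configure.ac substitution rewrites every occurrence of build-aux/git-version-gen, not only command invocations, which is only correct if each occurrence in configure.ac is one.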
--
2.41.0
Ludovic Courtès wrote on 1 Jun 16:32 +0200
Re: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
87r0dgn36w.fsf@gnu.org
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> (define-public patch
> (package
> + (replacement patch/fixed)

Unless I’m mistaken, this will have practically no effect because Patch
is a build-time-only dependency.

My recommendation would be to not add a ‘replacement’ field at all.
Instead, you could add a new ‘patch/latest’ public variable pointing to
that commit that you picked. That way, users running ‘guix install
patch’ or similar will get the latest version of Patch.

On the next ‘core-packages-team’ cycle, we’d update Patch to refer to
that commit.

WDYT?

Ludo’.
Maxim Cournoyer wrote on 1 Jun 17:02 +0200
(name . Ludovic Courtès)(address . ludo@gnu.org)
875xusln8m.fsf@gmail.com
Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> (define-public patch
>> (package
>> + (replacement patch/fixed)
>
> Unless I’m mistaken, this will have practically no effect because Patch
> is a build-time-only dependency.
>
> My recommendation would be to not add a ‘replacement’ field at all.
> Instead, you could add a new ‘patch/latest’ public variable pointing to
> that commit that you picked. That way, users running ‘guix install
> patch’ or similar will get the latest version of Patch.

I see what you mean, but for all practical purposes, using a graft seems
a more thorough (because it affects the original 'patch' *variable* as
well) means that has the same effect for users, so it seems like a
slightly better option to me.

So e.g. someone using the Guix API referencing exactly the 'patch'
package variable would get a secure version, but would otherwise need to
know to adjust their code to use 'patch/latest'.

Does that make sense?

--
Thanks,
Maxim
Simon Tournier wrote on 4 Jun 17:39 +0200
Re: bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes].
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
87le3kyawi.fsf@gmail.com
Hi Maxim,

On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> I preferred inheritance to avoid having to manually sync things in the
> long run... (hopefully the graft gets ungrafted before 'patch' amasses
> new patches, but we never know...)

What would be the long run? ;-)

Well, from my perspective, there is nothing to manually sync in the
future.

I mean, the only patch applied to release “2.7.6” will still be required
for patch/fixed; hence one will need to do what I am proposing if
’patch’ is removed. Else if ’patch’ receives some security fixes, then
it seems expected to assume that the fix will be included in the latest
patch (here ’patch/fixed’). Last, please note that ’patch’ is barely
modified.

$ git log --format="%cd %s" -- gnu/packages/base.scm | grep 'gnu: patch'
Thu May 30 11:35:13 2024 -0400 gnu: patch: Fix indentation.
Sun Apr 22 22:40:48 2018 +0200 gnu: patch: Work around a cross-compilation issue.
Wed Mar 14 22:11:34 2018 +0100 gnu: patch: Update to 2.7.6.
Fri Jun 12 15:46:25 2015 +0300 gnu: patch: Set PATH_MAX for Hurd systems.
Mon Mar 9 22:56:50 2015 -0400 gnu: patch: Update to 2.7.5.
Sat Mar 7 20:34:50 2015 -0500 Revert "gnu: patch: Update to 2.7.5."
Sun Mar 8 00:32:11 2015 +0100 gnu: patch: Update to 2.7.5.
Wed Feb 11 11:23:46 2015 +0100 gnu: patch: Update to 2.7.4.
Fri Feb 6 13:53:28 2015 +0100 gnu: patch: Add 2.7.4 and make it a replacement for the default one.
Sat Apr 27 00:23:19 2013 +0200 gnu: patch: Update to 2.7.1.

I still think that it is easier to have the patch close to the source
instead of coming from inheritance. Anyway. :-)

Cheers,
simon
Maxim Cournoyer wrote on 5 Jun 03:08 +0200
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)
87plsw42o1.fsf@gmail.com
Hi,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Fri, 31 May 2024 at 21:49, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> I preferred inheritance to avoid having to manually sync things in the
>> long run... (hopefully the graft gets ungrafted before 'patch' amasses
>> new patches, but we never know...)
>
> What would be the long run? ;-)

> Well, from my perspective, there is nothing to manually sync in the
> future.

You're probably right.

> I mean, the only patch applied to release “2.7.6” will still be required
> for patch/fixed; hence one will need to do what I am proposing if
> ’patch’ is removed. Else if ’patch’ receives some security fixes, then
> it seems expected to assume that the fix will be included in the latest
> patch (here ’patch/fixed’). Last, please note that ’patch’ is barely
> modified.

OK. I don't mind doing this change. I'll send a revised version with
that done.

--
Thanks,
Maxim
Maxim Cournoyer wrote on 5 Jun 03:24 +0200
[PATCH v3 1/3] gnu: ucd: Update to 15.1.0.
(address . 47144@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
a3641c8501b839cb4490edca279bf15a8141b8ea.1717550623.git.maxim.cournoyer@gmail.com
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

(no changes since v1)

gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan

base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
--
2.45.1
Maxim Cournoyer wrote on 5 Jun 03:24 +0200
[PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
(address . 47144@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
c34f058c9534a551b2cdc24cac9c642af14e842c.1717550623.git.maxim.cournoyer@gmail.com
Also fix the commands, which would fail due to not finding their
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

(no changes since v1)

gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
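Review bot: installing ./gnulib-tool.py and ./gnulib-tool.sh into bin/ exposes the implementation scripts as commands on PATH next to the gnulib-tool front end. If the front end only needs them to be co-located, consider placing them under libexec/ (or locating them through src/gnulib via GNULIB_SRCDIR) rather than bin/, and add a comment in the install plan saying why they must sit beside bin/gnulib-tool; the commit message explains the failure being fixed but the code does not.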
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
--
2.45.1
Maxim Cournoyer wrote on 5 Jun 03:24 +0200
[PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes].
(address . 47144@debbugs.gnu.org)
6637c8e33997272ab489b7f35e587c3abd77b82b.1717550623.git.maxim.cournoyer@gmail.com
* gnu/packages/base.scm (patch/fixed): New variable.
(patch) [replacement]: Graft with the above.

Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

Changes in v3:
- Do not use inheritance for patch/fixed origin

Changes in v2:
- Use same version to have the same store length, a graft requirement
- Copy the gnulib source in a phase to avoid introducing a dependency cycle

gnu/packages/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..3246b7bd0a 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -263,6 +265,7 @@ (define-public tar
(define-public patch
(package
+ (replacement patch/fixed)
(name "patch")
(version "2.7.6")
(source (origin
@@ -291,6 +294,53 @@ (define-public patch
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92"))
+ (package
+ (inherit patch)
+ (name "patch")
+ ;; TODO: Uncomment when ungrafting.
+ ;;(version (git-version "2.7.6" revision commit))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ ;; TODO: Uncomment when ungrafting and using the above
+ ;; 'git-version'-computed version.
+ ;;(file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'copy-gnulib-sources
+ (lambda _
+ ;; XXX: We copy the source instead of using 'gnulib' as a
+ ;; native input to avoid introducing a dependency cycle with.
+ (copy-recursively #+gnulib "gnulib")
+ (setenv "GNULIB_SRCDIR"
+ (string-append (getcwd) "/gnulib/src/gnulib"))))
+ (add-after 'copy-gnulib-sources 'update-bootstrap-script
+ (lambda _
+ (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed)))))
+
(define-public diffutils
(package
(name "diffutils")
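Review bot: now that the origin no longer inherits from the 2.7.6 tarball origin, `patch-hurd-path-max.patch` is the only field carried over, and it was written against the release; confirm it still applies cleanly at commit f144b35425d9d7732ea5485034c1a6b7a106ab92, since a failing patch breaks the source derivation rather than the build. The `revision` binding is unused while the `version` field stays commented out; a short comment next to the TODO stating that the version is intentionally kept at 2.7.6 so the graft's store-name lengths match would save the next reader a trip to the cover letter.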
--
2.45.1
Ludovic Courtès wrote on 5 Jun 18:04 +0200
Re: bug#47144: security patching of 'patch' package
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
878qzj74vc.fsf_-_@gnu.org
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> Unless I’m mistaken, this will have practically no effect because Patch
>> is a build-time-only dependency.
>>
>> My recommendation would be to not add a ‘replacement’ field at all.
>> Instead, you could add a new ‘patch/latest’ public variable pointing to
>> that commit that you picked. That way, users running ‘guix install
>> patch’ or similar will get the latest version of Patch.
>
> I see what you mean, but for all practical purposes, using a graft seems
> a more thorough (because it affects the original 'patch' *variable* as
> well) means that has the same effect for users, so it seems like a
> slightly better option to me.

Strictly speaking, yes, but in practice the benefits are largely
theoretical IMO, and there is the cost of having a graft this deep in the
dependency graph.

What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
to the new version?

Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
code etc. would refer to ‘patch’ and thus get the latest version.

Ludo’.
Simon Tournier wrote on 5 Jun 18:44 +0200
87a5jznxtz.fsf@gmail.com
Hi,

On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:

> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.

I agree; it appears to me “safer” than the graft.

However, the cost is to identify which package needs ’patch/pinned’ and
which needs new ’patch’. Then once upstream Patch upgrades, there is
also the question to unpin all the packages.

Somehow, your previous suggestion ’patch-latest’ for this new package
appears to me the best solution. Because it does not require any update
here and there, and since the source field follows the Git upstream
latest instead of the released tarball, this solution of ’patch-latest’
seems appropriate.

Cheers,
simon
Maxim Cournoyer wrote on 6 Jun 02:46 +0200
[PATCH v4 1/3] gnu: ucd: Update to 15.1.0.
(address . 47144@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
a3641c8501b839cb4490edca279bf15a8141b8ea.1717634752.git.maxim.cournoyer@gmail.com
* gnu/packages/unicode.scm (ucd): Update to 15.1.0.

Change-Id: I0828544c35eef90a8f76c2084362ee4594189244
---

(no changes since v1)

gnu/packages/unicode.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/unicode.scm b/gnu/packages/unicode.scm
index 23f08a2aab..fe188ed71d 100644
--- a/gnu/packages/unicode.scm
+++ b/gnu/packages/unicode.scm
@@ -77,14 +77,14 @@ (define-public libunibreak
(define-public ucd
(package
(name "ucd")
- (version "15.0.0")
+ (version "15.1.0")
(source
(origin
(method url-fetch/zipbomb)
(uri (string-append "https://www.unicode.org/Public/zipped/" version
"/UCD.zip"))
(sha256
- (base32 "133inqn33hcfvylmps63yjr6rrqrfq6x7a5hr5fd51z6yc0f9gaz"))))
+ (base32 "0xv10nkvg6451415imvb0qx72ljp0hv9f8h1sl6509ir0lync76b"))))
(build-system copy-build-system)
(arguments
'(#:install-plan

base-commit: dc4c48f10281007a0ab3541b8a64198c60c6d5b0
--
2.45.1
Maxim Cournoyer wrote on 6 Jun 02:46 +0200
[PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301.
(address . 47144@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
c34f058c9534a551b2cdc24cac9c642af14e842c.1717634752.git.maxim.cournoyer@gmail.com
Also fix the commands, which would fail due to not finding their
implementation scripts.

* gnu/packages/patches/gnulib-bootstrap.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/build-tools.scm (gnulib): Update to 2024-05-30-1.ac4b301.
[source]: Apply patch.
[phases] {patch-source-shebangs, patch-generated-file-shebangs}
{patch-usr-bin-file, restore-shebangs}: Delete phases.
{disable-failing-tests}: Disable sc_error_message_warn_fatal,
sc_prefer_angle_bracket_headers, sc_check_config_h_reminder,
sc_prohibit_sc_omitted_at, sc_readme_link_copying, sc_readme_link_install,
sc_unsigned_char, sc_unsigned_int, sc_unsigned_long and sc_unsigned_short
checks.
{regenerate-unicode}: Register BidiMirroring.txt unicode data file.

Change-Id: I154b2c5980b671f1e73e7a1f74d926ea080a7aa0
---

(no changes since v1)

gnu/local.mk | 1 +
gnu/packages/build-tools.scm | 55 ++++++++-------
gnu/packages/patches/gnulib-bootstrap.patch | 75 +++++++++++++++++++++
3 files changed, 107 insertions(+), 24 deletions(-)
create mode 100644 gnu/packages/patches/gnulib-bootstrap.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6934d5ccc7..b369127194 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,6 +1393,7 @@ dist_patch_DATA = \
%D%/packages/patches/gnome-settings-daemon-gc.patch \
%D%/packages/patches/gnome-session-support-elogind.patch \
%D%/packages/patches/gnome-tweaks-search-paths.patch \
+ %D%/packages/patches/gnulib-bootstrap.patch \
%D%/packages/patches/gnumach-support-noide.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index daaf450e70..82abf5b9f1 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
;;; Copyright © 2020, 2023 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 qblade <qblade@protonmail.com>
-;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Juliana Sims <juli@incana.org>
;;;
;;; This file is part of GNU Guix.
@@ -853,12 +853,15 @@ (define*-public (gnulib-checkout #:key
;; FIXME: tests/uniname/HangulSyllableNames.txt
;; seems like a UCD file but it is not distributed
;; with UCD.
- "tests/uniwbrk/WordBreakTest.txt")))))))
+ "tests/uniwbrk/WordBreakTest.txt")))))
+ (patches (search-patches "gnulib-bootstrap.patch"))))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~'(("./gnulib-tool" "bin/")
+ ("./gnulib-tool.py" "bin/")
+ ("./gnulib-tool.sh" "bin/")
("." "src/gnulib" #:exclude-regexp ("\\.git.*")))
#:modules '((ice-9 match)
(guix build utils)
@@ -866,6 +869,13 @@ (define*-public (gnulib-checkout #:key
((guix build gnu-build-system) #:prefix gnu:))
#:phases
#~(modify-phases %standard-phases
+ ;; Since this package is intended to be used in source form, it
+ ;; should not retain references to tools (with the exception for the
+ ;; commands we install, which should be wrapper for proper
+ ;; execution).
+ (delete 'patch-source-shebangs)
+ (delete 'patch-generated-file-shebangs)
+ (delete 'patch-usr-bin-file)
(add-before 'install 'check
(assoc-ref gnu:%standard-phases 'check))
(add-before 'check 'fix-tests
@@ -889,8 +899,10 @@ (define*-public (gnulib-checkout #:key
sc_Wundef_boolean \\
sc_copyright_check \\
sc_file_system \\
+ sc_error_message_warn_fatal \\
sc_indent \\
sc_keep_gnulib_texi_files_mostly_ascii \\
+ sc_prefer_angle_bracket_headers \\
sc_prohibit_assert_without_use \\
sc_prohibit_close_stream_without_use \\
sc_prohibit_defined_have_decl_tests \\
@@ -899,15 +911,22 @@ (define*-public (gnulib-checkout #:key
sc_prohibit_intprops_without_use \\
sc_prohibit_openat_without_use \\
sc_prohibit_test_minus_ao \\
- sc_unportable_grep_q"))
+ sc_readme_link_copying \\
+ sc_readme_link_install \\
+ sc_unportable_grep_q \\
+ sc_unsigned_char \\
+ sc_unsigned_int \\
+ sc_unsigned_long \\
+ sc_unsigned_short"))
(substitute* "Makefile"
- (("sc_check_(sym_list|copyright)" rule)
+ (("sc_check_(sym_list|copyright|config_h_reminder)" rule)
(string-append "disabled_check_" rule))
(("sc_cpp_indent_check")
"disabled_cpp_indent_check")
(("sc_prefer_ac_check_funcs_once")
"disabled_prefer_ac_check_funcs_once")
- (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs)" rule)
+ (("sc_prohibit_(AC_LIBOBJ_in_m4|leading_TABs\
+|sc_omitted_at)" rule)
(string-append "disabled_prohibit_" rule)))))
(add-before 'check 'regenerate-unicode
(lambda* (#:key inputs #:allow-other-keys)
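Review bot: nine more syntax checks are disabled here (`sc_readme_link_copying`, `sc_readme_link_install`, `sc_unsigned_char` through `sc_unsigned_short`, `sc_check_config_h_reminder`, `sc_prohibit_sc_omitted_at`) without a comment saying why each one fails in the Guix build environment; the commit message only lists them. A one-line comment per group (e.g. "needs the .git directory", "needs network") would let a future updater know which of these can be re-enabled rather than carrying the list forward forever. The split regexp `leading_TABs\` / `|sc_omitted_at)` relies on the Scheme string-continuation rule; writing the alternation on one line, or building it with `string-append`, avoids a surprise if the line is ever reindented.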
@@ -939,7 +958,8 @@ (define*-public (gnulib-checkout #:key
(sha256
(base32
"0k6wyijyzdl5g3nibcwfm898kfydx1pqaz28v7fdvnzdvd5fz7lh"))))
- (find-ucd-files "EastAsianWidth.txt"
+ (find-ucd-files "BidiMirroring.txt"
+ "EastAsianWidth.txt"
"LineBreak.txt"
"auxiliary/WordBreakProperty.txt"
"auxiliary/GraphemeBreakProperty.txt"
@@ -962,22 +982,9 @@ (define*-public (gnulib-checkout #:key
("NormalizationTest.txt" . "uninorm")
("auxiliary/GraphemeBreakTest.txt" . "unigbrk")
("auxiliary/WordBreakTest.txt" . "uniwbrk")))
- (delete-file "gen-uni-tables"))))
- (add-after 'install 'restore-shebangs
- (lambda _
- (substitute* (find-files
- (string-append #$output "/src/gnulib")
- (lambda (fname stat)
- (and (not (string-suffix? "/lib/javaversion.class" fname))
- (not (string-suffix? ".mo" fname)))))
- (("^#! ?(.*)/bin/sh" _ prefix)
- "#!/bin/sh")
- (("^#! ?(.*)/bin/python3" _ prefix)
- "#!/usr/bin/env python3")
- (("^#! ?(.*)/bin/([a-zA-Z0-9-]+)" _ prefix program)
- (string-append "#!/usr/bin/" program))))))))
+ (delete-file "gen-uni-tables")))))))
(inputs
- (list bash-minimal)) ;shebang for gnulib-tool
+ (list bash-minimal)) ;shebang for gnulib-tool
(native-inputs
(list
bash-minimal python perl clisp
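Review bot: with `patch-source-shebangs` and `restore-shebangs` both gone, nothing in this file still rewrites a shebang to point at `bash-minimal`, so the `(inputs (list bash-minimal)) ;shebang for gnulib-tool` line, which this hunk only re-indents, now documents a mechanism that no longer exists and leaves an input that is never referenced. Either drop `bash-minimal` from `inputs`, or keep it and add the phase that makes bin/gnulib-tool use it, so the comment is true again.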
@@ -1005,9 +1012,9 @@ (define*-public (gnulib-checkout #:key
(define-public gnulib
(gnulib-checkout
- #:version "2022-12-31"
- #:commit "875461ffdf58ac04677957b4ae4160465b83b940"
- #:hash (base32 "0bf7a6wdns9c5wwv60qfcn9llg0j6jz5ryd2qgsqqx2i6xkmp77c")))
+ #:version "2024-05-30"
+ #:commit "ac4b301ae15223c98b51cd5a0eda2e2cf57c817b"
+ #:hash (base32 "0f4w56fc97clg13mmdghx84dh9xqmaqr3j672ppfh3h66gmmmvzs")))
(define-public pdpmake
(package
diff --git a/gnu/packages/patches/gnulib-bootstrap.patch b/gnu/packages/patches/gnulib-bootstrap.patch
new file mode 100644
index 0000000000..c0c9a5e732
--- /dev/null
+++ b/gnu/packages/patches/gnulib-bootstrap.patch
@@ -0,0 +1,75 @@
+From adbf7ce2c2b03ce5ee25d4c68f9bb247b0dcbc2b Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Thu, 30 May 2024 14:48:04 -0400
+Subject: [PATCH] bootstrap: Use gnulib-tool from PATH if available.
+
+Some distributions such as GNU Guix include in their package for
+gnulib a 'gnulib-tool' command under their $bindir
+prefix (e.g. '/bin') for users to use, along the unmodified full
+sources. The idea is that any wrapping or distribution modifications
+for the *execution* of the script at run time is done on these
+commands, while the rest of the source should be in their
+pristine (unmodified) version. Adjust the 'gnulib-tool' discovery
+mechanism to support such installation layout.
+
+* build-aux/bootstrap (autogen) <gnulib_tool>: Prefer to use from
+PATH, else from $GNULIB_SRCDIR/../../bin/gnulib-tool, else from
+$GNULIB_SRCDIR/gnulib-tool.
+* gnulib-tool.sh (func_gnulib_dir): Honor GNULIB_SRCDIR to locate
+gnulib's main directory.
+---
+ build-aux/bootstrap | 11 +++++++++--
+ gnulib-tool.sh | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/build-aux/bootstrap b/build-aux/bootstrap
+index 6295b8a128..06271eea8b 100755
+--- a/build-aux/bootstrap
++++ b/build-aux/bootstrap
+@@ -3,7 +3,7 @@
+
+ # Bootstrap this package from checked-out sources.
+
+-scriptversion=2024-04-13.15; # UTC
++scriptversion=2024-05-30.20; # UTC
+
+ # Copyright (C) 2003-2024 Free Software Foundation, Inc.
+ #
+@@ -1164,7 +1164,14 @@ autogen()
+ fi
+
+ if $use_gnulib; then
+- gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ gnulib_tool=$(command -v gnulib-tool)
++ if test -x "$gnulib_tool"; then
++ : # done
++ elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool; then
++ gnulib_tool=$GNULIB_SRCDIR/../../bin/gnulib-tool
++ else
++ gnulib_tool=$GNULIB_SRCDIR/gnulib-tool
++ fi
+ <$gnulib_tool || return
+ fi
+
+diff --git a/gnulib-tool.sh b/gnulib-tool.sh
+index 12f0b82461..0aefbe2b2b 100755
+--- a/gnulib-tool.sh
++++ b/gnulib-tool.sh
+@@ -518,7 +518,11 @@ func_gnulib_dir ()
+ * ) self_abspathname=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`/"$linkval" ;;
+ esac
+ done
+- gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ if test -n "$GNULIB_SRCDIR"; then
++ gnulib_dir=$GNULIB_SRCDIR
++ else
++ gnulib_dir=`echo "$self_abspathname" | sed -e 's,/[^/]*$,,'`
++ fi
+ }
+
+ # func_tmpdir
+
+base-commit: ac4b301ae15223c98b51cd5a0eda2e2cf57c817b
+--
+2.41.0
+
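Review bot: in the `autogen()` hunk, `gnulib_tool=$(command -v gnulib-tool)` makes whatever `gnulib-tool` happens to be first on PATH take precedence over the checkout the caller named via `$GNULIB_SRCDIR`; that inverts the previous trust order, since bootstrap will now read and run a tool the user did not point it at whenever one is on PATH. The Guix layout is already covered by the `$GNULIB_SRCDIR/../../bin/gnulib-tool` branch, so consider trying the `GNULIB_SRCDIR`-relative locations first and falling back to PATH only when `GNULIB_SRCDIR` is unset. Also quote the expansions in `elif test -x $GNULIB_SRCDIR/../../bin/gnulib-tool` and the assignment under it: with `GNULIB_SRCDIR` empty that test silently probes the relative path `../../bin/gnulib-tool` against the current directory.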
--
2.45.1
Maxim Cournoyer wrote on 6 Jun 02:49 +0200
Re: bug#47144: security patching of 'patch' package
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)
87ikym3nf1.fsf@gmail.com
Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’. Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.

Indeed. It'll be easy though to grep for 'patch/pinned', which are far
and few in between, compared to grepping for 'patch'... I've
implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.

--
Thanks,
Maxim
Maxim Cournoyer wrote on 6 Jun 02:46 +0200
[PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes].
(address . 47144@debbugs.gnu.org)
7663177c58ca72f54b6c715561701952b35910ec.1717634752.git.maxim.cournoyer@gmail.com
* gnu/packages/base.scm (patch): Rename to...
(patch/pinned): ... this. Hide package.
(patch): New variable.
* gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
(patch-boot0): Likewise.
(%final-inputs): Replace patch with patch/pinned.
* gnu/packages/lisp.scm (cl-asdf): Likewise.
* guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.

Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

Changes in v4:
- Use a hidden patch/pinned and patch variables instead of a graft

Changes in v3:
- Do not use inheritance for patch/fixed origin

Changes in v2:
- Use same version to have the same store length, a graft requirement
- Copy the gnulib source in a phase to avoid introducing a dependency cycle

gnu/packages/base.scm | 102 +++++++++++++++++++++++++---------
gnu/packages/commencement.scm | 8 +--
gnu/packages/lisp.scm | 2 +-
guix/packages.scm | 2 +-
4 files changed, 82 insertions(+), 32 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..66c5b7d237 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
#:use-module (gnu packages acl)
#:use-module (gnu packages algebra)
#:use-module (gnu packages attr)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
@@ -261,35 +263,83 @@ (define-public tar
(license gpl3+)
(home-page "https://www.gnu.org/software/tar/")))
-(define-public patch
- (package
- (name "patch")
- (version "2.7.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://gnu/patch/patch-"
- version ".tar.xz"))
- (sha256
- (base32
- "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
- (patches (search-patches "patch-hurd-path-max.patch"))))
- (build-system gnu-build-system)
- (arguments
- ;; Work around a cross-compilation bug whereby libpatch.a would provide
- ;; '__mktime_internal', which conflicts with the one in libc.a.
- (if (%current-target-system)
- `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
- '()))
- (native-inputs (list ed))
- (synopsis "Apply differences to originals, with optional backups")
- (description
- "Patch is a program that applies changes to files based on differences
+;;; TODO: Replace/merge with 'patch' on core-updates.
+(define-public patch/pinned
+ (hidden-package
+ (package
+ (name "patch")
+ (version "2.7.6")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnu/patch/patch-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (build-system gnu-build-system)
+ (arguments
+ ;; Work around a cross-compilation bug whereby libpatch.a would provide
+ ;; '__mktime_internal', which conflicts with the one in libc.a.
+ (if (%current-target-system)
+ `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
+ '()))
+ (native-inputs (list ed))
+ (synopsis "Apply differences to originals, with optional backups")
+ (description
+ "Patch is a program that applies changes to files based on differences
laid out as by the program \"diff\". The changes may be applied to one or more
files depending on the contents of the diff file. It accepts several
different diff formats. It may also be used to revert previously applied
differences.")
- (license gpl3+)
- (home-page "https://savannah.gnu.org/projects/patch/")))
+ (license gpl3+)
+ (home-page "https://savannah.gnu.org/projects/patch/"))))
+
+(define-public patch
+ ;; The latest release is from 2018, and lacks multiple security related
+ ;; patches. Since Fedora carries 23 patches, simply use the latest commit
+ ;; until a proper release is made.
+ (let ((revision "0")
+ (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")
+ (base patch/pinned))
+ (package
+ (inherit base)
+ (name "patch")
+ (version (git-version "2.7.6" revision commit))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments base)
+ ((#:phases phases '%standard-phases)
+ #~(modify-phases #$phases
+ (add-after 'unpack 'copy-gnulib-sources
+ (lambda _
+ ;; XXX: We copy the source instead of using 'gnulib' as a
+ ;; native input to avoid introducing a dependency cycle.
+ (copy-recursively #+gnulib "gnulib")
+ (setenv "GNULIB_SRCDIR"
+ (string-append (getcwd) "/gnulib/src/gnulib"))))
+ (add-after 'copy-gnulib-sources 'update-bootstrap-script
+ (lambda _
+ (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+ "bootstrap")))
+ (add-after 'unpack 'patch-configure.ac
+ (lambda _
+ (substitute* "configure.ac"
+ ;; The gnulib-provided git-version-gen script has a plain
+ ;; shebang of #!/bin/sh; avoid using it.
+ (("build-aux/git-version-gen" all)
+ (string-append "sh " all)))))))))
+ (native-inputs (list autoconf automake bison ed))
+ (properties '()))))
(define-public diffutils
(package
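Review bot: `(properties '())` on the last line of the new `patch` definition is needed to clear the `hidden?` property inherited from `patch/pinned`, but the version `(git-version "2.7.6" revision commit)` still starts with 2.7.6, so `guix lint -c cve` will keep matching this package against the 2.7.6 CVE entries that motivated this bug. Since the whole point of the change is to ship those fixes, set a `lint-hidden-cve` property here listing the CVEs that commit `f144b35425d9d7732ea5485034c1a6b7a106ab92` fixes (with a comment naming the upstream commits), and spell those CVE ids out in the commit message instead of the bare "[security fixes]" tag, so the claim is auditable. The explanatory comment "Since Fedora carries 23 patches" will also go stale quickly; "downstream distributions carry many backported fixes" says the same without a number that needs maintaining.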
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index b4d236c35b..0433059493 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -878,7 +878,7 @@ (define tcc-boot
(define patch-mesboot
;; The initial patch.
(package
- (inherit patch)
+ (inherit patch/pinned)
(name "patch-mesboot")
(version "2.5.9")
(source (origin
@@ -2167,8 +2167,8 @@ (define gawk-boot0
(define patch-boot0
(package
- (inherit patch)
- (source (bootstrap-origin (package-source patch)))
+ (inherit patch/pinned)
+ (source (bootstrap-origin (package-source patch/pinned)))
(name "patch-boot0")
(native-inputs '())
(inputs
@@ -3482,7 +3482,7 @@ (define-public %final-inputs
("bzip2" ,bzip2)
("file" ,file)
("diffutils" ,diffutils)
- ("patch" ,patch)
+ ("patch" ,patch/pinned)
("findutils" ,findutils)
("gawk" ,gawk)))
("sed" ,sed-final)
diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm
index 6bf93d83c7..6f3bd126cc 100644
--- a/gnu/packages/lisp.scm
+++ b/gnu/packages/lisp.scm
@@ -121,7 +121,7 @@ (define-public cl-asdf
(build-system trivial-build-system)
(native-inputs
`(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch"))
- ("patch" ,patch)))
+ ("patch" ,patch/pinned)))
(arguments
`(#:modules ((guix build utils)
(guix build lisp-utils))
diff --git a/guix/packages.scm b/guix/packages.scm
index abe89cdb07..f3a9a61785 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -899,7 +899,7 @@ (define (%standard-patch-inputs system)
("gzip" ,(ref '(gnu packages compression) 'gzip))
("lzip" ,(ref '(gnu packages compression) 'lzip))
("unzip" ,(ref '(gnu packages compression) 'unzip))
- ("patch" ,(ref '(gnu packages base) 'patch))
+ ("patch" ,(ref '(gnu packages base) 'patch/pinned))
("locales"
,(parameterize ((%current-target-system #f)
(%current-system system))
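Review bot: `%standard-patch-inputs` is what applies every origin's `patches` field, so after this change every package patch in the distribution is still applied with the unfixed 2.7.6 `patch/pinned`. That is defensible because those patch files come from Guix's own tree rather than from untrusted input, but neither this hunk nor the `TODO` comment in base.scm says so, or why it must stay pinned here (presumably to avoid the dependency cycle and rebuild mentioned in the v2 changelog). State that rationale in the commit message or next to the `TODO`, so nobody later assumes the security fixes also cover patch application and nobody removes the pin without understanding the cost.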
--
2.45.1
Maxim Cournoyer wrote on 24 Jun 06:43 +0200
Re: bug#47144: security patching of 'patch' package
(address . 47144-done@debbugs.gnu.org)
87cyo70x31.fsf_-_@gmail.com
Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this. Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

Applied locally and will push shortly.

--
Thanks,
Maxim