From 4641d4bb8eab7d05b4915d20361d1902e1499d33 Mon Sep 17 00:00:00 2001 From: Rutherther Date: Sun, 21 Sep 2025 21:20:09 +0200 Subject: [PATCH] vm-image.tmpl: Do not leak local checkout URL. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow up of 94c9e53fa4 that made similar change, but in gnu/system/install.scm. Change local checkout url for the default channel url to ensure release images will not leak local checkout url. * gnu/system/examples/vm-image.tmpl: Change channel of ‘guix’ package to inherit from ‘%default-guix-channel’. Change-Id: I1c633b44cfa067cae1d2948e7e7ef6922995c27d Signed-off-by: Ludovic Courtès --- gnu/system/examples/vm-image.tmpl | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/gnu/system/examples/vm-image.tmpl b/gnu/system/examples/vm-image.tmpl index 205ae73a9fcaf0434985a7ae2549bef14e4ebffa..d3e70642b9e68893d63258b3852a8824e92de69e 100644 --- a/gnu/system/examples/vm-image.tmpl +++ b/gnu/system/examples/vm-image.tmpl @@ -5,7 +5,12 @@ ;; guix system reconfigure /etc/config.scm ;; -(use-modules (gnu) (guix) (srfi srfi-1)) +(use-modules (gnu) + (guix) + (srfi srfi-1) + (ice-9 match) + (guix channels) + (gnu system image)) (use-service-modules desktop mcron networking spice ssh xorg sddm) (use-package-modules bootloaders fonts package-management xdisorg xorg) @@ -25,6 +30,15 @@ Run '\x1b[1;37minfo guix\x1b[0m' to browse documentation. accounts.\x1b[0m ")) +(define (guix-package-commit guix) + ;; Extract the commit of the GUIX package. + (match (package-source guix) + ((? channel? source) + (channel-commit source)) + (_ + (apply (lambda* (#:key commit #:allow-other-keys) commit) + (package-arguments guix))))) + (operating-system (host-name "gnu") (timezone "Etc/UTC") 
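Review bot: `(gnu system image)` is added to `use-modules` in the first hunk, but nothing in the visible hunks uses a binding from it. `match` comes from `(ice-9 match)`, and `channel`, `channel?`, `channel-commit` and `%default-guix-channel` come from `(guix channels)`. If the rest of the file does not need it either, drop that line so that users who copy this template to /etc/config.scm do not load an extra module for nothing. The rest of the file is outside this hunk, so confirm before removing.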
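Review bot: The fallback branch of `guix-package-commit` returns `#f` when the package arguments carry no `#:commit` keyword, because the `lambda*` key then takes its default value. That `#f` would flow into the `commit` field of the channel built in the last hunk, so the image would presumably stop being pinned to the revision it was built from, with no error raised. I would fail loudly instead, for example with `(or commit (error "guix package has no commit" guix))` as the body of the `lambda*`. The one-line comment could also become a docstring saying that the commit is read from the channel source when there is one, and from the `#:commit` package argument otherwise.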
@@ -123,7 +137,14 @@ root ALL=(ALL) ALL (guix-service-type config => (guix-configuration (inherit config) - (guix (current-guix)))))))) + (guix + (let ((guix (current-guix))) + (package + (inherit guix) + ;; Do not leak the local checkout URL. + (source (channel + (inherit %default-guix-channel) + (commit (guix-package-commit guix))))))))))))) ;; Allow resolution of '.local' host names with mDNS. (name-service-switch %mdns-host-lookup-nss))
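Review bot: The comment `;; Do not leak the local checkout URL.` covers the URL but not the commit. The new `source` relies on the commit of `(current-guix)` being published in the repository that `%default-guix-channel` points to. If the image is built from a checkout with local, unpushed commits, the resulting system would presumably reference a revision the default channel cannot provide. I would say so in the comment, for example `;; Use the default channel URL rather than the builder's checkout; the commit must exist upstream.` The enclosing `operating-system` form starts and ends outside this hunk.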