gnu: linux-libre 6.12: Update to 6.12.26.
* gnu/packages/linux.scm (linux-libre-6.12-version): Update to 6.12.26.
(linux-libre-6.12-pristine-source): Update hash.
Change-Id: I60dc56d6a3d582781775661da3aa438b33c15810
gnu: linux-libre 6.14: Update to 6.14.5.
* gnu/packages/linux.scm (linux-libre-6.14-version): Update to 6.14.5.
(linux-libre-6.14-pristine-source): Update hash.
Change-Id: I6e81210e7237dabef9eff430ba9920ef3d501b1d
gnu: openssh: Adapt for root-less guix store.
Fixes <https://issues.guix.gnu.org/78067>.
Previously sshd would use /gnu/store/…-openssh-…/var/empty as its
PRIVSEP_PATH. However, when using the unprivileged daemon, that
directory would belong to guix-daemon:guix-daemon, leading to this
error:
sshd[234]: fatal: /gnu/store/…-openssh-10.0p1/var/empty must be owned by root and not group or world-writable.
Fix that by switching to /var/empty.
* gnu/packages/patches/openssh-trust-guix-store-directory.patch
(openssh): Adjust to trust files in guix store owned by guix-daemon.
* gnu/packages/ssh.scm (openssh)[arguments]: Remove ‘reset-/var/empty’
phase; change ‘install’ phase to not create PRIVSEP_PATH.. Append
ending slash when substituting STORE_DIRECTORY.
Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f
Reported-by: Zack Weinberg <zack@owlfolio.org>
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
gnu: Add guile-slugify.
* gnu/packages/guile-xyz.scm (guile-slugify): New variable.
Change-Id: I4e7ab7a4821f53cf7372388efa07cea2fd3c17ef
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>
install: Do not leak local checkout URL.
Fixes <https://issues.guix.gnu.org/67707>.
Previously ‘guix describe’ in the installation image would show the
URL of the local checkout that was used to build the image. It now
shows the default URL.
* gnu/system/install.scm (%installation-services): Change channel of
‘guix’ package to inherit from ‘%default-guix-channel’.
Change-Id: If848b5a6166904e982e0f9a0780f3e3f53bdfc28
gnu: Update neomutt.
* gnu/packages/mail.scm (neomutt): Update to 20250404.
[arguments] <configure-flags>: remove deprecated options --disable-idn,
--with-ui and --debug. Change --ssl option to new format. Add --zstd.
<phases>: Remove breaking tests.
[inputs]: Add zstd.
Change-Id: Id823068d28595b398911cde4fce4d1a5c5576561
Signed-off-by: Steve George <steve@futurile.net>
gnu: trealla: Update to 2.70.4.
* gnu/packages/prolog.scm (trealla): Update to 2.70.4.
Change-Id: Ib30d3cd9d4f3fed089184bc8202fba3997cf57b7
gnu: lsp-plugins: Update to 1.2.21.
* gnu/packages/music.scm (lsp-plugins): Update to 1.2.21.
[arguments]: Update file name of test binary.
Change-Id: Ifc65e4fd6d66ef8466c46fd487e710366d5db9b1
gnu: r-posterior: Update to 1.6.1.
* gnu/packages/cran.scm (r-posterior): Update to 1.6.1.
[native-inputs]: Add r-dplyr, r-ggplot2, and r-tidyr.
Change-Id: Ibbea0ab6c98f7d246cdc390e0f8a65f87aca6807
gnu: deluge: Update to 2.2.0.
* gnu/packages/bittorrent.scm (deluge): Update to 2.2.0.
[arguments]<#:phases>: Drop 'fix-deluge-console.
Change-Id: Iad8461c7ea73042fb208ea182f4dc67d4e74adcf
Signed-off-by: Andreas Enge <andreas@enge.fr>
gnu: torbrowser: Update to 14.5.1 [security-fixes].
Fixes CVEs 2025-2817, 2025-4082, 2025-4083, 2025-4084, 2025-4087,
2025-4091 and 2025-4093. See:
<https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/> for
details.
* gnu/packages/tor-browsers.scm (%torbrowser-build-date): Update to
20250428205842.
(%torbrowser-version): Update to 14.5.1.
(%torbrowser-firefox-version): Update to 128.10.0esr-14.5-1-build2.
(torbrowser-translation-base): Update to
04331f4c8177a09f0785f8cf2604dcebde139be5.
(torbrowser-translation-specific): Update to
5f4849f6d050316f9d7fe90018d1a83a3d191341.
Change-Id: I4192dc53ea2f67ca127c61cfc98b4a057954942a
Signed-off-by: Andreas Enge <andreas@enge.fr>
gnu: mullvadbrowser: Update to 14.5.1 [security-fixes].
Fixes CVEs 2025-2817, 2025-4082, 2025-4083, 2025-4084, 2025-4087,
2025-4091 and 2025-4093. See:
<https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/> for
details.
* gnu/packages/tor-browsers.scm (%mullvadbrowser-build-date): Update to
20250428205842.
(%mullvadbrowser-version): Update to 14.5.1.
(%mullvadbrowser-firefox-version): Update to 128.10.0esr-14.5-1-build2.
(mullvadbrowser-translation-base): Update to
04331f4c8177a09f0785f8cf2604dcebde139be5.
(mullvadbrowser-translation-specific): Update to
88915281a11105bef03e638336b2852bd806ef78.
Change-Id: I8d71343b86b41318e7f4c7906cd4d2cf7c60e52e
Signed-off-by: Andreas Enge <andreas@enge.fr>
gnu: quickjs: Update to 2025-04-26.
* gnu/packages/javascript.scm (quickjs): Update to 2025-04-26.
Change-Id: Ia759ec18e58613734446d9cce88f781c3c415c14
Signed-off-by: Andreas Enge <andreas@enge.fr>
Revert "gnu: quickjs: Deprecate."
It seems quickjs-ng and quickjs are not API compatible.
This fixes building tic80.
This reverts commit b94cf86a89ef0a6bf7ec2c8e52f64c5107888f55.
Change-Id: I3666ddbef8d1b2e71d49f9b14aef5a1be4b8495a
Signed-off-by: Andreas Enge <andreas@enge.fr>
gnu: lcrq: Update to 0.2.4.
* gnu/packages/networking.scm (lcrq): Update to 0.2.4.
[homepage]: Update redirected URL.
Change-Id: I22fe5ecb012d915552779acc2d7f69d43ea03a3b
Signed-off-by: Andreas Enge <andreas@enge.fr>
linux-container: Lock mounts by default.
This makes it impossible to unmount or remount things from within
‘call-with-container’.
* gnu/build/linux-container.scm (initialize-user-namespace):
Add #:host-uid and #:host-gid. and honor them.
(run-container): Add #:lock-mounts?. Honor it by calling ‘unshare’
followed by ‘initialize-user-namespace’.
(call-with-container): Add #:lock-mounts? and pass it down.
(container-excursion): Get the user namespace owning the PID namespace
and join it, then join the remaining namespaces.
* tests/containers.scm ("call-with-container, mnt namespace, locked mounts"):
New test.
("container-excursion"): Pass #:lock-mounts? #f.
Change-Id: I13be982aef99e68a653d472f0e595c81cfcfa392
linux-container: Set up “lo” and generate /etc/hosts by default.
* gnu/build/linux-container.scm (run-container): Add #:loopback-network?
and honor it via #:populate-file-system.
(call-with-container): Add #:loopback-network? and pass it to
‘run-container’.
* guix/scripts/environment.scm (launch-environment/container): Remove
call to ‘set-network-interface-up’ and remove generation of /etc/hosts.
* guix/scripts/home.scm (spawn-home-container): Likewise.
Change-Id: I5933a4e8dc6d8e19235a79696b62299d74d1ba21
linux-container: Support having a read-only root file system.
Until now, the read-only file system set up by ‘call-with-container’
would always be writable. With this change, it can be made read-only.
With this patch, only ‘least-authority-wrapper’ switches to a read-only
root file system.
* gnu/build/linux-container.scm (remount-read-only): New procedure.
(mount-file-systems): Add #:writable-root? and #:populate-file-system
and honor them.
(run-container): Likewise.
(call-with-container): Likewise.
* gnu/system/linux-container.scm (container-script): Pass #:writable-root?
to ‘call-with-container’.
(eval/container): Add #:populate-file-system and #:writable-root? and
honor them.
* guix/scripts/environment.scm (launch-environment/container):
Pass #:writable-root? to ‘call-with-container’.
* guix/scripts/home.scm (spawn-home-container): Likewise.
* tests/containers.scm ("call-with-container, mnt namespace, read-only root")
("call-with-container, mnt namespace, writable root"): New tests.
Change-Id: I603e2fd08851338b737bb16c8af3f765e2538906
linux-container: Add #:mounts to ‘eval/container’.
* gnu/system/linux-container.scm (eval/container): Add #:mounts
parameter and honor it.
Change-Id: I1d5970f53a3d67db93e937e392f9bf36e75d1573
services: guix: Fix case when /etc/guix/acl is a dangling symlink.
One possible solution for an issue when /etc/guix/acl file exists, but points
to a non-existent location. This can for example happen if one is
reinitializing the system, and remove only /gnu/store and /var/guix, keep the
rest okay. This is a major advantage of guix as compared to other distros that
usually need you to reinitialize the whole root partition. But this will leave
the user with acl file pointing to non-existent location. The file-exists?
procedure will return #f for broken symbolic links.
I think that another reason one would get this issue is, if one was booted in
a live iso, chrooted, fixing their system. They would switch generations to
one with different acl file, delete other generations gc rooting the original
acl file and then gc. One could do this approach for example when recovering
from file corruptions in the store, to get rid of the unsubstitutable paths
that can't be repaired with guix gc --verify.
This fixes the issue by looking for type of a file through lstat, instead of
relying on file-exists?. If the symlink is a broken symlink, it is
removed. Other than that the old behavior is kept:
- If regular file, back it up
- If symlink pointing to the store, remove it
- If symlink not pointing to the store, back it up
* gnu/services/base.scm (substitute-key-authorization): Check if acl file is a
possibly-dangling symbolic link.
Change-Id: I2f8170606b2f4afeea48f04acfd738b04cafc7cf
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>