~ruther/guix-local

1618ca7a — Ludovic Courtès 8 months ago
gnu: guix: Update to 9202921 [security].

Fixes guix/guix#2419.

* gnu/packages/package-management.scm (guix): Update to 9202921.

Change-Id: I7476c4e90be61a9607731731534d988eba168104
9202921e — Reepca Russelstein 10 months ago
perform-download: Use (ice-9 sandbox) for mirrors.

"guix perform-download" is used to implement the daemon's "download" and
"git-download" builtin builders.  Because these are builtins, it runs without
any additional isolation beyond merely running as a build user.  In such a
context, allowing arbitrary user-supplied code to be evaluated will easily
lead to the build user being taken over, which can then be used to corrupt
future builds, enable exploitation of certain vulnerabilities, and in the case
of the rootless daemon completely take over guix-daemon.

Use (ice-9 sandbox) to ensure that only safe bindings are available during the
evaluation of the content-addressed-mirrors file.

* guix/perform-download.scm (%safe-bindings, %sandbox-module): new variables.
  (syntax-noop): new syntax.
  (eval-content-addressed-mirrors, assert-store-file,
   call-with-input-file/no-symlinks): new procedures.
  (perform-download): use assert-store-file to ensure files are in the store
  before being read.  Use call-with-input-file/no-symlinks for opening
  untrusted files.  Use eval-content-addressed-mirrors to evaluate the
  content-addressed-mirrors file.

Change-Id: I8ed27a95d84dbcc7d72d0d75f172d113f8be6c79
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
f607aaaa — Reepca Russelstein 10 months ago
download: Handle content-addressed-mirrors returning #f.

* guix/build/download.scm (url-fetch): don't pass the return value from a
  content-addressed-mirror procedure to 'string->uri' if it is #f.

Change-Id: Ic4f94f86fcfebe6f2e60cb3c4330ce57886ab647
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2a333541 — Reepca Russelstein 10 months ago
perform-download: Ensure reading never evaluates code.

Since this is used to implement the "download" and "git-download" builtins,
which are run outside of any chroot, this is trusted code with respect to the
user-supplied strings it reads.

* guix/scripts/perform-download.scm (read/safe): new procedure.
  (perform-download, perform-git-download): use it.
  (guix-perform-download): explicitly set 'read-eval?' to #f and
  'read-hash-procedures' to '().  #f is the default value of 'read-eval?' on
  startup, but set it anyway to be certain.

Change-Id: I93cb8e32607a6f9a559a26c1cbd6b88212ead884
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
43bb79fc — Omar Bassam 8 months ago
gnu: sbcl-clss: Update to 0.3.1-3.cd5f603

* gnu/packages/lisp-xyz.scm (sbcl-clss): Update to 0.3.1-3.cd5f603

Change-Id: I479a79b1a1d3ac45ef31d9c02cc187fa072bf219
Signed-off-by: Omar Bassam <omar.bassam88@gmail.com>
Signed-off-by: jgart <jgart@dismail.de>
f73a492a — Artyom V. Poptsov 8 months ago
gnu: lr: Update to 2.0.

* gnu/packages/admin.scm (lr): Update to 2.0.
[arguments]: Use GEXPs.

Change-Id: I3264ccc86aa699a1e77c0388b48c801c5a4392ac
acc331fa — Maxim Cournoyer 8 months ago
gnu: ghc-hsopenssl: Update to 0.11.7.9.

* gnu/packages/haskell-crypto.scm (ghc-hsopenssl): Update to 0.11.7.9.
[#:configure-flags]: New argument.

Change-Id: I2719bdef7e6bbd76fe4c079d663917839a787e81
0260cf87 — Maxim Cournoyer 8 months ago
gnu: qemu: Update to 10.1.0.

* gnu/packages/virtualization.scm (qemu): Update to 10.1.0.
[source] <patches>: Remove qemu-disable-bios-tables-test and
qemu-glibc-2.41.patch patches; add qemu-fix-test-virtio-version.patch.
* gnu/packages/patches/qemu-disable-bios-tables-test.patch: Rebase.
* gnu/packages/patches/qemu-disable-migration-test.patch: Delete file.
* gnu/packages/patches/qemu-glibc-2.41.patch: Likewise.
* gnu/packages/patches/qemu-fix-test-virtio-version.patch: New file.
* gnu/local.mk (dist_patch_DATA): Update accordingly.

Change-Id: I0203137a144f89dcc502d1bcb2fa6f717b7223ff
d431f462 — Nicolas Graves 8 months ago
cve: Upgrade to JSON 2.0 feeds.

Fixes guix/guix#2213.  The 1.1-formatted-data is no longer available
from NIST.

* guix/cve.scm (string->date*, <cve-item>,
reference-data->cve-configuration, cpe-match->cve-configuration,
configuration-data->cve-configurations, json->cve-items,
yearly-feed-uri, cve-item->vulnerability): Upgrade to JSON 2.0 feeds
schema.
(<cve>): Remove unneeded record.
* tests/cve-sample.json: Update them. Remove CVE-2019-0005 (no value
added, lots of lines).
* tests/cve.scm (%expected-vulnerabilities): Upgrade accordingly.
(json->cve-items, vulnerabilities->lookup-proc tests): Update accordingly.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
ad5e0fc7 — Nicolas Graves 8 months ago
gnu: wget: Graft secure package.

* gnu/packages/wget.scm (wget/fixed): Add new variable.
(wget): Hide package. Graft wget/fixed.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
8f310b6f — Nicolas Graves 8 months ago
gnu: mercurial: Add package and rename former to mercurial/pinned.

Mercurial currently has CVEs. IMHO, it's unsafe to carry them around
in a profile.  However, updating mercurial potentially leads to a lot of
rebuilds and I don't want to tackle this right now.

As for other packages, the way forward is to add a variant of the
package only used for hg-fetch, here mercurial/pinned.

* gnu/packages/version-control.scm
(mercurial-check-phase): Add helper variable.
(mercurial): Update to 7.1.
[arguments]: Use gexps.
<#:phases>: Refresh them. Add phase 'add-install-to-pythonpath for
running tests. Run tests after install. Add phase 'configure-check.
<#:imported-modules, #:modules>: Add them for
'add-install-for-pythonpath.
[native-inputs]: Remove python-nose. Add python-setuptools-next,
python-setuptools-scm-next.
(mercurial/pinned): Inherit from mercurial, but build the exact same
derivation as the previous mercurial variable.

* guix/hg-download.scm (hg-package): Use mercurial/pinned.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
6c71c8dc — Nicolas Graves 8 months ago
gnu: subversion: Add package and rename former to subversion/pinned.

Subversion currently has CVEs. IMHO, it's unsafe to carry them around
in a profile. However, updating subversion potentially leads to a lot of
rebuilds and I don't want to tackle this right now.

As for other packages, the way forward is to add a variant of the
package only used for svn-fetch, here subversion/pinned.

* gnu/packages/version-control.scm (subversion): Update to 1.14.5.
(subversion/pinned): Inherit from subversion, but build the exact same
derivation as the previous subversion variable.

* guix/svn-download.scm (subversion-package): Use subversion/pinned.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
a5ff617c — Ludovic Courtès 8 months ago
gnu: guile-fibers: Provide correct ‘git-reference’.

This is a followup to 6a45a2aac076e3b53b49932c28fbdde8c3e3de7a.

* gnu/packages/guile-xyz.scm (guile-fibers-1.4)[source]: Add missing ‘uri’
field.

Change-Id: Ie17a4e70c18c021aac9d5d88f1789c16fd4c7ad9
19f2030b — Hugo Buddelmeijer 9 months ago
gnu: Add python-edps.

* gnu/packages/astronomy.scm (python-edps): New variable.

Change-Id: Ia7235a34575538d5532c94d0bad7e358a1e6aaa3
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
f7f78d12 — Hugo Buddelmeijer 9 months ago
gnu: Add python-pyesorex.

* gnu/packages/astronomy.scm (python-pyesorex): New variable.

Change-Id: I9da8fe817fb11faab7718cfbd718622e75ef0db1
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
6c025178 — Hugo Buddelmeijer 9 months ago
gnu: Add python-pycpl.

* gnu/packages/astronomy.scm (python-pycpl): New variable.

Change-Id: Ieded5de94b146be76269fe0868ff55a21ac5f325
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
20542abc — Hugo Buddelmeijer 9 months ago
gnu: Add esorex.

* gnu/packages/astronomy.scm (esorex): New variable.

Change-Id: I62d901f1d4659cca01f4530bb84614628f876b47
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
355023e3 — Hugo Buddelmeijer 9 months ago
gnu: Add cpl.

* gnu/packages/astronomy.scm (cpl): New variable.

Change-Id: I07e6ee15f2366b73335740abc51fd4540ab9d1e6
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
1ae3d4ea — Sharlatan Hellseher 9 months ago
gnu: uraniborg: Update to 0.0.10.

* gnu/packages/astronomy.scm (uraniborg): Update to 0.0.10.
[arguments] <tests?>: Enable as post-install-check phase.
[phase]{patch-config}: Adjust default base directory to store path.
{post-install-check}: New phase.
{check}: Delete phase.
[description]: Mention the default base location.

Change-Id: I1dc2184b97c6bcaf6c5df0c0f3154ea2a25263f3
b69eaec7 — Sharlatan Hellseher 9 months ago
gnu: stellarium: Update to 25.2, build with Qt6.

* gnu/packages/astronomy.scm (stellarium): Update to 25.2.
[arguments] <configure-flags>: Enable Qt6 build (it's the default), adjust
search for qtserialport and qtpositioning.
[inputs]: Remove calcmysky-qt5, qtbase-5, qtcharts-5, qtlocation-5,
qtmultimedia-5, qtscript-5, qtserialport-5, qtwayland-5, qtwebengine-5,
and qxlsx-qt5; add calcmysky, eigen, glm, qtbase, qtcharts, qtlocation,
qtmultimedia, qtserialport, qtwayland, qtwebengine, and qxlsx.
[native-inputs]: Remove qttools-5; add qttools.

Change-Id: Ic37a06fd4d15872bf18a0f75901359f2021cac2f