Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
fix-version-string | Set version from .tarball-version shipped in guix tarball, rather than potentially attempting to regenerate from git. | Vagrant Cascadian <vagrant@debian.org> | not-needed | | | |
guix-services-from-usr-bin | Patch to run from binaries in /usr/bin. | | no | | | |
skip-use-of-bootstrap-binary | Disable test as it uses bootstrap binaries downloaded from the network when not present, which violates Debian Policy. | | no | | | |
0001-tests-challenge-Disable-tests-requiring-bootstrap-bi.patch | [PATCH 01/23] tests/challenge: Disable tests requiring bootstrap binaries if network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0002-tests-Only-run-tests-requiring-bootstrap-binaries-wh.patch | [PATCH 02/23] tests: Only run tests requiring bootstrap binaries when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0003-tests-Ensure-tests-that-require-bootstrap-guile-are-.patch | [PATCH 03/23] tests: Ensure tests that require %bootstrap-guile are only run when network is reachable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0004-tests-Only-run-tests-using-bootstrap-binaries-when-n.patch | [PATCH 04/23] tests: Only run tests using bootstrap binaries when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0005-tests-Only-run-tests-using-bootstrap-binaries-when-n.patch | [PATCH 05/23] tests: Only run tests using bootstrap binaries when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0006-tests-channels.scm-Disable-latest-channel-instances-.patch | [PATCH 06/23] tests/channels.scm: Disable latest-channel-instances includes channel dependencies when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0007-tests-syscalls.scm-Disable-scandir-properties-test-f.patch | [PATCH 07/23] tests/syscalls.scm: Disable scandir properties test failure. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0008-tests-derivations.scm-Disable-fixed-output-derivatio.patch | [PATCH 08/23] tests/derivations.scm: Disable fixed-output derivations tests when network is unavailable (???) | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0009-tests-derivations.scm-Only-run-download-built-in-bui.patch | [PATCH 09/23] tests/derivations.scm: Only run download built-in builder when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-06 |
0010-tests-challenge.scm-Disable-tests-that-may-require-n.patch | [PATCH 10/23] tests/challenge.scm: Disable tests that may require network for bootstrap binaries. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0011-tests-union.scm-Skip-tests-that-depend-on-bootstrap-.patch | [PATCH 11/23] tests/union.scm: Skip tests that depend on bootstrap binaries. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0012-tests-store.scm-Disable-tests-requiring-bootstrap-bi.patch | [PATCH 12/23] tests/store.scm: Disable tests requiring bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0013-tests-store.scm-Disable-tests-requiring-bootstrap-gu.patch | [PATCH 13/23] tests/store.scm: Disable tests requiring bootstrap-guile when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0014-tests-size.scm-Disable-tests-requiring-bootstrap-bin.patch | [PATCH 14/23] tests/size.scm: Disable tests requiring bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0015-tests-processes.scm-Disable-test-using-bootstrap-gui.patch | [PATCH 15/23] tests/processes.scm: Disable test using bootstrap-guile when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0016-tests-derivations.scm-Disable-tests-requiring-bootst.patch | [PATCH 16/23] tests/derivations.scm: Disable tests requiring bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0017-tests-gexp.scm-Disable-tests-using-bootstrap-binarie.patch | [PATCH 17/23] tests/gexp.scm: Disable tests using bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0018-tests-grafts.scm-Disable-tests-that-require-bootstra.patch | [PATCH 18/23] tests/grafts.scm: Disable tests that require bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0019-tests-graph.scm-Disable-test-needing-further-investi.patch | [PATCH 19/23] tests/graph.scm: Disable test needing further investigation. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0020-tests-packages.scm-Disable-tests-using-bootstrap-bin.patch | [PATCH 20/23] tests/packages.scm: Disable tests using bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0021-tests-profiles.scm-Disable-tests-using-bootstrap-bin.patch | [PATCH 21/23] tests/profiles.scm: Disable tests using bootstrap binaries when networking is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0022-tests-publish.scm-Disable-test-requiring-bootstrap-b.patch | [PATCH 22/23] tests/publish.scm: Disable test requiring bootstrap binaries when networking is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0023-tests-publish.scm-Disable-test-needing-further-inves.patch | [PATCH 23/23] tests/publish.scm: Disable test needing further investigation. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
0024-tests-derivations.scm-Disable-tests-with-unknown-cau.patch | [PATCH 24/24] tests/derivations.scm: Disable tests with unknown causes. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-10 |
tests-Add-common-functions-for-to-check-for-network-.patch | [PATCH] tests: Add common functions to check for network reachability. * tests/common.sh: New file. * tests/guix-build-branch.sh, tests/guix-pack.sh, tests/guix-package-net.sh: Use skip_if_network_unreachable function from common.sh. * tests/guix-environment.sh: Use network_reachable function from common.sh. | Vagrant Cascadian <vagrant@debian.org> | yes | | upstream | 2020-11-10 |
tests-Disable-tests-using-bootstrap-binaries-when-ne.patch | [PATCH] tests: Disable tests using bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2020-11-11 |
disable-tests-that-fail-with-tilde-in-build-path | Tests fail when the build path contains a "~". | | yes | | upstream | |
disable-gexp-script-module-path | Disable test that uses bootstrap-guile. | | no | | | |
use-guix-daemon-from-usr-bin | On Debian systems guix-daemon is provided in /usr/bin, use that one. Also configure to use the _guixbuild group. | | no | | | |
lsb-init-functions | https://lintian.debian.org/tags/init.d-script-does-not-source-init-functions.html | | no | | | |
do-not-embed-build-path-in-gnu-ci | Do not embed build path (https://issues.guix.gnu.org/44835). | | no | | | |
0025-tests-containers.scm-Disable-container-tests.patch | [PATCH 25/29] tests/containers.scm: Disable container tests. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2021-01-20 |
0026-tests-guix-environment-container.sh-Disable-containe.patch | [PATCH 26/29] tests/guix-environment-container.sh: Disable container tests. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2021-01-20 |
0027-tests-syscalls.scm-Disable-tests-requiring-user-name.patch | [PATCH 27/29] tests/syscalls.scm: Disable tests requiring user namespaces. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2021-01-20 |
0028-tests-lint.scm-Disable-several-lint-tests-that-fail-.patch | [PATCH 28/29] tests/lint.scm: Disable several lint tests that fail with guile-2.2. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2021-01-20 |
0029-tests-swh.scm-Disable-tests-the-fail-with-guile-2.2.patch | [PATCH 29/29] tests/swh.scm: Disable tests that fail with guile-2.2. | Vagrant Cascadian <vagrant@debian.org> | no | | | 2021-01-20 |
security/daemon-Prevent-privilege-escalation-with-keep-failed.patch | [PATCH] daemon: Prevent privilege escalation with '--keep-failed' [security]. Fixes <https://bugs.gnu.org/47229>. Reported by Nathan Nye of WhiteBeam Security. * nix/libstore/build.cc (DerivationGoal::startBuilder): When 'useChroot' is true, add "/top" to 'tmpDir'. (DerivationGoal::deleteTmpDir): Adjust accordingly. When 'settings.keepFailed' is true, chown in two steps: first the "/top" sub-directory, and then rename "/top" to its parent. | Ludovic Courtès <ludo@gnu.org> | no | | | 2021-03-18 |
tests-Ensure-test-OpenPGP-keys-never-expire.patch | [PATCH] tests: Ensure test OpenPGP keys never expire. All these keys had expiration dates. 'tests/keys/ed25519.pub' expired on 2022-04-24. Fixes <https://issues.guix.gnu.org/55506>. * tests/keys/ed25519.pub, tests/keys/ed25519-2.pub, tests/keys/ed25519-3.pub: Remove expiration date. | Ludovic Courtès <ludo@gnu.org> | no | | | 2022-05-18 |
security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch | [PATCH 01/36] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process for instance over an abstract AF_UNIX socket, which would then allow said process to modify the file in the store after it has been marked as "valid". Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the 'Path' variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When 'fixedOutput' is true, call 'copyFileRecursively' followed by 'rename' on each output. | Ludovic Courtès <ludo@gnu.org> | no | | | 2024-03-11 |
security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch | [PATCH 32/36] daemon: Address shortcoming in previous security fix for CVE-2024-27297. This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two performed in a chroot, which is the case for all of them except those using "builtin:download" and "builtin:git-download", and (2) it did not preserve ownership when copying, leading to "suspicious ownership or permission […] rejecting this build output" errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for 'chrootRootDir' when copying 'drv.outputs'. * nix/libutil/util.cc (copyFileRecursively): Add 'fchown' and 'fchownat' calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. | Ludovic Courtès <ludo@gnu.org> | no | | | 2024-03-12 |
0001-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch | daemon: Sanitize failed build outputs prior to exposing them. The only thing keeping a rogue builder and a local user from collaborating to usurp control over the builder's user during the build is the fact that whatever files the builder may produce are not accessible to any other users yet. If we're going to make them accessible, we should probably do some sanity checking to ensure that sort of collaborating can't happen. Currently this isn't happening when failed build outputs are moved from the chroot as an aid to debugging. * nix/libstore/build.cc (secureFilePerms): new function. (DerivationGoal::buildDone): use it. | Reepca Russelstein <reepca@russelstein.xyz> | no | | | 2024-10-20 |
0002-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch | daemon: Sanitize successful build outputs prior to exposing them. There is currently a window of time between when the build outputs are exposed and when their metadata is canonicalized. * nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after metadata canonicalization to move successful build outputs to the store. | Reepca Russelstein <reepca@russelstein.xyz> | no | | | 2024-10-20 |