Debian Patches

Status for guix/1.4.0-3+deb12u1

Patch Description Author Forwarded Bugs Origin Last update
fix-version-string Set version from .tarball-version shipped in guix tarball, rather than potentially attempting to regenerate from git.

Vagrant Cascadian <vagrant@debian.org> not-needed
guix-services-from-usr-bin Patch to run from binaries in /usr/bin.

no
skip-use-of-bootstrap-binary Disable test as it uses bootstrap binaries downloaded from the network
when not present, which violates Debian Policy.

no
tests-Add-common-functions-for-to-check-for-network-.patch [PATCH] tests: Add common functions for to check for network reachability.

* tests/common.sh: New file.
* tests/guix-build-branch.sh, tests/guix-pack.sh,
tests/guix-package-net.sh: Use skip_if_network_unreachable function
from common.sh.
* tests/guix-environment.sh: Use network_reachable function from
common.sh.
Vagrant Cascadian <vagrant@debian.org> yes upstream 2020-11-10
tests-Disable-tests-using-bootstrap-binaries-when-ne.patch [PATCH] tests: Disable tests using bootstrap binaries when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-11
disable-gexp-script-module-path Disable test that uses bootstrap-guile.

no
use-guix-daemon-from-usr-bin On Debian systems guix-daemon is provided in /usr/bin, use that one.
Also configure to use the _guixbuild group.

no
lsb-init-functions https://lintian.debian.org/tags/init.d-script-does-not-source-init-functions.html

no
0001-tests-challenge-Disable-tests-requiring-bootstrap-bi.patch [PATCH 01/29] tests/challenge: Disable tests requiring bootstrap binaries if network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0002-tests-Only-run-tests-requiring-bootstrap-binaries-wh.patch [PATCH 02/29] tests: Only run tests requiring bootstrap binaries when network is available. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0003-tests-Ensure-tests-that-require-bootstrap-guile-are-.patch [PATCH 03/29] tests: Ensure tests that require %bootstrap-guile are only run when network is reachable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0004-tests-Only-run-tests-using-bootstrap-binaries-when-n.patch [PATCH 04/29] tests: Only run tests using bootstrap binaries when network is available. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0005-tests-Only-run-tests-using-bootstrap-binaries-when-n.patch [PATCH 05/29] tests: Only run tests using bootstrap binaries when network is available. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0006-tests-channels.scm-Disable-latest-channel-instances-.patch [PATCH 06/29] tests/channels.scm: Disable latest-channel-instances includes channel dependencies when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0007-tests-syscalls.scm-Disable-scandir-properties-test-f.patch [PATCH 07/29] tests/syscalls.scm: Disable scandir properties test failure. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0008-tests-derivations.scm-Disable-fixed-output-derivatio.patch [PATCH 08/29] tests/derivations.scm: Disable fixed-output derivations tests when network is unavailable (???) Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0009-tests-derivations.scm-Only-run-download-built-in-bui.patch [PATCH 09/29] tests/derivations.scm: Only run download built-in builder when network is available. Vagrant Cascadian <vagrant@debian.org> no 2020-11-06
0010-tests-challenge.scm-Disable-tests-that-may-require-n.patch [PATCH 10/29] tests/challenge.scm: Disable tests that may require network for bootstrap binaries. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0011-tests-union.scm-Skip-tests-that-depend-on-bootstrap-.patch [PATCH 11/29] tests/union.scm: Skip tests that depend on bootstrap binaries. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0012-tests-store.scm-Disable-tests-requiring-bootstrap-bi.patch [PATCH 12/29] tests/store.scm: Disable tests requiring bootstrap binaries when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0013-tests-store.scm-Disable-tests-requiring-bootstrap-gu.patch [PATCH 13/29] tests/store.scm: Disable tests requiring bootstrap-guile when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0014-tests-size.scm-Disable-tests-requiring-bootstrap-bin.patch [PATCH 14/29] tests/size.scm: Disable tests requiring bootstrap binaries when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0015-tests-processes.scm-Disable-test-using-bootstrap-gui.patch [PATCH 15/29] tests/processes.scm: Disable test using bootstrap-guile when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0016-tests-derivations.scm-Disable-tests-requiring-bootst.patch [PATCH 16/29] tests/derivations.scm: Disable tests requiring bootstrap binaries when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0017-tests-gexp.scm-Disable-tests-using-bootstrap-binarie.patch [PATCH 17/29] tests/gexp.scm: Disable tests using bootstrap binaries when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0018-tests-grafts.scm-Disable-tests-that-require-bootstra.patch [PATCH 18/29] tests/grafts.scm: Disable tests that require bootstrap binaries when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0019-tests-graph.scm-Disable-test-needing-further-investi.patch [PATCH 19/29] tests/graph.scm: Disable test needing further investigation. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0020-tests-packages.scm-Disable-tests-using-bootstrap-bin.patch [PATCH 20/29] tests/packages.scm: Disable tests using bootstrap binaries when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0021-tests-profiles.scm-Disable-tests-using-bootstrap-bin.patch [PATCH 21/29] tests/profiles.scm: Disable tests using bootstrap binaries when networking is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0022-tests-publish.scm-Disable-test-requiring-bootstrap-b.patch [PATCH 22/29] tests/publish.scm: Disable test requiring bootstrap binaries when networking is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0023-tests-publish.scm-Disable-test-needing-further-inves.patch [PATCH 23/29] tests/publish.scm: Disable test needing further investigation. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0024-tests-derivations.scm-Disable-tests-that-need-bootst.patch [PATCH 24/29] tests/derivations.scm: Disable tests that need bootstrap binaries. Vagrant Cascadian <vagrant@debian.org> no 2020-11-10
0025-tests-containers.scm-Disable-container-tests.patch [PATCH 25/29] tests/containers.scm: Disable container tests. Vagrant Cascadian <vagrant@debian.org> no 2021-01-20
0026-tests-guix-environment-container.sh-Disable-containe.patch [PATCH 26/29] tests/guix-environment-container.sh: Disable container tests. Vagrant Cascadian <vagrant@debian.org> no 2021-01-20
0027-tests-syscalls.scm-Disable-tests-requiring-user-name.patch [PATCH 27/29] tests/syscalls.scm: Disable tests requiring user namespaces. Vagrant Cascadian <vagrant@debian.org> no 2021-01-20
0030-Disable-gexp-derivation-allowed-references-test-when.patch [PATCH 30/32] Disable "gexp->derivation #:allowed-references" test when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2021-04-25
0031-Disable-substitue-deduplication-test-when-network-is.patch [PATCH 31/32] Disable "substitue, deduplication" test when network is unavailable. Vagrant Cascadian <vagrant@debian.org> no 2021-04-25
guix-daemon-openrc-fixes Fix path to guix-daemon and use the _guixbuild group.

no
tests-disable-guix-shell-test no
more-disabled-tests no
use-c-utf8-locale Use the C.UTF-8 locale for guix-daemon and guix-publish.

https://bugs.debian.org/1012536

no
tests-skip-guix-home-no-localstatedir no
tests-disable-trivial-with-allowed-references diff --git a/tests/packages.scm b/tests/packages.scm
index 3506f94f91..3bc5ccb286 100644
no
tests-disable-lower-object-computed-file diff --git a/tests/gexp.scm b/tests/gexp.scm
index ad8e1d57b8..9a2e144377 100644
no
tests-disable-guix-hash-git guix hash -S git requires disarchive, which is not yet available in Debian.

diff --git a/tests/guix-hash.sh b/tests/guix-hash.sh
index 8b03c7985d..bbde6b5c88 100644
no
tests-disable-pypi-guix-package-no-wheel no
tests-gexp.scm-references-file-Skip-test-depending-o.patch [PATCH] tests/gexp.scm: references-file: Skip test depending on bootstrap binaries when network is not reachable. Vagrant Cascadian <vagrant@reproducible-builds.org> no 2022-10-23
tests-build-utils.scm-Disable-wrap-script-tests-if-n.patch [PATCH 1/3] tests/build-utils.scm: Disable wrap-script tests if network unavailable.

May require bootstrap binaries.
Vagrant Cascadian <vagrant@debian.org> no 2022-10-26
tests-guix-shell-export-manifest.sh-Disable-test-req.patch [PATCH 2/3] tests/guix-shell-export-manifest.sh: Disable test, requires bootstrap binaries. Vagrant Cascadian <vagrant@debian.org> no 2022-10-26
tests-profiles.scm-Disable-profile-derivation-format.patch [PATCH 3/3] tests/profiles.scm: Disable "profile-derivation format version 3" and "deduplication of repeated entries", requires bootstrap
binaries.
Vagrant Cascadian <vagrant@debian.org> no 2022-10-26
security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch [PATCH 01/36] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).

This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Vulnerability discovered by puck <https://github.com/puckipedia>.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

Nix fix:
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor. Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
Ludovic Courtès <ludo@gnu.org> no 2024-03-11
security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch [PATCH 32/36] daemon: Address shortcoming in previous security fix for CVE-2024-27297.

This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.

* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.
Ludovic Courtès <ludo@gnu.org> no 2024-03-12
