| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| fix-version-string | Set version from .tarball-version shipped in guix tarball, rather than potentially attempting to regenerate from git. =================================================================== |
Vagrant Cascadian <vagrant@debian.org> | not-needed | |||
| guix-services-from-usr-bin | Patch to run from binaries in /usr/bin. =================================================================== |
no | ||||
| skip-use-of-bootstrap-binary | Disable test as it uses bootstrap binaries downloaded from the network when not present, which violates Debian Policy. =================================================================== |
no | ||||
| tests-Add-common-functions-for-to-check-for-network-.patch | [PATCH] tests: Add common functions for to check for network reachability. * tests/common.sh: New file. * tests/guix-build-branch.sh, tests/guix-pack.sh, tests/guix-package-net.sh: Use skip_if_network_unreachable function from common.sh. * tests/guix-environment.sh: Use network_reachable function from common.sh. |
Vagrant Cascadian <vagrant@debian.org> | yes | upstream | 2020-11-10 | |
| tests-Disable-tests-using-bootstrap-binaries-when-ne.patch | [PATCH] tests: Disable tests using bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-11 | ||
| disable-gexp-script-module-path | Disable test that uses bootstrap-guile. =================================================================== |
no | ||||
| use-guix-daemon-from-usr-bin | On Debian systems guix-daemon is provided in /usr/bin, use that one. Also configure to use the _guixbuild group. =================================================================== |
no | ||||
| lsb-init-functions | https://lintian.debian.org/tags/init.d-script-does-not-source-init-functions.html =================================================================== |
no | ||||
| 0001-tests-challenge-Disable-tests-requiring-bootstrap-bi.patch | [PATCH 01/29] tests/challenge: Disable tests requiring bootstrap binaries if network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0002-tests-Only-run-tests-requiring-bootstrap-binaries-wh.patch | [PATCH 02/29] tests: Only run tests requiring bootstrap binaries when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0003-tests-Ensure-tests-that-require-bootstrap-guile-are-.patch | [PATCH 03/29] tests: Ensure tests that require %bootstrap-guile are only run when network is reachable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0004-tests-Only-run-tests-using-bootstrap-binaries-when-n.patch | [PATCH 04/29] tests: Only run tests using bootstrap binaries when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0005-tests-Only-run-tests-using-bootstrap-binaries-when-n.patch | [PATCH 05/29] tests: Only run tests using bootstrap binaries when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0006-tests-channels.scm-Disable-latest-channel-instances-.patch | [PATCH 06/29] tests/channels.scm: Disable latest-channel-instances includes channel dependencies when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0007-tests-syscalls.scm-Disable-scandir-properties-test-f.patch | [PATCH 07/29] tests/syscalls.scm: Disable scandir properties test failure. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0008-tests-derivations.scm-Disable-fixed-output-derivatio.patch | [PATCH 08/29] tests/derivations.scm: Disable fixed-output derivations tests when network is unavailable (???) | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0009-tests-derivations.scm-Only-run-download-built-in-bui.patch | [PATCH 09/29] tests/derivations.scm: Only run download built-in builder when network is available. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-06 | ||
| 0010-tests-challenge.scm-Disable-tests-that-may-require-n.patch | [PATCH 10/29] tests/challenge.scm: Disable tests that may require network for bootstrap binaries. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0011-tests-union.scm-Skip-tests-that-depend-on-bootstrap-.patch | [PATCH 11/29] tests/union.scm: Skip tests that depend on bootstrap binaries. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0012-tests-store.scm-Disable-tests-requiring-bootstrap-bi.patch | [PATCH 12/29] tests/store.scm: Disable tests requiring bootstrap binaries when network in unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0013-tests-store.scm-Disable-tests-requiring-bootstrap-gu.patch | [PATCH 13/29] tests/store.scm: Disable tests requiring bootstrap-guile when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0014-tests-size.scm-Disable-tests-requiring-bootstrap-bin.patch | [PATCH 14/29] tests/size.scm: Disable tests requiring bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0015-tests-processes.scm-Disable-test-using-bootstrap-gui.patch | [PATCH 15/29] tests/processes.scm: Disable test using bootstrap-guile when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0016-tests-derivations.scm-Disable-tests-requiring-bootst.patch | [PATCH 16/29] tests/derivations.scm: Disable tests requiring bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0017-tests-gexp.scm-Disable-tests-using-bootstrap-binarie.patch | [PATCH 17/29] tests/gexp.scm: Disable tests using bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0018-tests-grafts.scm-Disable-tests-that-require-bootstra.patch | [PATCH 18/29] tests/grafts.scm: Disable tests that require bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0019-tests-graph.scm-Disable-test-needing-further-investi.patch | [PATCH 19/29] tests/graph.scm: Disable test needing further investigation. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0020-tests-packages.scm-Disable-tests-using-bootstrap-bin.patch | [PATCH 20/29] tests/packages.scm: Disable tests using bootstrap binaries when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0021-tests-profiles.scm-Disable-tests-using-bootstrap-bin.patch | [PATCH 21/29] tests/profiles.scm: Disable tests using bootstrap binaries when networking is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0022-tests-publish.scm-Disable-test-requiring-bootstrap-b.patch | [PATCH 22/29] tests/publish.scm: Disable test requiring bootstrap binaries when networking is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0023-tests-publish.scm-Disable-test-needing-further-inves.patch | [PATCH 23/29] tests/publish.scm: Disable test needing further investigation. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0024-tests-derivations.scm-Disable-tests-that-need-bootst.patch | [PATCH 24/29] tests/derivations.scm: Disable tests that need bootstrap binaries. | Vagrant Cascadian <vagrant@debian.org> | no | 2020-11-10 | ||
| 0025-tests-containers.scm-Disable-container-tests.patch | [PATCH 25/29] tests/containers.scm: Disable container tests. | Vagrant Cascadian <vagrant@debian.org> | no | 2021-01-20 | ||
| 0026-tests-guix-environment-container.sh-Disable-containe.patch | [PATCH 26/29] tests/guix-environment-container.sh: Disable container tests. | Vagrant Cascadian <vagrant@debian.org> | no | 2021-01-20 | ||
| 0027-tests-syscalls.scm-Disable-tests-requiring-user-name.patch | [PATCH 27/29] tests/syscalls.scm: Disable tests requiring user namespaces. | Vagrant Cascadian <vagrant@debian.org> | no | 2021-01-20 | ||
| 0030-Disable-gexp-derivation-allowed-references-test-when.patch | [PATCH 30/32] Disable "gexp->derivation #:allowed-references" test when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2021-04-25 | ||
| 0031-Disable-substitue-deduplication-test-when-network-is.patch | [PATCH 31/32] Disable "substitue, deduplication" test when network is unavailable. | Vagrant Cascadian <vagrant@debian.org> | no | 2021-04-25 | ||
| guix-daemon-openrc-fixes | Fix path to guix-daemon and use the _guixbuild group. =================================================================== |
no | ||||
| tests-disable-guix-shell-test | =================================================================== | no | ||||
| more-disabled-tests | =================================================================== | no | ||||
| use-c-utf8-locale | Use the C.UTF-8 locale for guix-daemon and guix-publish. https://bugs.debian.org/1012536 =================================================================== |
no | ||||
| tests-skip-guix-home-no-localstatedir | =================================================================== | no | ||||
| tests-disable-trivial-with-allowed-references | diff --git a/tests/packages.scm b/tests/packages.scm index 3506f94f91..3bc5ccb286 100644 |
no | ||||
| tests-disable-lower-object-computed-file | diff --git a/tests/gexp.scm b/tests/gexp.scm index ad8e1d57b8..9a2e144377 100644 |
no | ||||
| tests-disable-guix-hash-git | guix hash -S git requires disarchive, which is not yet available in Debian. diff --git a/tests/guix-hash.sh b/tests/guix-hash.sh index 8b03c7985d..bbde6b5c88 100644 |
no | ||||
| tests-disable-pypi-guix-package-no-wheel | =================================================================== | no | ||||
| tests-gexp.scm-references-file-Skip-test-depending-o.patch | [PATCH] tests/gexp.scm: references-file: Skip test depending on bootstrap binaries when network is not reachable. | Vagrant Cascadian <vagrant@reproducible-builds.org> | no | 2022-10-23 | ||
| tests-build-utils.scm-Disable-wrap-script-tests-if-n.patch | [PATCH 1/3] tests/build-utils.scm: Disable wrap-script tests if network unavailable. May require bootstrap binaries. |
Vagrant Cascadian <vagrant@debian.org> | no | 2022-10-26 | ||
| tests-guix-shell-export-manifest.sh-Disable-test-req.patch | [PATCH 2/3] tests/guix-shell-export-manifest.sh: Disable test, requires bootstrap binaries. | Vagrant Cascadian <vagrant@debian.org> | no | 2022-10-26 | ||
| tests-profiles.scm-Disable-profile-derivation-format.patch | [PATCH 3/3] tests/profiles.scm: Disable "profile-derivation format version 3" and "deduplication of repeated entries", requires bootstrap binaries. |
Vagrant Cascadian <vagrant@debian.org> | no | 2022-10-26 | ||
| security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch | [PATCH 01/36] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process for instance over an abstract AF_UNIX socket, which would then allow said process to modify the file in the store after it has been marked as “valid”. Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the ‘Path’ variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’ is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output. |
=?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org> | no | 2024-03-11 | ||
| security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch | [PATCH 32/36] daemon: Address shortcoming in previous security fix for CVE-2024-27297. This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. |
=?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org> | no | 2024-03-12 | ||
| security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch | [PATCH 1/2] daemon: Sanitize failed build outputs prior to exposing them. The only thing keeping a rogue builder and a local user from collaborating to usurp control over the builder's user during the build is the fact that whatever files the builder may produce are not accessible to any other users yet. If we're going to make them accessible, we should probably do some sanity checking to ensure that sort of collaborating can't happen. Currently this isn't happening when failed build outputs are moved from the chroot as an aid to debugging. * nix/libstore/build.cc (secureFilePerms): new function. (DerivationGoal::buildDone): use it. |
Reepca Russelstein <reepca@russelstein.xyz> | no | 2024-10-20 | ||
| security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch | [PATCH 2/2] daemon: Sanitize successful build outputs prior to exposing them. There is currently a window of time between when the build outputs are exposed and when their metadata is canonicalized. * nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after metadata canonicalization to move successful build outputs to the store. |
Reepca Russelstein <reepca@russelstein.xyz> | no | 2024-10-20 |