The rpm-for-tests would no longer build, due to the parent package having
migrated to CMake. Use the --dbpath argument instead of a variant test
package.
* tests/pack.scm (rpm-for-tests): Delete variable.
(rpm archive can be installed/uninstalled): Invoke rpm, not rpm-for-tests, but
with the --dbpath location specified.
Change-Id: I1b578db3ef8f1309c32c6ef92615814ca49fd22c
* guix/import/utils.scm: (git-origin, git->origin): Add procedures.
* guix/import/elpa.scm
(download-git-repository): Remove function download-git-repository.
(git-repository->origin): Remove function git-repository->origin.
(ref): Add function ref.
(melpa-recipe->origin): Use functions git->origin and ref.
* guix/import/go.scm
(git-checkout-hash): Remove function git-checkout-hash.
(transform-version): Add function transform-version.
(vcs->origin): Use functions git->origin and transform-version. Add
optional argument transform-version.
* tests/import/go.scm
(go-module->guix-package): Adapt test case to changes in guix/import/go.scm.
* guix/import/luanti.scm
(download-git-repository): Remove function download-git-repository.
(make-luanti-sexp): Use function git->origin.
* tests/luanti.scm
(make-package-sexp): Refresh function accordingly.
* guix/import/composer.scm
(make-php-sexp): Use function git->origin.
Change-Id: Ied05a63bdd60fbafe26fbbb4e115ff6f0bb9db3c
Signed-off-by: Liliana Marie Prikler <liliana.prikler@gmail.com>
This test broke with commit 8c9493cb31.
* tests/packages.scm ("package-transitive-supported-systems, implicit inputs"):
Change ‘%current-system’ to “riscv64-linux”.
Change-Id: Ia6d69f086cffea4144d2f032038b27ec91e904f3
At this point the value of 'st.st_mode' is from before canonicalization, so
restoring to that will undo the permissions aspect of the canonicalization for
a top-level directory store item.
Fixes #1104, introduced in ae18b3d9e6.
* nix/libstore/build.cc (DerivationGoal::registerOutputs): update 'st' with
post-canonicalization permissions before making actualPath
temporarily-writable.
* tests/store.scm ("build outputs aren't writable"): new test.
Change-Id: I5e5eaa79fa6b7f81e1d12fd285883c762a22ce5a
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Fixes guix/guix#2450.
This reverts commit b5745a327e, which introduced
discrepancies in how substitutes are served; in particular, narinfos of
non-substitutable items would still be served, and likewise for narinfos and
nars of dependents of non-substitutable items.
This reverts commit a7db92d9b3, this time with
the more careful command, to avoid a world rebuild:
grep -rl --exclude-dir=build --exclude-dir=patches --exclude=ld-wrapper.in \
--exclude=sitecustomize.py --exclude=guix-emacs.el maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
Change-Id: I0871f5cf9ace79e34e78e24154d0da6ea95a3a91
The change was automated via:
git grep -l maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
* .mailmap: New entry.
Change-Id: Iaa88b1e51c94159c49138fb43910badb990eb169
Fixes guix/guix#1975.
When using ‘read’, ‘package-field-location’ would not get source location for
atoms such as symbols, typically making it impossible to get the location of
the value of a field like (build-system gnu-build-system). This fixes that.
* guix/packages.scm (field-value-location): New procedure.
(package-field-location): Use it instead of inline code.
* tests/packages.scm ("package-field-location"): Test the ‘build-system’
field.
Reported-by: Nicolas Graves <ngraves@ngraves.fr>
Change-Id: I98c694bb6f1999fa9ca80e145fa016640067af55
* guix/lint.scm (check-compiler-for-target): Adjust the logic when
checking the make-flags to actually determine if it is a gexp or not.
* tests/lint.scm (compiler-for-target: looks through G-expressions): Fix
test.
Change-Id: I0040cf29c8197d394e63ac90b2fba7ca5bcb5861
Previously, the builder of a fixed-output derivation could communicate with an
external process via an abstract Unix-domain socket. In particular, it could
send an open file descriptor to the store, granting write access to some of
its output files in the store provided the derivation build fails—the fix for
CVE-2024-27297 did not address this specific case. It could also send an open
file descriptor to a setuid program, which could then be executed using
execveat to gain the privileges of the build user.
With this change, fixed-output derivations other than “builtin:download”
and “builtin:git-download” always run in a separate network namespace
and have network access provided by a TAP device backed by slirp4netns,
thereby closing the abstract Unix-domain socket channel.
* nix/libstore/globals.hh (Settings)[useHostLoopback, slirp4netns]: new
fields.
* config-daemon.ac (SLIRP4NETNS): new C preprocessor definition.
* nix/libstore/globals.cc (Settings::Settings): initialize them to defaults.
* nix/nix-daemon/guix-daemon.cc (options): add --isolate-host-loopback option.
* doc/guix.texi: document it.
* nix/libstore/build.cc (DerivationGoal)[slirp]: New field.
(setupTap, setupTapAction, waitForSlirpReadyAction, enableRouteLocalnetAction,
prepareSlirpChrootAction, spawnSlirp4netns, haveGlobalIPv6Address,
remapIdsTo0Action): New functions.
(initializeUserNamespace): allow the guest UID and GID to be specified.
(DerivationGoal::killChild): When ‘slirp’ is not -1, call ‘kill’.
(DerivationGoal::startBuilder): Unconditionally add CLONE_NEWNET to FLAGS.
When ‘fixedOutput’ is true, spawn ‘slirp4netns’.
When ‘fixedOutput’ and ‘useChroot’ are true, add setupTapAction,
waitForSlirpReadyAction, and enableRouteLocalnetAction to builder setup
phases.
Create a /etc/resolv.conf for fixed-output derivations that directs them to
slirp4netns's dns address.
When settings.useHostLoopback is true, supply fixed-output derivations with a
/etc/hosts that resolves "localhost" to slirp4netns's address for accessing
the host loopback.
* nix/libutil/util.cc (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New functions.
* nix/libutil/util.hh (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New declarations.
* gnu/packages/package-management.scm (guix): add slirp4netns input for linux
targets.
* tests/derivations.scm (builder-network-isolated?): new variable.
("fixed-output derivation, network access, localhost", "fixed-output
derivation, network access, external host"):
skip test case if fixed output derivations are isolated from the network.
Change-Id: Ia3fea2ab7add56df66800071cf15cdafe7bfab96
Signed-off-by: John Kehayias <john.kehayias@protonmail.com>
* guix/cve.scm: Exploit cpe vendor information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerabily-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.
(write-cache, fetch-vulnerabilities): Update the format version.
* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.
* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
Signed-off-by: Zheng Junjie <z572@z572.online>
Partly fixes <https://issues.guix.gnu.org/74583>.
Previously, passing an annotated tag to ‘--end’, as can happen when
‘guix git authenticate’ is invoked by the pre-push hook when pushing
tags, would lead to an error:
guix git: error: Git error: the requested type does not match the type in the ODB
* guix/scripts/git/authenticate.scm (ensure-commit-id): New procedure.
(guix-git-authenticate): Use it.
* tests/guix-git-authenticate.sh: Test with $v1_2_0_annotated_tag.
Change-Id: I22e8eb665609522c80c1f0dcb9e77a46c23c0c3c
This commit prevents Guix substitute servers from distributing binaries
which are marked non-substitutable. This prevents substitute servers
from accidentally committing copyright violations by distributing
binaries that are non-substitutable for copyright reasons.
* guix/scripts/publish.scm (render-nar): Query the derivers of
‘store-path’ and do nothing if one of them does not match
‘substitutable-derivation?’.
* tests/publish.scm ("non-substitutable derivation"): New test.
Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>
* guix/scripts/environment.scm (launch-environment/container): Add
/run/user/UID to ‘file-systems’.
* tests/guix-environment-container.sh: Test it.
Change-Id: I44c70a7554a06f40d073c25929ea7c6ded356d08
* gnu/home/services.scm (files->files-directory): Build file union
without checking for existence of included items.
* tests/guix-home.sh: Verify symlinking files out of store works.
Change-Id: I94054003f4a6be944252ce7a397cf56f0b979554
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
* guix/scripts/refresh.scm (update-specification->update-spec): Flag the
update-spec as partial when it is prefixed with '~'.
* tests/guix-refresh.sh: Test it. Remove extraneous 'guix refresh'
invocation.
* doc/guix.texi (Invoking guix refresh): Document it.
Change-Id: Iab4482d9367105f6ffcd2d6a49148736c93d53e4
Reviewed-by: Florian Pelz <pelzflorian@pelzflorian.de>
Reviewed-by: Ludovic Courtès <ludo@gnu.org>
This can be useful when evaluating a scheme-file store output for example,
which has multiple top level expressions.
* guix/ui.scm (read/eval): Also accept a port object as argument. Read and
evaluate all expressions from input port or string.
Change-Id: I0213706fa4824c3a8ffe5d93f44f263048cb62c2
Fixes <https://issues.guix.gnu.org/78272>.
Fixes a bug caused by commit ce363c1dc7,
which inadvertently made /tmp read-only as well.
* guix/scripts/environment.scm (launch-environment/container)[tmpfs]:
New variable.
Add it to ‘file-systems’.
* guix/scripts/home.scm (spawn-home-container): Add /tmp file system
to #:mounts.
* tests/guix-environment-container.sh: Add test.
Reported-by: Tomas Volf <~@wolfsden.cz>
Change-Id: I5cb449e6d0c213d4b5866cbcbd14990437a7d4c5
* guix/import/texlive.scm (tlpdb->package): Use (package-version
package-source) instead of %texlive-revision when importing a meta package.
* tests/texlive.scm ("texlive->guix-package, meta-package"): Test it.
Change-Id: I2a5d2eb6529dafe0c888b2a7a5a1b38af1160235