This reverts commit a7db92d9b3, this time with
the more careful command, to avoid a world rebuild:
grep -rl --exclude-dir=build --exclude-dir=patches --exclude=ld-wrapper.in \
--exclude=sitecustomize.py --exclude=guix-emacs.el maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
Change-Id: I0871f5cf9ace79e34e78e24154d0da6ea95a3a91

The change was automated via:
git grep -l maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
* .mailmap: New entry.
Change-Id: Iaa88b1e51c94159c49138fb43910badb990eb169

This one doesn't compile with gcc@11 because of a compiler bug:
checking that GCC bug 80431 is fixed... no
configure: error: Cannot build Nix with C++ compiler with this bug
* gnu/packages/package-management.scm (nix): Update to 2.19.7.
[arguments]{test-target}: Set it to run a subset of tests.
{phases}: Run 'check phase after 'install phase. Add a
'skip-failing-tests phase.
[native-inputs]: Add man-db, util-linux.
* gnu/packages/patches/nix-dont-build-html-doc.diff: Update accordingly.
Change-Id: I14e07ec7fce1b66d473ff084bf3dfc48d2e9284e

* gnu/packages/package-management.scm (guix): Update to 1.4.0-40.230ad0e33.
Since the revert 230ad0e33, the guix package that is used in system tests
has to be updated.
Change-Id: I1cfd05285cad27f083dbf7902c943b48a9a0f65b

Previously, the builder of a fixed-output derivation could communicate with an
external process via an abstract Unix-domain socket. In particular, it could
send an open file descriptor to the store, granting write access to some of
its output files in the store provided the derivation build fails—the fix for
CVE-2024-27297 did not address this specific case. It could also send an open
file descriptor to a setuid program, which could then be executed using
execveat to gain the privileges of the build user.
With this change, fixed-output derivations other than “builtin:download”
and “builtin:git-download” always run in a separate network namespace
and have network access provided by a TAP device backed by slirp4netns,
thereby closing the abstract Unix-domain socket channel.
* nix/libstore/globals.hh (Settings)[useHostLoopback, slirp4netns]: new
fields.
* config-daemon.ac (SLIRP4NETNS): new C preprocessor definition.
* nix/libstore/globals.cc (Settings::Settings): initialize them to defaults.
* nix/nix-daemon/guix-daemon.cc (options): add --isolate-host-loopback option.
* doc/guix.texi: document it.
* nix/libstore/build.cc (DerivationGoal)[slirp]: New field.
(setupTap, setupTapAction, waitForSlirpReadyAction, enableRouteLocalnetAction,
prepareSlirpChrootAction, spawnSlirp4netns, haveGlobalIPv6Address,
remapIdsTo0Action): New functions.
(initializeUserNamespace): allow the guest UID and GID to be specified.
(DerivationGoal::killChild): When ‘slirp’ is not -1, call ‘kill’.
(DerivationGoal::startBuilder): Unconditionally add CLONE_NEWNET to FLAGS.
When ‘fixedOutput’ is true, spawn ‘slirp4netns’.
When ‘fixedOutput’ and ‘useChroot’ are true, add setupTapAction,
waitForSlirpReadyAction, and enableRouteLocalnetAction to builder setup
phases.
Create a /etc/resolv.conf for fixed-output derivations that directs them to
slirp4netns's dns address.
When settings.useHostLoopback is true, supply fixed-output derivations with a
/etc/hosts that resolves "localhost" to slirp4netns's address for accessing
the host loopback.
* nix/libutil/util.cc (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New functions.
* nix/libutil/util.hh (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New declarations.
* gnu/packages/package-management.scm (guix): add slirp4netns input for linux
targets.
* tests/derivations.scm (builder-network-isolated?): new variable.
("fixed-output derivation, network access, localhost", "fixed-output
derivation, network access, external host"):
skip test case if fixed output derivations are isolated from the network.
Change-Id: Ia3fea2ab7add56df66800071cf15cdafe7bfab96
Signed-off-by: John Kehayias <john.kehayias@protonmail.com>

I am not sure relying on profile hooks works, since gnome-packagekit would not
start from guix shell. Using glib-or-gtk does make it start, which is better
as it does not rely on the profile.
* gnu/packages/package-management.scm (gnome-packagekit)
[source]: Use gnome mirrors.
[native-inputs]: Change gnu-gettext to gettext-minimal.
[inputs]: Remove polkit.
[arguments]: Use glib-or-gtk? phases.
Change-Id: I11c80d7470bd7f25888235afb4cadc9f1313ba31
Signed-off-by: Christopher Baines <mail@cbaines.net>

This reduces the number of dependents from close to 2000 packages to less than
100. This is done by substituting gtk-doc for gtk-doc/stable in a few
packages: the latter depends on inkscape/pinned rather than inkscape.
* gnu/packages/display-managers.scm (lightdm)
* gnu/packages/freedesktop.scm (accountsservice)
(libqrtr-glib, libappindicator)
* gnu/packages/gnome.scm (gcr, upower, libzapojit, gnome-software)
* gnu/packages/gtk.scm (cairo-with-documentation, gtk, libdbusmenu)
* gnu/packages/ibus.scm (ibus-minimal)
* gnu/packages/mail.scm (gmime)
* gnu/packages/music.scm (libgpod)
* gnu/packages/package-management.scm (flatpak)
* gnu/packages/xfce.scm (xfce4-dev-tools)
[propagated-inputs]: Remove gtk-doc; add gtk-doc/stable.

* gnu/packages/package-management.scm (flatpak)[inputs]: Add
gsettings-desktop-schemas.
<#:phases>: Set GSETTINGS_SCHEMA_DIR in wrap-phase.
This fixes an error that appeared when running system-wide Flatpak
operations such as 'sudo flatpak update':
GLib-GIO-ERROR [...] No GSettings schemas are installed on the system
The missing schemas from gsettings-desktop-schemas prevented proper GLib
configuration lookups (e.g., org.gnome.system.proxy). By setting
GSETTINGS_SCHEMA_DIR to point to gsettings-desktop-schemas' schema directory,
we ensure Flatpak can access required GLib configuration templates.
Change-Id: I9522c07b6c8ccf20a86ee966effb73eb61a2abc7
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

* gnu/packages/package-management.scm (python-conda-inject): New variable.
Change-Id: Ic4b91e01b68c62fd91a0f6d77e57c6d32c4b5d03
Signed-off-by: Steve George <steve@futurile.net>

Keep urllib3@1.26.17, but under a dedicated variable name, making it
less confusing with the "-next" suffix, which is meant to be a higher version
than the current one.
* gnu/packages/python-web.scm (python-urllib3-next): Update to
2.3.0. Inherit from python-urllib3.
[native-inputs]: Add python-hatchling and python-hatch-vcs.
(python-urllib3-1.26): New variable.
(python-elasticsearch) [propagated-inputs]: Remove python-urllib3-next;
add python-urllib3-1.26.
* gnu/packages/android.scm (sdkmanager) [inputs]: Remove
python-urllib3-next; add python-urllib3-1.26.
* gnu/packages/package-management.scm (conan) [propagated-inputs]:
Likewise.
* gnu/packages/video.scm (yt-dlp) [inputs]: Likewise.
Change-Id: I2679dda98180815d4e3580d965b8db9c61e53f4a