gnu: linux-libre 6.1: Update to 6.1.153.

* gnu/packages/linux.scm (linux-libre-6.1-version): Update to 6.1.153.
(linux-libre-6.1-pristine-source): Update hash.

Change-Id: Ibe36052df35e4f44e3e047d1350e3dd0469beba1

.guix-authorizations

@@ -98,6 +98,8 @@
    ;; <https://lists.gnu.org/archive/html/guix-devel/2020-01/msg00499.html>.
    "1EFB 0909 1F17 D28C CBF9  B13A 53D4 57B2 D636 EE82"
    (name "roptat"))
+  ("EAD1 89E4 799B 5E5E B20A  2A19 CDBC 0BD9 5943 A706"
+   (name "SameExpert"))
   (;; primary: "D6B0 C593 DA8C 5EDC A44C  7A58 C336 91F7 1188 B004"
    "A02C 2D82 0EF4 B25B A6B5  1D90 2AC6 A5EC 1C35 7C59"
    (name "samplet"))

doc/contributing.texi

@@ -2873,8 +2873,10 @@ Codeberg, a member of the ``Owners'' team can run:
 @end example
 
 @noindent
-... where @var{token} is a token created on the Codeberg interface
-granting access to the relevant settings.
+... where @var{token} is a token created via the
+@url{https://codeberg.org/user/settings/applications, Codeberg
+applications settings page}, granting read/write access to the
+@samp{organization} permission.
 
 @node Making Decisions
 @section Making Decisions

doc/guix.texi

@@ -22096,6 +22096,9 @@ resolver:
 @end lisp
 @end defvar
 
+
+@c %start of fragment
+
 @deftp {Data Type} dhcpcd-configuration
 Available @code{dhcpcd-configuration} fields are:
 
@@ -22150,11 +22153,15 @@ refer to @uref{https://www.rfc-editor.org/rfc/rfc2132#section-9.13,RFC
 
 @item @code{client-id} (type: maybe-string)
 Use the interface hardware address or the given string as a client
-identifier, this is matually exclusive with the @code{duid} option.
+identifier, this is mutually exclusive with the @code{duid} option.
 
 @item @code{extra-content} (type: maybe-string)
 Extra content to append to the configuration as-is.
 
+@item @code{shepherd-provision} (default: @code{(networking)}) (type: list-of-symbols)
+This is a list of symbols naming Shepherd services provided by this
+service.
+
 @item @code{shepherd-requirement} (default: @code{()}) (type: list-of-symbols)
 This is a list of symbols naming Shepherd services that this service
 will depend on.
@@ -22163,6 +22170,9 @@ will depend on.
 
 @end deftp
 
+
+@c %end of fragment
+
 @cindex NetworkManager
 
 @defvar network-manager-service-type
@@ -46432,8 +46442,7 @@ user need to enter a passphrase or use the REPL, this happens using the
 intended keyboard layout.
 
 When @var{qemu-networking?} is true, set up networking with the standard QEMU
-parameters.  When @var{virtio?} is true, load additional modules so that the
-initrd can be used as a QEMU guest with para-virtualized I/O drivers.
+parameters.
 
 When @var{volatile-root?} is true, the root file system is writable but any changes
 to it are lost.

etc/guix-install.sh

@@ -293,6 +293,9 @@ chk_sys_arch()
         ppc64le | powerpc64le)
             local arch=powerpc64le
             ;;
+        riscv64)
+            local arch=riscv64
+            ;;
         *)
             die "Unsupported CPU type: ${arch}"
     esac

etc/teams.scm

@@ -1256,7 +1256,8 @@ the \"texlive\" importer."
   core-packages qt kde)
 
 (define-member (person "Sughosha"
-                       "sughosha@disroot.org")
+                       "sughosha@disroot.org"
+                       "SameExpert")
   audio kde)
 
 (define-member (person "Jelle Licht"

gnu/home/services/sway.scm

@@ -34,15 +34,62 @@
 
             ;; Configuration records.
             sway-configuration
+            sway-configuration-keybindings
+            sway-configuration-gestures
+            sway-configuration-packages
+            sway-configuration-variables
+            sway-configuration-inputs
+            sway-configuration-outputs
+            sway-configuration-bar
+            sway-configuration-modes
+            sway-configuration-startup+reload-programs
+            sway-configuration-startup-programs
+            sway-configuration-extra-content
             sway-bar
+            sway-bar-identifier
+            sway-bar-position
+            sway-bar-hidden-state
+            sway-bar-binding-mode-indicator
+            sway-bar-colors
+            sway-bar-status-command
+            sway-bar-mouse-bindings
+            sway-bar-extra-content
             sway-output
+            sway-output-identifier
+            sway-output-resolution
+            sway-output-position
+            sway-output-background
+            sway-output-extra-content
             sway-input
-            point
+            sway-input-identifier
+            sway-input-layout
+            sway-input-disable-while-typing
+            sway-input-disable-while-trackpointing
+            sway-input-tap
+            sway-input-extra-content
             sway-color
+            sway-color-background
+            sway-color-statusline
+            sway-color-focused-background
+            sway-color-focused-statusline
+            sway-color-focused-workspace
+            sway-color-active-workspace
+            sway-color-inactive-workspace
+            sway-color-urgent-workspace
+            sway-color-binding-mode
             sway-border-color
+            sway-border-color-border
+            sway-border-color-background
+            sway-border-color-text
+            sway-mode
+            sway-mode-mode-name
+            sway-mode-keybindings
+            sway-mode-mouse-bindings
+            point
+
+            ;; Service type and helper function.
             home-sway-service-type
             sway-configuration->file
-            sway-mode
 
             ;; Default values.
             %sway-default-variables

gnu/local.mk

@@ -17,7 +17,7 @@
 # Copyright © 2017, 2020 Mathieu Othacehe <m.othacehe@gmail.com>
 # Copyright © 2017, 2018, 2019 Gábor Boskovits <boskovits@gmail.com>
 # Copyright © 2018 Amirouche Boubekki <amirouche@hypermove.net>
-# Copyright © 2018, 2019, 2020, 2021, 2022, 2024 Oleg Pykhalov <go.wigust@gmail.com>
+# Copyright © 2018, 2019, 2020, 2021, 2022, 2024, 2025 Oleg Pykhalov <go.wigust@gmail.com>
 # Copyright © 2018 Stefan Stefanović <stefanx2ovic@gmail.com>
 # Copyright © 2018, 2020-2025 Maxim Cournoyer <maxim@guixotic.coop>
 # Copyright © 2019, 2020, 2021, 2022, 2024 Guillaume Le Vaillant <glv@posteo.net>
@@ -1244,6 +1244,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/exercism-disable-self-update.patch	\
   %D%/packages/patches/extempore-unbundle-external-dependencies.patch	\
   %D%/packages/patches/extundelete-e2fsprogs-1.44.patch		\
+  %D%/packages/patches/fail2ban-fix-sshd-filter.patch           \
   %D%/packages/patches/fail2ban-paths-guix-conf.patch		\
   %D%/packages/patches/faiss-tests-CMakeLists-find-googletest.patch	\
   %D%/packages/patches/falcosecurity-libs-shared-build.patch	\
@@ -1706,7 +1707,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/kodi-set-libcurl-ssl-parameters.patch		\
   %D%/packages/patches/krita-bump-sip-abi-version-to-12.8.patch	\
   %D%/packages/patches/krita-xsimd-13-compat.patch	\
-  %D%/packages/patches/kvmfr-linux-module-fix-build.patch	\
   %D%/packages/patches/kwayland-5-fix-build.patch		\
   %D%/packages/patches/kwin-unwrap-executable-name-for-dot-desktop-search.patch\
   %D%/packages/patches/laby-make-install.patch			\
@@ -1995,6 +1995,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/openssl-hurd64.patch			\
   %D%/packages/patches/opentaxsolver-file-browser-fix.patch     \
   %D%/packages/patches/open-zwave-hidapi.patch			\
+  %D%/packages/patches/opusfile-CVE-2022-47021.patch		\
   %D%/packages/patches/orangeduck-mpc-fix-pkg-config.patch	\
   %D%/packages/patches/orbit2-fix-array-allocation-32bit.patch \
   %D%/packages/patches/orpheus-cast-errors-and-includes.patch	\
@@ -2418,6 +2419,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/unzip-32bit-zipbomb-fix.patch    \
   %D%/packages/patches/ustr-fix-build-with-gcc-5.patch		\
   %D%/packages/patches/util-linux-tests.patch			\
+  %D%/packages/patches/vagrant-bin-vagrant-silence-warning-about-installer.patch	\
+  %D%/packages/patches/vagrant-Support-system-installed-plugins.patch	\
+  %D%/packages/patches/vagrant-Use-a-private-temporary-dir.patch	\
   %D%/packages/patches/vboot-utils-fix-format-load-address.patch	\
   %D%/packages/patches/vboot-utils-fix-tests-show-contents.patch	\
   %D%/packages/patches/vboot-utils-skip-test-workbuf.patch	\

gnu/packages/admin.scm

@@ -4420,7 +4420,7 @@ you are running, what theme or icon set you are using, etc.")
 (define-public hyfetch
   (package
     (name "hyfetch")
-    (version "2.0.1")
+    (version "2.0.2")
     (source
      (origin
        (method git-fetch)
@@ -4429,7 +4429,7 @@ you are running, what theme or icon set you are using, etc.")
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1c81425jaa2i0jdkfp2v7rsb0z7vzgba3735lgf5m921618k18rr"))))
+        (base32 "1h3s8m6csmxj815cpzh30m59132n8drxya0s2lh5ngjkpazgdnv3"))))
     (build-system pyproject-build-system)
     (native-inputs
      (list python-pytest
@@ -4640,7 +4640,7 @@ information tool.")
 (define-public fastfetch-minimal
   (package
     (name "fastfetch-minimal")
-    (version "2.51.1")
+    (version "2.53.0")
     (source
      (origin
        (method git-fetch)
@@ -4649,7 +4649,7 @@ information tool.")
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1c5z1mgpgm8nzxkdjfh0412zdnv1f8i1vvic2h5v99f9cmdjwr25"))
+        (base32 "0w260lscjy3rqahhr2637hb3fqsklv2qx59f2v66wy99nnmqvbha"))
        (modules '((guix build utils)))
        (snippet '(begin
                    (delete-file-recursively "src/3rdparty")))))
@@ -6242,7 +6242,8 @@ alias cysdig=sudo csysdig --modern-bpf
                                 '("paths-arch.conf" "paths-debian.conf"
                                   "paths-fedora.conf" "paths-freebsd.conf"
                                   "paths-opensuse.conf" "paths-osx.conf")))))
-       (patches (search-patches "fail2ban-paths-guix-conf.patch"))))
+       (patches (search-patches "fail2ban-fix-sshd-filter.patch"
+                                "fail2ban-paths-guix-conf.patch"))))
     (build-system pyproject-build-system)
     (arguments
      (list

gnu/packages/electronics.scm

@@ -248,6 +248,42 @@ individual low-level driver modules.")
     (home-page "https://www.comedi.org/")
     (license license:lgpl2.1)))
 
+(define-public ieee-p1076
+  (package
+    (name "ieee-p1076")
+    (version "2019")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://opensource.ieee.org/vasg/Packages/")
+             (commit (string-append "1076-" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "1va626i5ww2ziw3dghw0d2mq7mrj5dwcn0h019h77866yw2pq9xn"))))
+    (build-system copy-build-system)
+    (native-inputs (list python-minimal-wrapper nvc python-vunit))
+    (arguments
+     (list
+      ;; Not all 2019 features are supported by nvc compiler.
+      ;; pass 1055 of 1648
+      #:tests? #f
+      #:install-plan
+      #~'(("ieee" "share/ieee/p1076/ieee" #:include ("vhdl"))
+          ("std" "share/ieee/p1076/std" #:include ("vhdl")))))
+    (native-search-paths
+     (list (search-path-specification
+             (variable "IEEE-1076")
+             (separator #f)
+             (files (list "share/ieee/p1076")))))
+    (home-page "https://IEEE-P1076.gitlab.io")
+    (synopsis "VHDL libraries corresponding to the IEEE 1076 standard")
+    (description
+     "Open source materials intended for reference by the IEEE standard 1076,
+as approved and published by the @acronym{VHDL, Very High Speed Hardware
+Description Language} Analysis and Standardization Group.")
+    (license license:asl2.0)))
+
 (define-public fftgen
   (let ((commit "3378b77d83a98b06184656a5cb9b54e50dfe4485") ;no releases
         (revision "1"))
@@ -371,68 +407,69 @@ For synthesis, the compiler generates netlists in the desired format.")
     (license (list license:gpl2 license:lgpl2.1+))))
 
 (define-public icestorm
-  (let ((commit "3cdcf4b009bb8681ab7e2e09d65043f04334b60e")
-        (revision "5"))
-    (package
-      (name "icestorm")
-      (version (git-version "0.0" revision commit))
-      (source
-       (origin
-         (method git-fetch)
-         (uri (git-reference
-                (url "https://github.com/YosysHQ/icestorm/")
-                (commit commit)))
-         (file-name (git-file-name name version))
-         (sha256
-          (base32 "0ygp6cj7grlnyji572kx215p2mw4crllskif9g795f390bp38g68"))))
-      (build-system gnu-build-system)
-      (arguments
-       (list
-        #:tests? #f               ;avoid a cyclic dependency with nextpr-ice40
-        #:make-flags
-        #~(list (string-append "CC="
-                               #$(cc-for-target))
-                (string-append "CXX="
-                               #$(cxx-for-target))
-                (string-append "PREFIX="
-                               #$output)
-                "ICEPROG=1")
-        #:phases
-        #~(modify-phases %standard-phases
-            (add-after 'unpack 'fix-usr-local
-              (lambda* (#:key outputs #:allow-other-keys)
-                (substitute* "icepack/Makefile"
-                  (("/usr/local")
-                   #$output))
-                (substitute* "icebox/Makefile"
-                  (("/usr/local")
-                   #$output))
-                (substitute* "icebox/icebox_vlog.py"
-                  (("/usr/local")
-                   #$output))))
-            (add-after 'build 'make-info
-              (lambda* (#:key outputs #:allow-other-keys)
-                (with-directory-excursion "docs"
-                  (invoke "make" "info")
-                  (install-file "build/texinfo/projecticestorm.info"
-                                (string-append #$output "/share/info"))
-                  (copy-recursively "build/texinfo/projecticestorm-figures"
-                                    (string-append #$output
-                                                   "/share/info/projecticestorm-figures")))))
-            (delete 'configure))))
-      (inputs (list libftdi))
-      (native-inputs (list pkg-config
-                           python
-                           python-sphinx
-                           python-sphinx-rtd-theme
-                           texinfo))
-      (home-page "https://prjicestorm.readthedocs.io/")
-      (synopsis "Bitstream tools for Lattice iCE40 FPGAs")
-      (description
-       "Project IceStorm aims at documenting the bitstream format of
-Lattice iCE40 FPGAs and providing simple tools for analyzing and creating bitstream
+  (package
+    (name "icestorm")
+    (version "1.1")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+              (url "https://github.com/YosysHQ/icestorm/")
+              (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "0yh36kd23y4sk65g34r1h244ax9fj5c668y6pwqwaq3c0nmb3d28"))))
+    (build-system gnu-build-system)
+    (arguments
+     (list
+      #:tests? #f               ;no tests
+      #:make-flags
+      #~(list (string-append "CC=" #$(cc-for-target))
+              (string-append "CXX=" #$(cxx-for-target))
+              (string-append "PREFIX=" #$output)
+              "ICEPROG=1")
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'unpack 'fix-usr-local
+            (lambda _
+              (substitute* "config.mk"
+                (("/usr/local")
+                 #$output))
+              (substitute* "icepack/Makefile"
+                (("/usr/local")
+                 #$output))
+              (substitute* "icebox/Makefile"
+                (("/usr/local")
+                 #$output))
+              (substitute* "icebox/icebox_vlog.py"
+                (("/usr/local")
+                 #$output))))
+          (add-after 'build 'make-info
+            (lambda _
+              (with-directory-excursion "docs"
+                (invoke "make" "info")
+                (install-file "build/texinfo/projecticestorm.info"
+                              (string-append #$output "/share/info"))
+                (copy-recursively
+                 "build/texinfo/projecticestorm-figures"
+                 (string-append #$output
+                                "/share/info/projecticestorm-figures")))))
+          (delete 'configure))))
+    (inputs
+     (list libftdi))
+    (native-inputs
+     (list pkg-config
+           python-minimal
+           python-sphinx-rtd-theme
+           python-sphinxcontrib-svg2pdfconverter
+           texinfo))
+    (home-page "https://prjicestorm.readthedocs.io/")
+    (synopsis "Bitstream tools for Lattice iCE40 FPGAs")
+    (description
+     "Project IceStorm aims at documenting the bitstream format of Lattice
+iCE40 FPGAs and providing simple tools for analyzing and creating bitstream
 files.")
-      (license license:isc))))
+    (license license:isc)))
 
 (define-public json-for-vhdl
   ;; No tagged releases.

gnu/packages/geo.scm

@@ -890,7 +890,7 @@ OpenGeoSys")
 (define-public ogs-serial
   (package
     (name "ogs-serial")
-    (version "6.5.5")
+    (version "6.5.6")
     (source
      (origin
        (method git-fetch)
@@ -899,7 +899,7 @@ OpenGeoSys")
               (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1zph6vlkcq6ph23hlwk4gx3xpdf98a2iz25viah429hm1agziqi4"))))
+        (base32 "0dpj0m1hp7pn8j5avk4gip80ccx08ik3jw5bknz722d7i9hm78dz"))))
     (build-system cmake-build-system)
     (arguments
      (list

gnu/packages/gnuzilla.scm

@@ -603,11 +603,9 @@ in the case of Firefox, it is browser/locales/all-locales."
     "zh-CN"
     "zh-TW"))
 
-(define %icecat-base-version (package-version mozjs))
-;;; See <https://product-details.mozilla.org/1.0/firefox_versions.json>
-;;; for the source of truth regarding Firefox releases.
+(define %icecat-base-version "140.3.1")
 (define %icecat-version (string-append %icecat-base-version "-gnu1"))
-(define %icecat-build-id "20250916000000") ;must be of the form YYYYMMDDhhmmss
+(define %icecat-build-id "20250923000000") ;must be of the form YYYYMMDDhhmmss
 
 ;; 'icecat-source' is a "computed" origin that generates an IceCat tarball
 ;; from the corresponding upstream Firefox ESR tarball, using the 'makeicecat'
@@ -618,9 +616,18 @@ in the case of Firefox, it is browser/locales/all-locales."
          (sub-version   (third  (string-split %icecat-base-version #\.)))
 
          (upstream-firefox-version (string-append %icecat-base-version "esr"))
-         (upstream-firefox-source (package-source mozjs))
+         (upstream-firefox-source
+          (origin
+            (method url-fetch)
+            (uri (string-append
+                  "https://ftp.mozilla.org/pub/firefox/releases/"
+                  upstream-firefox-version "/source/"
+                  "firefox-" upstream-firefox-version ".source.tar.xz"))
+            (sha256
+             (base32
+              "0db7qgcvw4knl6qbkn0a52vh2pcghcw4s2djdvcna1zlqjhv6hqb"))))
 
-         (gnuzilla-commit "c939d76c33294791cce8ce1722bd6747dadbe31f")
+         (gnuzilla-commit "b7f0c6b7d19ececd92640f26eaa43cfec29cf728")
          (gnuzilla-source
           (origin
             (method git-fetch)
@@ -631,7 +638,7 @@ in the case of Firefox, it is browser/locales/all-locales."
                                       (string-take gnuzilla-commit 8)))
             (sha256
              (base32
-              "03ly055r77fprm53474998hyjhb1a78spyxjs7998npyqzv3fscs"))))
+              "1hzwa4dbk5pvwas867vp2iivdr9zqppr9zbw2xgyd2mdf2kj4a20"))))
 
          ;; 'search-patch' returns either a valid file name or #f, so wrap it
          ;; in 'assume-valid-file-name' to avoid 'local-file' warnings.

gnu/packages/image.scm

@@ -770,15 +770,15 @@ maximum quality factor.")
       (if (and (target-riscv64?)
                (%current-target-system))
           (list #:phases
-                (modify-phases %standard-phases
-                  (add-after 'unpack 'update-config-scripts
-                    (lambda* (#:key native-inputs inputs #:allow-other-keys)
-                      (for-each (lambda (file)
-                                  (install-file
-                                   (search-input-file
-                                    (or native-inputs inputs)
-                                    (string-append "/bin/" file)) "."))
-                                '("config.guess" "config.sub"))))))
+                #~(modify-phases %standard-phases
+                    (add-after 'unpack 'update-config-scripts
+                      (lambda* (#:key native-inputs inputs #:allow-other-keys)
+                        (for-each (lambda (file)
+                                    (install-file
+                                     (search-input-file
+                                      (or native-inputs inputs)
+                                      (string-append "/bin/" file)) "."))
+                                  '("config.guess" "config.sub"))))))
           '())))
     (native-inputs
      (if (and (target-riscv64?)

gnu/packages/linux.scm

@@ -526,17 +526,17 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
 ;; The current "stable" kernels. That is, the most recently released major
 ;; versions that are still supported upstream.
 
-(define-public linux-libre-6.16-version "6.16.7")
+(define-public linux-libre-6.16-version "6.16.8")
 (define-public linux-libre-6.16-gnu-revision "gnu")
 (define deblob-scripts-6.16
   (linux-libre-deblob-scripts
    linux-libre-6.16-version
    linux-libre-6.16-gnu-revision
-   (base32 "1s44yaxib45834mjmvqkl70s2lazbzvpxhp4z7qwxkrkpw94mdxx")
+   (base32 "0qwh82z5bjmq7hhx7s41mnybpr8ihdk2g0bgjb3hzd95x6pw4w51")
    (base32 "1i4kba2wpkc7jmj7b2qjkrgqsl0g0s1h7j9pfvc7zqyyn9v3kkqr")))
 (define-public linux-libre-6.16-pristine-source
   (let ((version linux-libre-6.16-version)
-        (hash (base32 "108sk9r6ac0sc7h6ydvlyv7kib6z3af4v2f46kdinys2z6hxmqsv")))
+        (hash (base32 "17x6pylbrbh4fyk088gvhbd3gy3gpr1vn9jdjhlk3p44f2yi24r3")))
    (make-linux-libre-source version
                             (%upstream-linux-source version hash)
                             deblob-scripts-6.16)))
@@ -545,7 +545,7 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
 ;; Here are the support timelines:
 ;; <https://www.kernel.org/category/releases.html>
 
-(define-public linux-libre-6.12-version "6.12.47")
+(define-public linux-libre-6.12-version "6.12.48")
 (define-public linux-libre-6.12-gnu-revision "gnu")
 (define deblob-scripts-6.12
   (linux-libre-deblob-scripts
@@ -555,12 +555,12 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "1yl447396g454116j8v17wsqg5i0gyb2rrxvaygw6xdkbwrrj28j")))
 (define-public linux-libre-6.12-pristine-source
   (let ((version linux-libre-6.12-version)
-        (hash (base32 "099fj9qd8knafbl400drm8aqn5h7y6g39gc7d4i4hc3lf44f8bz8")))
+        (hash (base32 "1chx8ycj609pdpnkhl3d6dsimd4q49vkqdiqisbligsicxkypyav")))
    (make-linux-libre-source version
                             (%upstream-linux-source version hash)
                             deblob-scripts-6.12)))
 
-(define-public linux-libre-6.6-version "6.6.106")
+(define-public linux-libre-6.6-version "6.6.107")
 (define-public linux-libre-6.6-gnu-revision "gnu")
 (define deblob-scripts-6.6
   (linux-libre-deblob-scripts
@@ -570,12 +570,12 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "11i7pvm5n31rvp05msbm3ciclr84cz9c94f5r5aa6mmzhslwpbxk")))
 (define-public linux-libre-6.6-pristine-source
   (let ((version linux-libre-6.6-version)
-        (hash (base32 "18584vys8qmbqj4hndiyhwbsn6z3832djm1mx07vgl6wv3i80c8c")))
+        (hash (base32 "0iz4kvnsvs5fx9m2zm93xla2pkr0hqqyahm5d6f7p1n7scbk1dy9")))
    (make-linux-libre-source version
                             (%upstream-linux-source version hash)
                             deblob-scripts-6.6)))
 
-(define-public linux-libre-6.1-version "6.1.152")
+(define-public linux-libre-6.1-version "6.1.153")
 (define-public linux-libre-6.1-gnu-revision "gnu")
 (define deblob-scripts-6.1
   (linux-libre-deblob-scripts
@@ -585,7 +585,7 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "0f3jgbfd2j7sz7h1hb30s1r9147g1cbb3ia09k9834fvbiz1ihaa")))
 (define-public linux-libre-6.1-pristine-source
   (let ((version linux-libre-6.1-version)
-        (hash (base32 "1ndpnlmpsp2137aqis8bpa2cvdl28jg66pi0p2c6d26cm7i3n5qs")))
+        (hash (base32 "0j4yzkhkbcsa9pgwcyqyfxi73avi7m0hd6xfaql73zwrb3hbvsvn")))
    (make-linux-libre-source version
                             (%upstream-linux-source version hash)
                             deblob-scripts-6.1)))

gnu/packages/package-management.scm

@@ -194,8 +194,8 @@
   ;; Note: the 'update-guix-package.scm' script expects this definition to
   ;; start precisely like this.
   (let ((version "1.4.0")
-        (commit "9202921e812708b23788b2209cdb576d456f56db")
-        (revision 43))
+        (commit "a68bcfd2f53a409c530629d8ec0d9d152a56e16b")
+        (revision 44))
     (package
       (name "guix")
 
@@ -211,7 +211,7 @@
                       (commit commit)))
                 (sha256
                  (base32
-                  "02cvf6rndj9fwp13gqrqw2r9icpls8p2pq8cxpqs6j7ayj0pj1hy"))
+                  "10ri7f1pwq43ix0k59fqrrgdipz67sx9kyi3yw9x9n89v3k1ns62"))
                 (file-name (string-append "guix-" version "-checkout"))))
       (build-system gnu-build-system)
       (arguments

gnu/packages/password-utils.scm

@@ -1671,20 +1671,21 @@ your online accounts makes it necessary.")
 (define-public hashcat
   (package
     (name "hashcat")
-    (version "6.2.6")
+    (version "7.1.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://hashcat.net/files/hashcat-" version
                                   ".tar.gz"))
               (sha256
                (base32
-                "0akv1cgbmwyw8h8zbw5w5ixh92y95sdadh8qiz60hjgkpivi0pmj"))
+                "15lbzjfb6n3d06090g1dyf3llc20mnmrn1yc9ys30xbldlracilm"))
               (modules '((guix build utils)))
               ;; Delete bundled libraries.
               (snippet
                ;; TODO: Unbundle LZMA-SDK as well
                #~(for-each delete-file-recursively
-                           '("deps/zlib" "deps/xxHash" "deps/OpenCL-Headers")))))
+                           '("deps/unrar" ;; nonfree license
+                             "deps/zlib" "deps/xxHash" "deps/OpenCL-Headers")))))
     (inputs (list minizip opencl-headers xxhash zlib))
     (build-system gnu-build-system)
     (arguments
@@ -1692,6 +1693,7 @@ your online accounts makes it necessary.")
            #:make-flags #~(list (string-append "PREFIX=" #$output)
                                 (string-append "AR=" #$(ar-for-target))
                                 (string-append "CC=" #$(cc-for-target))
+                                (string-append "ENABLE_UNRAR=0")
                                 (string-append "USE_SYSTEM_ZLIB=1")
                                 (string-append "USE_SYSTEM_OPENCL=1")
                                 (string-append "USE_SYSTEM_XXHASH=1"))
@@ -1702,6 +1704,7 @@ your online accounts makes it necessary.")
                               (("\\$\\(shell date \\+%s\\)")
                                "0"))))
                         (delete 'configure))))
+    (supported-systems %64bit-supported-systems)
     (home-page "https://hashcat.net/hashcat/")
     (synopsis "Advanced password recovery utility")
     (description

gnu/packages/patches/fail2ban-fix-sshd-filter.patch

@@ -0,0 +1,96 @@
+Retrieved from https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch
+With ChangeLog hunk removed since it would not apply cleanly.
+
+From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
+From: Fabian Dellwing <fabian.dellwing@mbconnectline.de>
+Date: Tue, 2 Jul 2024 07:54:15 +0200
+Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index 1c8a02deb5..a1fd749aed 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = (?:sshd(?:-session)?)
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:09:28 +0200
+Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
+
+---
+ fail2ban/tests/files/logs/sshd | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
+index ed54ded4d4..7d3948ed80 100644
+--- a/fail2ban/tests/files/logs/sshd
++++ b/fail2ban/tests/files/logs/sshd
+@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa
+ # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" }
+ Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1
+ 
++# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
++Jul  3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2
++
+ #3
+ # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
+ Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+
+From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:33:39 +0200
+Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new
+ sshd-session log format
+
+---
+ fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+index ad8adeb69f..14256ba68c 100644
+--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
++++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:35:28 +0200
+Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index a1fd749aed..3a84b1ba52 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = (?:sshd(?:-session)?)
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?

gnu/packages/patches/kvmfr-linux-module-fix-build.patch

@@ -1,41 +0,0 @@
-Copied from
-https://github.com/gnif/LookingGlass/issues/1075#issuecomment-1546422678 and
-https://github.com/gnif/LookingGlass/issues/1134 with adjustments for current
-kvmfr source version.
-
-From c4950a830fbe2ca27337793aa227c86f5c044f46 Mon Sep 17 00:00:00 2001
-From: Oleg Pykhalov <go.wigust@gmail.com>
-Date: Sat, 5 Oct 2024 16:11:45 +0300
-Subject: [PATCH] Fix build
-
----
- module/kvmfr.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/module/kvmfr.c b/module/kvmfr.c
-index 121aae5..4c386f9 100644
---- a/module/kvmfr.c
-+++ b/module/kvmfr.c
-@@ -30,6 +30,7 @@
- #include <linux/highmem.h>
- #include <linux/memremap.h>
- #include <linux/version.h>
-+#include <linux/vmalloc.h>
- 
- #include <asm/io.h>
- 
-@@ -539,7 +540,11 @@ static int __init kvmfr_module_init(void)
-   if (kvmfr->major < 0)
-     goto out_free;
- 
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
-   kvmfr->pClass = class_create(THIS_MODULE, KVMFR_DEV_NAME);
-+#else
-+  kvmfr->pClass = class_create(KVMFR_DEV_NAME);
-+#endif
-   if (IS_ERR(kvmfr->pClass))
-     goto out_unreg;
- 
--- 
-2.41.0
-

gnu/packages/patches/opusfile-CVE-2022-47021.patch

@@ -0,0 +1,40 @@
+From 0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 Mon Sep 17 00:00:00 2001
+From: Ralph Giles <giles@thaumas.net>
+Date: Tue, 6 Sep 2022 19:04:31 -0700
+Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer.
+
+Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
+a null pointer. This allows more graceful recovery by the caller
+in the unlikely event of a fallible ogg_malloc call.
+
+We do check the return value elsewhere in the code, so the new
+checks make the code more consistent.
+
+Thanks to https://github.com/xiph/opusfile/issues/36 for reporting.
+
+Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>
+Signed-off-by: Mark Harris <mark.hsj@gmail.com>
+---
+ src/opusfile.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/opusfile.c b/src/opusfile.c
+index ca219b2..3c3c81e 100644
+--- a/src/opusfile.c
++++ b/src/opusfile.c
+@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,int _nbytes){
+   int            nbytes;
+   OP_ASSERT(_nbytes>0);
+   buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes);
++  if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
+   nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes);
+   OP_ASSERT(nbytes<=_nbytes);
+   if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes);
+@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of,
+   if(_initial_bytes>0){
+     char *buffer;
+     buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes);
++    if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
+     memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer));
+     ogg_sync_wrote(&_of->oy,(long)_initial_bytes);
+   }

gnu/packages/patches/vagrant-Support-system-installed-plugins.patch

@@ -0,0 +1,172 @@
+From: Hartmut Goebel <h.goebel@crazy-compilers.com>
+Date: Mon, 07 Aug 2023 18:09:09 +0200
+Subject: Support system-installed plugins
+
+Plugins must be installed as regular Ruby libraries, and they must
+contain share/vagrant-plugins/plugins.d/$PLUGINNAME.json with the
+following content:
+
+{
+  "${PLUGINNAME}": {
+    "ruby_version":"$(ruby -e 'puts RUBY_VERSION')",
+    "vagrant_version":"$(cat /usr/share/vagrant/version.txt)",
+    "gem_version":"",
+    "require":"",
+    "sources":[]
+  }
+}
+
+This patch was based on the respective patch from Debian, anyhow heavily
+adjusted to Guix and to support GUIX_VAGRANT_PLUGINS_PATH.
+
+Orignal-Author: Antonio Terceiro <terceiro@debian.org>
+Co-authored-by: Antonio Terceiro <terceiro@debian.org>
+---
+ bin/vagrant                      | 15 +++++++++++++++
+ lib/vagrant/bundler.rb           |  2 +-
+ lib/vagrant/plugin/manager.rb    |  4 ++--
+ lib/vagrant/plugin/state_file.rb | 30 ++++++++++++++++++++++++++++--
+ lib/vagrant/shared_helpers.rb    |  8 ++++++++
+ 5 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/bin/vagrant b/bin/vagrant
+index d3f4ea6..cc00efa 100755
+--- a/bin/vagrant
++++ b/bin/vagrant
+@@ -86,6 +86,21 @@ $stderr.sync = true
+ # so we can provide correct resolutions later
+ builtin_specs = []
+ 
++# Add the gem paths of vagrant plugins to the Gem search path
++# TODO: find a better way to add paths to the Gem search path
++gempath = []
++if ENV['GEM_PATH']
++  gempath.append(ENV['GEM_PATH'])
++end
++ENV['GUIX_VAGRANT_PLUGINS_PATH'].split(File::PATH_SEPARATOR).each do |pluginsdir|
++  gemdir = File.absolute_path(File.join(pluginsdir, "../../lib/ruby/vendor_ruby"))
++  gempath.append(gemdir)
++end
++ENV['GEM_PATH'] = gempath.join(':')
++gemdir = nil
++gempath = nil
++Gem.clear_paths()  # make GEM_PATH be reevaluated
++
+ vagrant_spec = Gem::Specification.find_all_by_name("vagrant").detect do |spec|
+   spec.version == Gem::Version.new(Vagrant::VERSION)
+ end
+diff --git a/lib/vagrant/bundler.rb b/lib/vagrant/bundler.rb
+index 46ef69f..27979b9 100644
+--- a/lib/vagrant/bundler.rb
++++ b/lib/vagrant/bundler.rb
+@@ -665,7 +665,7 @@ module Vagrant
+         spec_dir = Gem::Specification.default_specifications_dir
+       end
+       directories = [spec_dir]
+-      if Vagrant.in_bundler?
++      if Vagrant.in_bundler? || Vagrant.in_guix_package?
+         Gem::Specification.find_all{true}.each do |spec|
+           list[spec.full_name] = spec
+         end
+diff --git a/lib/vagrant/plugin/manager.rb b/lib/vagrant/plugin/manager.rb
+index b73f07f..94cd609 100644
+--- a/lib/vagrant/plugin/manager.rb
++++ b/lib/vagrant/plugin/manager.rb
+@@ -18,7 +18,7 @@ module Vagrant
+ 
+       # Returns the path to the [StateFile] for system plugins.
+       def self.system_plugins_file
+-        dir = Vagrant.installer_embedded_dir
++        dir = nil
+         return nil if !dir
+         Pathname.new(dir).join("plugins.json")
+       end
+@@ -38,7 +38,7 @@ module Vagrant
+ 
+         system_path  = self.class.system_plugins_file
+         @system_file = nil
+-        @system_file = StateFile.new(system_path) if system_path && system_path.file?
++        @system_file = StateFile.new(system_path, true) #if system_path && system_path.file?
+ 
+         @local_file = nil
+         @globalized = @localized = false
+diff --git a/lib/vagrant/plugin/state_file.rb b/lib/vagrant/plugin/state_file.rb
+index c6872d4..b927fd8 100644
+--- a/lib/vagrant/plugin/state_file.rb
++++ b/lib/vagrant/plugin/state_file.rb
+@@ -11,11 +11,17 @@ module Vagrant
+       # @return [Pathname] path to file
+       attr_reader :path
+ 
+-      def initialize(path)
++      def initialize(path, system = false)
+         @path = path
++        @system = system
+ 
+         @data = {}
+-        if @path.exist?
++        if system
++          if  ENV.has_key?('GUIX_VAGRANT_PLUGINS_PATH')
++            @data["installed"] = {}
++            load_system_plugins
++          end
++        elsif @path.exist?
+           begin
+             @data = JSON.parse(@path.read)
+           rescue JSON::ParserError => e
+@@ -30,6 +36,22 @@ module Vagrant
+         @data["installed"] ||= {}
+       end
+ 
++      def load_system_plugins
++        ENV['GUIX_VAGRANT_PLUGINS_PATH'].split(File::PATH_SEPARATOR).each do |pluginsdir|
++          extra_plugins = Dir.glob(File.join(pluginsdir, 'plugins.d', '*.json'))
++          extra_plugins.each do |filename|
++            json = File.read(filename)
++            begin
++              plugin_data = JSON.parse(json)
++              @data["installed"].merge!(plugin_data)
++            rescue JSON::ParserError => e
++              raise Vagrant::Errors::PluginStateFileParseError,
++                path: filename, message: e.message
++            end
++          end
++        end
++      end
++
+       # Add a plugin that is installed to the state file.
+       #
+       # @param [String] name The name of the plugin
+@@ -107,6 +129,10 @@ module Vagrant
+           f.close
+           FileUtils.mv(f.path, @path)
+         end
++      rescue Errno::EACCES
++        # Ignore permission denied against system-installed plugins; regular
++        # users are not supposed to write there.
++        raise unless @system
+       end
+ 
+       protected
+diff --git a/lib/vagrant/shared_helpers.rb b/lib/vagrant/shared_helpers.rb
+index 7b0b87c..eb9a21e 100644
+--- a/lib/vagrant/shared_helpers.rb
++++ b/lib/vagrant/shared_helpers.rb
+@@ -43,6 +43,14 @@ module Vagrant
+       !defined?(::Bundler).nil?
+   end
+ 
++  # This returns a true/false if we are running from a Guix package
++  #
++  # @return [Boolean]
++  def self.in_guix_package?
++    # FIXME write a proper check if this ever goes upstream
++    true
++  end
++
+   # Returns the path to the embedded directory of the Vagrant installer,
+   # if there is one (if we're running in an installer).
+   #
+-- 
+2.30.9
+

gnu/packages/patches/vagrant-Use-a-private-temporary-dir.patch

@@ -0,0 +1,119 @@
+From: Antonio Terceiro <terceiro@debian.org>
+Date: Wed, 22 Oct 2014 09:40:14 -0200
+Subject: Use a private temporary directory that is cleanup up on exit
+
+This avoids vagrant from cluttering $TMPDIR with dozens of even hundreds
+of temporary files (~4 per vagrant invocation).
+---
+ lib/vagrant/box.rb           |  3 ++-
+ lib/vagrant/util.rb          |  1 +
+ lib/vagrant/util/caps.rb     |  2 +-
+ lib/vagrant/util/platform.rb |  2 +-
+ lib/vagrant/util/tempfile.rb | 39 +++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 44 insertions(+), 3 deletions(-)
+ create mode 100644 lib/vagrant/util/tempfile.rb
+
+diff --git a/lib/vagrant/box.rb b/lib/vagrant/box.rb
+index 90dc69d..4ee79b9 100644
+--- a/lib/vagrant/box.rb
++++ b/lib/vagrant/box.rb
+@@ -12,6 +12,7 @@ require "vagrant/util/downloader"
+ require "vagrant/util/platform"
+ require "vagrant/util/safe_chdir"
+ require "vagrant/util/subprocess"
++# require "vagrant/util/tempfile"
+ 
+ module Vagrant
+   # Represents a "box," which is a package Vagrant environment that is used
+@@ -153,7 +154,7 @@ module Vagrant
+     # @param [Hash] download_options Options to pass to the downloader.
+     # @return [BoxMetadata]
+     def load_metadata(download_options={})
+-      tf = Tempfile.new("vagrant-load-metadata")
++      tf = Util::Tempfile.new("vagrant-load-metadata")
+       tf.close
+ 
+       url = @metadata_url
+diff --git a/lib/vagrant/util.rb b/lib/vagrant/util.rb
+index 4b3e0ff..36eb671 100644
+--- a/lib/vagrant/util.rb
++++ b/lib/vagrant/util.rb
+@@ -57,6 +57,7 @@ module Vagrant
+     autoload :SilenceWarnings,           'vagrant/util/silence_warnings'
+     autoload :SSH,                       'vagrant/util/ssh'
+     autoload :StackedProcRunner,         'vagrant/util/stacked_proc_runner'
++    autoload :Tempfile,                  'vagrant/util/tempfile'
+     autoload :StringBlockEditor,         'vagrant/util/string_block_editor'
+     autoload :Subprocess,                'vagrant/util/subprocess'
+     autoload :TemplateRenderer,          'vagrant/util/template_renderer'
+diff --git a/lib/vagrant/util/caps.rb b/lib/vagrant/util/caps.rb
+index 310add3..55afc49 100644
+--- a/lib/vagrant/util/caps.rb
++++ b/lib/vagrant/util/caps.rb
+@@ -31,7 +31,7 @@ module Vagrant
+ 
+         def ensure_output_iso(file_destination)
+           if file_destination.nil?
+-            tmpfile = Tempfile.new(["vagrant", ".iso"])
++            tmpfile = Util::Tempfile.new(["vagrant", ".iso"])
+             file_destination = Pathname.new(tmpfile.path)
+             tmpfile.close
+             tmpfile.unlink
+diff --git a/lib/vagrant/util/platform.rb b/lib/vagrant/util/platform.rb
+index c8658e1..0421c70 100644
+--- a/lib/vagrant/util/platform.rb
++++ b/lib/vagrant/util/platform.rb
+@@ -388,7 +388,7 @@ module Vagrant
+ 
+           if wsl?
+             # Mark our filesystem with a temporary file having an unique name.
+-            marker = Tempfile.new(Time.now.to_i.to_s)
++            marker = Util::Tempfile.new(Time.now.to_i.to_s)
+             logger = Log4r::Logger.new("vagrant::util::platform::wsl")
+ 
+             # Check for lxrun installation first
+diff --git a/lib/vagrant/util/tempfile.rb b/lib/vagrant/util/tempfile.rb
+new file mode 100644
+index 0000000..0cbbb53
+--- /dev/null
++++ b/lib/vagrant/util/tempfile.rb
+@@ -0,0 +1,39 @@
++require 'fileutils'
++require 'tmpdir'
++
++module Vagrant
++  module Util
++    class Tempfile < ::Tempfile
++
++      def initialize(basename)
++        super(basename, private_tmpdir)
++      end
++
++      def private_tmpdir
++        self.class.private_tmpdir
++      end
++
++      def self.private_tmpdir
++        @private_tmpdir ||=
++          begin
++            user = Etc.getpwuid.name
++            pid = Process.pid
++            tmpdir = File.join(Dir.tmpdir, "vagrant-#{user}-#{pid}")
++            FileUtils.mkdir_p(tmpdir)
++            FileUtils.chmod(0700, tmpdir)
++            tmpdir
++          end
++      end
++
++      def self.mktmpdir(prefix_suffix)
++        Dir.mktmpdir(prefix_suffix, private_tmpdir)
++      end
++
++
++    end
++  end
++end
++
++at_exit do
++  FileUtils.rm_rf(Vagrant::Util::Tempfile.private_tmpdir)
++end

gnu/packages/patches/vagrant-bin-vagrant-silence-warning-about-installer.patch

@@ -0,0 +1,24 @@
+From: Antonio Terceiro <terceiro@debian.org>
+Date: Sat, 11 Oct 2014 16:54:58 -0300
+Subject: bin/vagrant: silence warning about installer
+
+---
+ bin/vagrant | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/bin/vagrant b/bin/vagrant
+index 7ca30b3..d3f4ea6 100755
+--- a/bin/vagrant
++++ b/bin/vagrant
+@@ -221,11 +221,6 @@ begin
+       end
+     end
+ 
+-    if !Vagrant.in_installer? && !Vagrant.very_quiet?
+-      # If we're not in the installer, warn.
+-      env.ui.warn(I18n.t("vagrant.general.not_in_installer") + "\n", prefix: false)
+-    end
+-
+     # Acceptable experimental flag values include:
+     #
+     # Unset  - Disables experimental features

gnu/packages/prolog.scm

@@ -185,7 +185,7 @@ it.")
 (define-public trealla
   (package
     (name "trealla")
-    (version "2.82.40")
+    (version "2.83.4")
     (source
      (origin
        (method git-fetch)
@@ -194,7 +194,7 @@ it.")
          (url "https://github.com/trealla-prolog/trealla")
          (commit (string-append "v" version))))
        (sha256
-        (base32 "1n8yi49nlqqjwzrnriz1j6kajlxs17qakjgijw6qq1cxvq5c1iw4"))
+        (base32 "021cf2fi1zm5iyhk8s5i9xsxj7z0i23nsibm5nj5zijwnpwpvhvv"))
        (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (native-inputs

gnu/packages/ruby-xyz.scm

@@ -34,7 +34,7 @@
 ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev@gmail.com>
 ;;; Copyright © 2023, 2024 Janneke Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2023, 2024 Zheng Junjie <873216071@qq.com>
-;;; Copyright © 2023, 2024 Hartmut Goebel <h.goebel@crazy-compilers.com>
+;;; Copyright © 2023-2025 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;; Copyright © 2025 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -8970,7 +8970,15 @@ source projects must be able to link to it.")
                 "0bnjd8b86lrgj5ar1l7pg5if95bv0sxa75mz7x2ikqyz6q8rmjb3"))))
     (build-system ruby-build-system)
     (arguments
-     `(#:test-target "spec"))
+     (list
+      #:test-target "spec"
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'extract-gemspec 'relax-requirements
+            (lambda _
+              (substitute* "vagrant_cloud.gemspec"
+                (("dependency 'rexml', .*")
+                 "dependency 'rexml'\n")))))))
     (native-inputs (list ruby-rspec ruby-webmock))
     (propagated-inputs (list ruby-excon ruby-log4r ruby-rexml))
     (synopsis "Vagrant Cloud API library")

gnu/packages/video.scm

@@ -34,7 +34,7 @@
 ;;; Copyright © 2019 Timo Eisenmann <eisenmann@fn.de>
 ;;; Copyright © 2019 Arne Babenhauserheide <arne_bab@web.de>
 ;;; Copyright © 2019 Riku Viitanen <riku.viitanen@protonmail.com>
-;;; Copyright © 2020, 2021, 2023, 2024 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2020, 2021, 2023, 2024, 2025 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2020 Josh Holland <josh@inv.alid.pw>
 ;;; Copyright © 2020, 2021 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright © 2020 Vincent Legoll <vincent.legoll@gmail.com>
@@ -3144,7 +3144,7 @@ video streaming services of the Finnish national broadcasting company Yle.")
 (define-public yt-dlp
   (package
     (name "yt-dlp")
-    (version "2025.09.05")
+    (version "2025.09.23")
     (source
      (origin
        (method git-fetch)
@@ -3156,7 +3156,7 @@ video streaming services of the Finnish national broadcasting company Yle.")
        (snippet #~(substitute* "pyproject.toml"
                     (("^.*Programming Language :: Python :: 3\\.13.*$") "")))
        (sha256
-        (base32 "0cjcii3d7pj0wbz3166jpcr81j8x8ggrjiciig9x915sb58qwbpp"))))
+        (base32 "0x6yjvv0wwyx10bpk2s06k8amah4q6v1g2plwrng1ap2jza539x6"))))
     (build-system pyproject-build-system)
     (arguments
      (list
@@ -4320,7 +4320,7 @@ to OBS Studio.")
 (define-public obs-looking-glass
   (package
     (name "obs-looking-glass")
-    (version "B6")
+    (version "B7")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://looking-glass.io/artifact/" version
@@ -4328,7 +4328,7 @@ to OBS Studio.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "15d7wwbzfw28yqbz451b6n33ixy50vv8acyzi8gig1mq5a8gzdib"))))
+                "11crsvy783ig7kzmr2cr68wv9zsjkcbp1akcs28rc6yc1ik0dr89"))))
     (build-system cmake-build-system)
     (arguments
      (list
@@ -4392,7 +4392,7 @@ your host privately.")
 (define-public kvmfr-linux-module
   (package
     (name "kvmfr-linux-module")
-    (version "B6")
+    (version "B7")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://looking-glass.io/artifact/" version
@@ -4400,8 +4400,7 @@ your host privately.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "15d7wwbzfw28yqbz451b6n33ixy50vv8acyzi8gig1mq5a8gzdib"))
-              (patches (search-patches "kvmfr-linux-module-fix-build.patch"))))
+                "11crsvy783ig7kzmr2cr68wv9zsjkcbp1akcs28rc6yc1ik0dr89"))))
     (build-system linux-module-build-system)
     (inputs (list bash-minimal))
     (arguments

gnu/packages/virtualization.scm

@@ -24,14 +24,14 @@
 ;;; Copyright © 2021 Vincent Legoll <vincent.legoll@gmail.com>
 ;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
-;;; Copyright © 2022, 2024 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2022, 2024, 2025 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2022, 2023 Ekaitz Zarraga <ekaitz@elenq.tech>
 ;;; Copyright © 2022 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2022 Zhu Zihao <all_but_last@163.com>
 ;;; Copyright © 2023 Juliana Sims <juli@incana.org>
 ;;; Copyright © 2023 Ahmad Draidi <a.r.draidi@redscript.org>
 ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
-;;; Copyright © 2023, 2024 Hartmut Goebel <h.goebel@crazy-compilers.com>
+;;; Copyright © 2023-2025 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;; Copyright © 2024 Janneke Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2024 Raven Hallsby <karl@hallsby.com>
@@ -117,6 +117,7 @@
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages graphviz)
   #:use-module (gnu packages gtk)
+  #:use-module (gnu packages guile)
   #:use-module (gnu packages java)
   #:use-module (gnu packages haskell)
   #:use-module (gnu packages haskell-apps)
@@ -2269,7 +2270,7 @@ Machine Protocol.")
 (define-public looking-glass-client
   (package
     (name "looking-glass-client")
-    (version "B6")
+    (version "B7")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://looking-glass.io/artifact/" version
@@ -2277,7 +2278,7 @@ Machine Protocol.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "15d7wwbzfw28yqbz451b6n33ixy50vv8acyzi8gig1mq5a8gzdib"))))
+                "11crsvy783ig7kzmr2cr68wv9zsjkcbp1akcs28rc6yc1ik0dr89"))))
     (build-system cmake-build-system)
     (inputs (list bash-minimal
                   font-dejavu
@@ -2623,6 +2624,322 @@ helpers that let you write your own unit and acceptance tests for Vagrant.")
     (home-page "https://github.com/hashicorp/vagrant-spec")
     (license license:mpl2.0)))
 
+(define-public vagrant
+  (package
+    (name "vagrant")
+    (version "2.3.7")  ;; last release under BSD-3 license
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/hashicorp/vagrant")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "0c674c5v70skh38lpydz8cdmcp8wgr9h7rn00rxdpgizrzbfxl82"))
+              (patches (search-patches
+                        "vagrant-bin-vagrant-silence-warning-about-installer.patch"
+                        "vagrant-Support-system-installed-plugins.patch"
+                        "vagrant-Use-a-private-temporary-dir.patch"))))
+    (build-system ruby-build-system)
+    (arguments
+     (list
+      #:tests? #f  ; test require ruby-grpc-tools which are not packaged yet
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'unpack 'patch-gemfile
+            (lambda _
+              (substitute* "Gemfile"
+                ((", git:.*") "\n"))))
+          (add-after 'unpack 'pin-executables
+            (lambda* (#:key inputs outputs #:allow-other-keys)
+              (let* ((bsdtar (search-input-file inputs "/bin/bsdtar"))
+                     (curl (search-input-file inputs "/bin/curl"))
+                     (dnsmasq (search-input-file inputs "/sbin/dnsmasq"))
+                     (grep (search-input-file inputs "/bin/grep"))
+                     (modinfo (search-input-file inputs "/bin/modinfo"))
+                     (ps (search-input-file inputs "/bin/ps")))
+                ;; bsdtar
+                (for-each
+                 (lambda (rbfile)
+                   (substitute* rbfile
+                     (("\"bsdtar\",") (string-append "\"" bsdtar "\","))))
+                 (find-files "lib/vagrant/" "\\.rb$"))
+                ;; curl
+                (substitute* "lib/vagrant/util/downloader.rb"
+                  (("\"curl\",") (string-append "\"" curl "\",")))
+                (substitute* "lib/vagrant/util/uploader.rb"
+                  (("\"curl\",") (string-append "\"" curl "\",")))
+                (substitute* "plugins/hosts/linux/cap/nfs.rb"
+                  ;; grep
+                  (("\\| grep #\\{nfs_service")
+                   (string-append "| " grep " #{nfs_service"))
+                  (("\"grep\",") (string-append "\"" grep "\","))
+                  ;; modinfo
+                  (("Vagrant::Util::Which.which\\(\"modinfo\"\\)")
+                   (string-append "\"" modinfo "\"")))
+                ;; ssh, rsync:
+                ;; Don't pin ssh to allow different clients and to avoid
+                ;; configuration conflicts when running on a foreign distro.
+                ;; (substitute* "lib/vagrant/util/ssh.rb"
+                ;;   (("Which.which\\(\"ssh\", original_path: true\\)")
+                ;;    (string-append "\"" ssh "\"")))
+                ;; ps
+                (substitute* "lib/vagrant/util/platform.rb"
+                  (("\"ps\",") (string-append "\"" ps "\","))))))
+          (add-after 'extract-gemspec 'relax-requirements
+            (lambda _
+              (substitute* "vagrant.gemspec"
+                ;; Relax some version specification.
+                (("s\\.required_ruby_version ") "# s.required_ruby_version ")
+                (("dependency \"rgl\", \"~> 0.5.10\"")
+                 "dependency \"rgl\"")
+                (("dependency \"vagrant_cloud\", \"~> 3.0.5\"")
+                 "dependency \"vagrant_cloud\"")
+                (("dependency \"rexml\", .*")
+                 "dependency \"rexml\"\n")
+                ;; Remove Windows specific dependencies
+                ((".*dependency \"(wdm|winrm(|-elevated|-fs))\".*") "")
+                ;; Remove BSD dependency
+                ((".*dependency \"rb-kqueue\".*") "")
+                ;; Remove cyclic inclusion of gem
+                (("^  gitignore_path = " line)
+                 (string-append
+                  "all_files.reject! { |file| file.match?(\"vagrant-.*\\.gem\") }\n"
+                  line))))))))
+    (native-search-paths
+     (list (search-path-specification
+            (variable "GUIX_VAGRANT_PLUGINS_PATH")
+            (files '("share/vagrant-plugins")))))
+    ;; TODO: install bash/zsh completions, man-page, etc.
+    ;; see http://svnweb.mageia.org/packages/cauldron/vagrant/current/SPECS/vagrant.spec
+    (native-inputs (list ruby-fake-ftp ruby-webrick bundler ruby-vagrant-spec))
+    (inputs (list curl dnsmasq grep kmod libarchive openssh procps))
+    (propagated-inputs
+     (list ruby-bcrypt-pbkdf ruby-childprocess ruby-ed25519 ruby-erubi
+           ruby-googleapis-common-protos-types ruby-grpc
+           ruby-hashicorp-checkpoint ruby-i18n ruby-listen ruby-log4r
+           ruby-mime-types ruby-net-ftp ruby-net-ssh ruby-net-sftp
+           ruby-net-scp ruby-ipaddr ruby-rexml ruby-rgl ruby-rubyzip
+           ruby-vagrant-cloud ruby-vagrant-spec))
+    (synopsis "Build and distribute virtualized development environments")
+    (description "Vagrant is the command line utility for managing the
+lifecycle of virtual machines.  Isolate dependencies and their configuration
+within a single disposable and consistent environment.
+
+Note: Make sure to have @code{ssh} and @code{rsync} installed — if you use the
+respective Vagrant functions.  This package does not link to any specific
+implementation of these to allow different clients and to avoid configuration
+conflicts when running on a `foreign distribution'.")
+    (home-page "https://www.vagrantup.com")
+    ;; CVE-2021-21361 is related to the gradle-vagrant-plugin
+    (properties '((lint-hidden-cve . ("CVE-2021-21361"))))
+    (license license:bsd-3)))
+
+(define-public vagrant-cachier
+  (package
+    (name "vagrant-cachier")
+    (version "1.2.1")
+    (source (origin
+              (method url-fetch)
+              (uri (rubygems-uri "vagrant-cachier" version))
+              (sha256
+               (base32
+                "0v11nf2d2y2knwm4zackd5ap8h2927n8rc1q73b6ii4hndv98fh9"))))
+    (build-system ruby-build-system)
+    (arguments
+     (list
+      #:tests? #f ; neither gem nor source actually has tests
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'install 'install-plugin.json
+            (lambda _
+              (let* ((plugins.d (string-append
+                                 #$output "/share/vagrant-plugins/plugins.d"))
+                     (plugin.json (string-append
+                                   plugins.d "/" #$name ".json")))
+                (mkdir-p plugins.d)
+                #$(with-extensions (list guile-json-4)
+                    #~(begin
+                        (use-modules (json))
+                        (call-with-output-file plugin.json
+                          (lambda (port)
+                            (scm->json
+                             '((#$name
+                                .
+                                (("ruby_version"
+                                  . #$(package-version (this-package-input "ruby")))
+                                 ("vagrant_version"
+                                  . #$(package-version (this-package-input "vagrant")))
+                                 ("gem_version" .  "")
+                                 ("require" . "")
+                                 ("installed_gem_version" . #$version)
+                                 ("sources" . #()))))
+                             port)))))))))))
+    (inputs (list ruby vagrant))
+    (synopsis "Share a common package cache among similar VM instances")
+    (description "This package provides a Vagrant plugin that helps you reduce
+the amount of coffee you drink while waiting for boxes to be provisioned by
+sharing a common package cache among similar VM instances.  Kinda like
+vagrant-apt_cache or this magical snippet but targeting multiple package
+managers and Linux distros.")
+    (home-page "https://github.com/fgrehm/vagrant-cachier")
+    (license license:expat)))
+
+(define-public vagrant-libvirt
+  (package
+    (name "vagrant-libvirt")
+    (version "0.12.2")
+    (source (origin
+              (method url-fetch)
+              (uri (rubygems-uri "vagrant-libvirt" version))
+              (sha256
+               (base32
+                "013g6wn24k01lwwkzcb0vvxj959lws8c52bkyqi6b8shnn793j1l"))))
+    (build-system ruby-build-system)
+    (arguments
+     (list
+      #:tests? #f ; tests involve running vagrant, downloading a box and
+                  ; access to libvirt socket
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'install 'install-plugin.json
+            (lambda _
+              (let* ((plugins.d (string-append
+                                 #$output "/share/vagrant-plugins/plugins.d"))
+                     (plugin.json (string-append
+                                   plugins.d "/" #$name ".json")))
+                (mkdir-p plugins.d)
+                #$(with-extensions (list guile-json-4)
+                    #~(begin
+                        (use-modules (json))
+                        (call-with-output-file plugin.json
+                          (lambda (port)
+                            (scm->json
+                             '((#$name
+                                .
+                                (("ruby_version"
+                                  . #$(package-version (this-package-input "ruby")))
+                                 ("vagrant_version"
+                                  . #$(package-version (this-package-input "vagrant")))
+                                 ("gem_version" .  "")
+                                 ("require" . "")
+                                 ("installed_gem_version" . #$version)
+                                 ("sources" . #()))))
+                             port)))))))))))
+    (inputs (list ruby vagrant))
+    (propagated-inputs (list ruby-diffy
+                             ruby-fog-core
+                             ruby-fog-libvirt
+                             ruby-nokogiri
+                             ruby-rexml
+                             ruby-xml-simple))
+    (synopsis "Libvirt provider for Vagrant")
+    (description "This is a Vagrant plugin that adds a Libvirt provider to
+Vagrant, allowing Vagrant to control and provision machines via the Libvirt
+toolkit.")
+    (home-page "https://github.com/vagrant-libvirt/vagrant-libvirt")
+    (license license:expat)))
+
+(define-public vagrant-reload
+  (package
+    (name "vagrant-reload")
+    (version "0.0.1")
+    (source (origin
+              (method url-fetch)
+              (uri (rubygems-uri "vagrant-reload" version))
+              (sha256
+               (base32
+                "0smy0px20xgakcyki5hdbk3n63k9c6ychh5pvbannn1p4zjxa0xa"))))
+    (build-system ruby-build-system)
+    (arguments
+     (list
+      #:tests? #f ; has no tests, testing as described in the Readme requires
+                  ; running vagrant, a provider and downloading a box
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'unpack 'patch-gemfile
+            (lambda _
+              (substitute* "Gemfile"
+                ((", :git.*") "\n"))))
+          (add-after 'install 'install-plugin.json
+            (lambda _
+              (let* ((plugins.d (string-append
+                                 #$output "/share/vagrant-plugins/plugins.d"))
+                     (plugin.json (string-append
+                                   plugins.d "/" #$name ".json")))
+                (mkdir-p plugins.d)
+                #$(with-extensions (list guile-json-4)
+                    #~(begin
+                        (use-modules (json))
+                        (call-with-output-file plugin.json
+                          (lambda (port)
+                            (scm->json
+                             '((#$name
+                                .
+                                (("ruby_version"
+                                  . #$(package-version (this-package-input "ruby")))
+                                 ("vagrant_version"
+                                  . #$(package-version (this-package-input "vagrant")))
+                                 ("gem_version" .  "")
+                                 ("require" . "")
+                                 ("installed_gem_version" . #$version)
+                                 ("sources" . #()))))
+                             port)))))))))))
+    (inputs (list ruby vagrant))
+    (synopsis "Reload a Vagrant VM as a provisioning step")
+    (description "This Vagrant plugin enables reloading a Vagrant VM as a
+provisioning step.")
+    (home-page "http://www.vagrantup.com")
+    (license license:expat)))
+
+(define-public vagrant-vai
+  (package
+    (name "vagrant-vai")
+    (version "0.9.3")
+    (source (origin
+              (method url-fetch)
+              (uri (rubygems-uri "vai" version))
+              (sha256
+               (base32
+                "041bi8hk03ybhacqzhw153j3knqhwvxn8aczzq6nikmpklcs4m4a"))))
+    (build-system ruby-build-system)
+    (arguments
+     (list
+      #:tests? #f ; tests involve running vagrant and downloading a box
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'install 'install-plugin.json
+            (lambda _
+              (let* ((plugins.d (string-append
+                                 #$output "/share/vagrant-plugins/plugins.d"))
+                     (plugin.json (string-append
+                                   plugins.d "/" #$name ".json")))
+                (mkdir-p plugins.d)
+                #$(with-extensions (list guile-json-4)
+                    #~(begin
+                        (use-modules (json))
+                        (call-with-output-file plugin.json
+                          (lambda (port)
+                            (scm->json
+                             '(("vai" ;; #$name
+                                .
+                                (("ruby_version"
+                                  . #$(package-version (this-package-input "ruby")))
+                                 ("vagrant_version"
+                                  . #$(package-version (this-package-input "vagrant")))
+                                 ("gem_version" .  "")
+                                 ("require" . "")
+                                 ("installed_gem_version" . #$version)
+                                 ("sources" . #()))))
+                             port)))))))))))
+    (inputs (list ruby vagrant))
+    (synopsis "Vagrant provisioning plugin to output an Ansible inventory")
+    (description "This plugin creates an Ansible inventory file containing the
+created virtual machines and the respective ssh-parameters.")
+    (home-page "https://github.com/MatthewMi11er/vai")
+    (license license:expat)))
+
 (define-public python-vagrant
   (package
     (name "python-vagrant")

gnu/packages/xiph.scm

@@ -438,7 +438,8 @@ decoding .opus files.")
                     ".tar.gz"))
               (sha256
                (base32
-                "02smwc5ah8nb3a67mnkjzqmrzk43j356hgj2a97s9midq40qd38i"))))
+                "02smwc5ah8nb3a67mnkjzqmrzk43j356hgj2a97s9midq40qd38i"))
+              (patches (search-patches "opusfile-CVE-2022-47021.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--disable-static")

gnu/services/networking.scm

@@ -629,13 +629,18 @@ to @uref{https://www.rfc-editor.org/rfc/rfc2132#section-9.13,RFC 2132}.")
   (client-id
     maybe-string
     "Use the interface hardware address or the given string as a client identifier,
-this is matually exclusive with the @code{duid} option.")
+this is mutually exclusive with the @code{duid} option.")
 
   ;; Escape hatch for the generated configuration file.
   (extra-content
     maybe-string
     "Extra content to append to the configuration as-is.")
 
+  (shepherd-provision
+   (list-of-symbols '(networking))
+   "This is a list of symbols naming Shepherd services provided by this service."
+   empty-serializer)
+
   (shepherd-requirement
    (list-of-symbols '())
    "This is a list of symbols naming Shepherd services that this service
@@ -662,11 +667,11 @@ will depend on."
 
 (define (dhcpcd-shepherd-service config)
   (match-record config <dhcpcd-configuration>
-                (command-arguments interfaces shepherd-requirement)
+                (command-arguments interfaces shepherd-provision shepherd-requirement)
     (let ((config-file (dhcpcd-config-file config)))
       (list (shepherd-service
              (documentation "dhcpcd daemon.")
-             (provision '(networking))
+             (provision shepherd-provision)
              (requirement `(user-processes udev ,@shepherd-requirement))
              (actions (list (shepherd-configuration-action config-file)))
              (start

gnu/services/security.scm

@@ -378,13 +378,17 @@ provided as a list of file-like objects."))
   (service-type (name 'fail2ban)
                 (extensions
                  (list (service-extension shepherd-root-service-type
-                                          fail2ban-shepherd-service)))
+                                          fail2ban-shepherd-service)
+                       ;; For the fail2ban-client and fail2ban-regex commands.
+                       (service-extension
+                        profile-service-type
+                        (compose list fail2ban-configuration-fail2ban))))
                 (compose concatenate)
                 (extend (lambda (config jails)
                           (fail2ban-configuration
-                           (inherit config)
-                           (jails (append (fail2ban-configuration-jails config)
-                                          jails)))))
+                            (inherit config)
+                            (jails (append (fail2ban-configuration-jails config)
+                                           jails)))))
                 (default-value (fail2ban-configuration))
                 (description "Run the fail2ban server.")))
 

guix/channels.scm

@@ -72,6 +72,7 @@
             channel-commit
             channel-introduction
             channel-location
+            channel-reference
 
             channel-introduction?
             make-channel-introduction

guix/git.scm

@@ -593,16 +593,19 @@ current settings unchanged."
      ;; left unchanged when cloning and pulling.
      (set-config-string config "core.autocrlf" "input")
 
-     ;; Only fetch remote if it has not been cloned just before.
+     ;; When using symrefs, fetch remote again even if it has been cloned just
+     ;; before as the requested reference are not fetched when cloning.
      (when (and cache-exists?
                 (not (reference-available? repository ref)))
        (remote-fetch (remote-lookup repository "origin")
                      #:fetch-options (make-default-fetch-options
                                       #:verify-certificate?
                                       verify-certificate?)
-                     ;; Symbolic references are not fetched from the remote by
-                     ;; default.
-                     #:refspecs symref-list))
+                     ;; Build refspecs from symbolic references so they are
+                     ;; created locally and updated if necessary.
+                     #:refspecs (map (lambda (ref)
+                                       (string-append "+" ref ":" ref))
+                                     symref-list)))
      (when recursive?
        (update-submodules repository #:log-port log-port
                           #:fetch-options

guix/inferior.scm

@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2018-2024 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018-2025 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -860,9 +860,13 @@ failing when GUIX is too old and lacks the 'guix repl' command."
 ;;;
 
 (define %inferior-cache-directory
-  ;; Directory for cached inferiors (GC roots).
-  (make-parameter (string-append (cache-directory #:ensure? #f)
-                                 "/inferiors")))
+  ;; Directory for cached inferiors (GC roots).  It must be world-readable so
+  ;; the daemon can traverse it.
+  (make-parameter (string-append %profile-directory "/inferiors")))
+
+(define %legacy-inferior-cache-directory
+  ;; Former directory for cached inferiors, by default under $HOME/.cache.
+  (string-append (cache-directory #:ensure? #f) "/inferiors"))
 
 (define* (channel-full-commit channel #:key (verify-certificate? #t))
   "Return the commit designated by CHANNEL as quickly as possible.  If
@@ -872,7 +876,8 @@ prefix, resolve it; and if 'commit' is unset, fetch CHANNEL's branch tip."
         (branch (channel-branch channel)))
     (if (and commit (commit-id? commit))
         commit
-        (let* ((ref (if commit `(tag-or-commit . ,commit) `(branch . ,branch)))
+        (let* ((ref (if commit `(tag-or-commit . ,commit)
+                        (channel-reference channel)))
                (cache commit relation
                      (update-cached-checkout (channel-url channel)
                                              #:ref ref
@@ -949,6 +954,14 @@ X.509 host certificate; otherwise, warn about the problem and keep going."
                                       #:entry-expiration
                                       (file-expiration-time ttl))
 
+  ;; Clean the legacy cache directory as well.  Remove this call once at least
+  ;; one year has passed.
+  (maybe-remove-expired-cache-entries %legacy-inferior-cache-directory
+                                      cache-entries
+                                      #:entry-expiration
+                                      (file-expiration-time ttl))
+
+
   (if (file-exists? cached)
       cached
       (run-with-store store

guix/packages.scm

@@ -437,8 +437,7 @@ from forcing GEXP-PROMISE."
   ;;
   ;; XXX: MIPS is unavailable in CI:
   ;; <https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00790.html>.
-  (fold delete %supported-systems '("mips64el-linux" "powerpc-linux"
-                                    "x86_64-gnu")))
+  (fold delete %supported-systems '("mips64el-linux" "powerpc-linux")))
 
 (define (maybe-add-input-labels inputs)
   "Add labels to INPUTS unless it already has them."

guix/scripts/environment.scm

@@ -793,11 +793,24 @@ WHILE-LIST."
 
   (define (nesting-mappings)
     ;; Files shared with the host when enabling nesting.
+
+    ;; Make sure these two directories exist so they can be shared.
+    (mkdir-p (string-append %profile-directory "/profiles"))
+    (mkdir-p (string-append %profile-directory "/inferiors"))
+
     (cons* (file-system-mapping
             (source (%store-prefix))
             (target source))
            (file-system-mapping
-            (source (cache-directory))
+            (source (cache-directory))           ;~/.cache/guix/checkouts etc.
+            (target source)
+            (writable? #t))
+           (file-system-mapping                  ;'guix shell' cached GC roots
+            (source (string-append %profile-directory "/profiles"))
+            (target source)
+            (writable? #t))
+           (file-system-mapping           ;'guix time-machine' cached GC roots
+            (source (string-append %profile-directory "/inferiors"))
             (target source)
             (writable? #t))
            (let ((uri (string->uri (%daemon-socket-uri))))

guix/scripts/shell.scm

@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2021-2024 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2021-2025 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -327,10 +327,13 @@ echo ~a >> ~a
 ;;;
 
 (define %profile-cache-directory
-  ;; Directory where profiles created by 'guix shell' alone (without extra
-  ;; options) are cached.
-  (make-parameter (string-append (cache-directory #:ensure? #f)
-                                 "/profiles")))
+  ;; Directory where profiles (GC roots) created by 'guix shell' are cached.
+  ;; It must be world-readable so the daemon can traverse it.
+  (make-parameter (string-append %profile-directory "/profiles")))
+
+(define %legacy-cache-directory
+  ;; Former cache directory, by default under $HOME/.cache.
+  (string-append (cache-directory #:ensure? #f) "/profiles"))
 
 (define (profile-cache-primary-key)
   "Return the \"primary key\" used when computing keys for the profile cache.
@@ -592,6 +595,13 @@ to make sure your shell does not clobber environment variables."))) )
                  (maybe-remove-expired-cache-entries
                   (%profile-cache-directory)
                   cache-entries
+                  #:entry-expiration entry-expiration)
+
+                 ;; Clean the legacy cache directory as well.  Remove this
+                 ;; call once at least one year has passed.
+                 (maybe-remove-expired-cache-entries
+                  %legacy-cache-directory
+                  cache-entries
                   #:entry-expiration entry-expiration)))
 
     (if (assoc-ref opts 'export-manifest?)

nix/libstore/build.cc

@@ -3139,10 +3139,14 @@ void DerivationGoal::registerOutputs()
               replaceValidPath(path, actualPath);
             else
 		if (buildMode != bmCheck) {
-		    if (S_ISDIR(st.st_mode))
+		    if (S_ISDIR(st.st_mode)) {
+                        if (lstat(actualPath.c_str(), &st) == -1)
+                            throw SysError(format("getting canonicalized permissions of directory `%1%'") % actualPath);
 			/* Change mode on the directory to allow for
 			   rename(2).  */
-			chmod(actualPath.c_str(), st.st_mode | 0700);
+			if (chmod(actualPath.c_str(), st.st_mode | 0700) == -1)
+                            throw SysError(format("making `%1%' writable for move from chroot to store") % actualPath);
+                    }
 		    if (rename(actualPath.c_str(), path.c_str()) == -1)
 			throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
 		    if (S_ISDIR(st.st_mode) && chmod(path.c_str(), st.st_mode) == -1)

tests/packages.scm

@@ -511,7 +511,11 @@
                (build-system gnu-build-system)
                (supported-systems
                 `("does-not-exist" "foobar" ,@%supported-systems)))))
-    (parameterize ((%current-system "armhf-linux")) ; a traditionally-bootstrapped architecture
+    ;; For '%current-system', pick an old-style-bootstrap (not full-source
+    ;; bootstrap) architecture, and one that uses a version of
+    ;; 'libstdc++-boot0' that has all of %SUPPORTED-SYSTEMS in its
+    ;; 'supported-systems' field.
+    (parameterize ((%current-system "riscv64-linux"))
       (package-transitive-supported-systems p))))
 
 (test-equal "package-transitive-supported-systems: reduced binary seed, implicit inputs"

tests/store.scm

@@ -417,6 +417,17 @@
                      get-string-all)
                    a))))
 
+;; https://codeberg.org/guix/guix/issues/1104
+(test-equal "build outputs aren't writable"
+  #o555
+  (let ((drv (build-expression->derivation %store "writable-output"
+                                           `(begin
+                                              ,(random-text)
+                                              (mkdir %output)
+                                              (chmod %output #o755)))))
+    (build-derivations %store (list drv))
+    (stat:perms (stat (derivation->output-path drv "out")))))
+
 (unless (unprivileged-user-namespace-supported?)
   (test-skip 1))
 (test-equal "isolated environment"