Merge branch 'make-authenticate' into 'master'

Add git hook for checking commit signing.

See merge request nonguix/nonguix!399

Makefile

@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2022 Giacomo Leidi <goodoldpaul@autistici.org>
+# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
+# Copyright © 2024 Wolf <wolf@wolfsden.cz>
+
+# nonguix channel
+channel_intro_commit = 897c1a470da759236cc11798f4e0a5f7d4d59fbc
+channel_intro_signer = 2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5
+
+authenticate:
+	echo "Authenticating Git checkout..." ;	\
+	guix git authenticate					\
+	    --cache-key=channels/nonguix --stats			\
+	    "$(channel_intro_commit)" "$(channel_intro_signer)"

etc/git/pre-push

@@ -0,0 +1,48 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
+# Copyright © 2024 Wolf <wolf@wolfsden.cz>
+
+# This hook script prevents the user from pushing to GitLab if any of the new
+# commits' OpenPGP signatures cannot be verified, or if a commit is signed
+# with an unauthorized key.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed.  If this script exits with a non-zero status nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local sha1> <remote ref> <remote sha1>
+
+# This is the "empty hash" used by Git when pushing a branch deletion.
+z40=0000000000000000000000000000000000000000
+
+while read local_ref local_hash remote_ref remote_hash
+do
+  # When deleting a remote branch, no commits are pushed to the remote, and
+  # thus there are no signatures to be verified.
+  if [ "$local_hash" != $z40 ]
+  then
+    # Only use the hook when pushing to the nonguix project on GitLab.
+    case "$2" in
+      *gitlab.com[:/]nonguix/*)
+        exec make authenticate
+        exit 127
+        ;;
+      *)
+        exit 0
+        ;;
+    esac
+  fi
+done
+
+exit 0

guix/import/firefox.scm

@@ -0,0 +1,47 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; Copyright © 2025 Nicolas Graves <ngraves@ngraves.fr>
+
+;;; This file is not part of GNU Guix but requires this naming scheme
+;;; so that the %firefox-updater is properly read when using
+;;; `guix refresh -L$(pwd) firefox' in nonguix root.
+
+(define-module (guix import firefox)
+  #:use-module (guix import json)
+  #:use-module (guix memoization)
+  #:use-module (guix packages)
+  #:use-module (guix upstream)
+  #:export (%firefox-updater))
+
+(define firefox-json-url "https://product-details.mozilla.org/1.0/firefox_versions.json")
+
+(define firefox-versions
+  (memoize
+   (lambda _
+     (let ((alist (json-fetch firefox-json-url)))
+       (list (cons "firefox" (assoc-ref alist "LATEST_FIREFOX_VERSION"))
+             (cons "firefox-esr" (assoc-ref alist "FIREFOX_ESR")))))))
+
+(define* (latest-release package #:key (version #f) partial-version?)
+  "Return an <upstream-source> for the latest-release of PACKAGE."
+  (let* ((name (package-name package))
+         (version (or version (assoc-ref (firefox-versions) name))))
+    (upstream-source
+      (package name)
+      (version version)
+      (urls
+       (list (string-append "https://archive.mozilla.org/pub/firefox/releases/"
+                            version "/source/firefox-"
+                            version ".source.tar.xz"))))))
+
+(define (firefox-package? package)
+  "Return true if PACKAGE is Firefox."
+  (member (package-name package) (list "firefox" "firefox-esr")))
+
+(define %firefox-updater
+  (upstream-updater
+   (name 'firefox)
+   (description "Updater for Firefox packages")
+   (pred firefox-package?)
+   (import latest-release)))
+
+;;; firefox.scm ends here.

nongnu/packages/game-client.scm

@@ -105,12 +105,13 @@
     (description "Heroic is an Open Source Game Launcher.  Right now it supports launching
 games from the Epic Games Store using Legendary, GOG Games using our custom
 implementation with gogdl and Amazon Games using Nile.")
-    (license license:gpl3)))
+    (license license:gpl3)
+    (supported-systems '("x86_64-linux"))))
 
 (define steam-client
   (package
     (name "steam-client")
-    (version "1.0.0.83")
+    (version "1.0.0.84")
     (source
      (origin
        (method url-fetch)
@@ -118,7 +119,7 @@ implementation with gogdl and Amazon Games using Nile.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "10lgmjsada0n2a4h1vgrnwcjcka7vp4igy82f1n99zbyrjq845kr"))
+         "0i3v0zz36x7v81qslvfbiby57hk96hn15w4xxal1lgvrb0npdyii"))
        (file-name (string-append name "-" version ".tar.gz"))))
     (build-system gnu-build-system)
     (arguments
@@ -160,7 +161,8 @@ implementation with gogdl and Amazon Games using Nile.")
     (home-page "https://store.steampowered.com")
     (synopsis "Digital distribution platform for managing and playing games")
     (description "Steam is a digital software distribution platform created by Valve.")
-    (license (license:nonfree "file:///share/doc/steam/steam_subscriber_agreement.txt"))))
+    (license (license:nonfree "file:///share/doc/steam/steam_subscriber_agreement.txt"))
+    (supported-systems '("x86_64-linux"))))
 
 (define steam-client-libs
   `(("at-spi2-core" ,at-spi2-core)      ; Required (often) for SteamVR interface.

nongnu/packages/linux.scm

@@ -180,9 +180,6 @@ on hardware which requires nonfree software to function."))))
 (define-public linux-6.16
   (corrupt-linux linux-libre-6.16))
 
-(define-public linux-6.15
-  (corrupt-linux linux-libre-6.15))
-
 (define-public linux-6.12
   (corrupt-linux linux-libre-6.12))
 
@@ -364,14 +361,14 @@ stable, responsive and smooth desktop experience.")))
 (define-public linux-firmware
   (package
     (name "linux-firmware")
-    (version "20250808")
+    (version "20250917")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/kernel/firmware/"
                                   "linux-firmware-" version ".tar.xz"))
               (sha256
                (base32
-                "0zw3vsmd07yr27y5fz0m357hci00ah5impx5sz4jcnd18ldmaaf0"))))
+                "0xgvb0fb4s48423asdb1dnkjjskbfmm336gm6vki2nliasvpa18j"))))
     (build-system gnu-build-system)
     (arguments
      (list #:tests? #f
@@ -418,8 +415,11 @@ if your hardware is supported by one of the smaller firmware packages.")
   #~(lambda _
       (use-modules (ice-9 regex))
       (substitute* "WHENCE"
-        (("^(File|RawFile|Link): *([^ ]*)(.*)" _ type file rest)
+        (("^(File|RawFile): *([^ ]*)(.*)" _ type file rest)
-         (string-append (if (string-match #$keep file) type "Skip") ": " file rest)))))
+         (string-append (if (string-match #$keep file) type "Skip") ": " file rest))
+        (("^Link: *(.*) *-> *(.*)" _ file target)
+         (string-append (if (string-match #$keep target) "Link" "Skip")
+                        ": " file " -> " target)))))
 
 (define-public amdgpu-firmware
   (package
@@ -708,7 +708,7 @@ laptops).")
               ((#:phases phases #~%standard-phases)
                #~(modify-phases #$phases
                    (add-after 'unpack 'select-firmware
-                     #$(select-firmware "^iwlwifi-")))))))
+                     #$(select-firmware "^intel/iwlwifi/")))))))
     (home-page "https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi")
     (synopsis "Nonfree firmware for Intel wifi chips")
     (description "The proprietary iwlwifi kernel module is required by many

nongnu/packages/messaging.scm

@@ -83,7 +83,7 @@ its core.")
 (define-public signal-desktop
   (package
     (name "signal-desktop")
-    (version "7.69.0")
+    (version "7.71.0")
     (source
      (origin
        (method url-fetch)
@@ -92,7 +92,7 @@ its core.")
          "https://updates.signal.org/desktop/apt/pool/s/" name "/" name "_" version
          "_amd64.deb"))
        (sha256
-        (base32 "02hrsgx5jwhm16nvmz2pm8n11jp56g9mn404mymn1kfi2qsxy5mm"))))
+        (base32 "14lk8s040alj2lxqw30hh54l4p3kpq1mxq64l8sqlph2y9c3hig3"))))
     (supported-systems '("x86_64-linux"))
     (build-system chromium-binary-build-system)
     (arguments

nongnu/packages/mozilla.scm

@@ -87,19 +87,19 @@
 
 ;; Update this id with every firefox update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
-(define %firefox-esr-build-id "20250818124956")
+(define %firefox-esr-build-id "20250915124517")
 
 (define-public firefox-esr
   (package
     (name "firefox-esr")
-    (version "140.2.0esr")
+    (version "140.3.0esr")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://archive.mozilla.org/pub/firefox/releases/"
                            version "/source/firefox-" version ".source.tar.xz"))
        (sha256
-        (base32 "0mgglah7inji8gyhswdy62w2lqxgm4yfs1xg7ib6sw1vbikwwvcm"))
+        (base32 "05i3czn3v2qnhir8apcphbqy7rmy1dn7kcwx5yyi2qvmjcyfpipg"))
        (patches
         (map (lambda (patch)
                (search-path
@@ -529,20 +529,20 @@ Release (ESR) version.")
 
 ;; Update this id with every firefox update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
-(define %firefox-build-id "20250818122500")
+(define %firefox-build-id "20250915125927")
 
 (define-public firefox
   (package
     (inherit firefox-esr)
     (name "firefox")
-    (version "142.0")
+    (version "143.0")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://archive.mozilla.org/pub/firefox/releases/"
                            version "/source/firefox-" version ".source.tar.xz"))
        (sha256
-        (base32 "03sblq1l5hjlwgqh1vyshrw1161cs5amlx7kjqzmjv1v1zqy2218"))
+        (base32 "10yz3rz2akf3b19hd2c5v77f038j0h6ci1asjb4w480q14wclibc"))
        (patches
         (map (lambda (patch)
                (search-path

nongnu/packages/nvidia.scm

@@ -228,9 +228,9 @@ ACTION==\"unbind\", SUBSYSTEM==\"pci\", ATTR{vendor}==\"0x10de\", ATTR{class}==\
 (define-public nvidia-driver
   (package
     (name "nvidia-driver")
-    (version "570.181")
+    (version "580.82.09")
     (source (nvidia-source
-             version "1yfwwfwbl5ph7s7zddixa0w8nb1wdg25sjysg98fl0hq7z72avgh"))
+             version "1dwmardvxb2w6mx7hich5wc06f50qz92jk63kbhf059fv8rgiv1y"))
     (build-system copy-build-system)
     (arguments
      (list #:modules '((guix build copy-build-system)
@@ -245,8 +245,8 @@ ACTION==\"unbind\", SUBSYSTEM==\"pci\", ATTR{vendor}==\"0x10de\", ATTR{class}==\
                     ("x86_64-linux" ".")
                     (_ "."))
                 "lib/" #:include-regexp ("^./[^/]+\\.so"))
-               ("." "lib/nvidia/wine/" #:include-regexp ("_?nvngx\\.dll$"))
+               ("." "lib/nvidia/wine/" #:include-regexp ("_?nvngx.*?\\.dll$"))
-               ("." "share/nvidia/" #:include-regexp ("nvidia-application-profiles"))
+               ("." "share/nvidia/" #:include-regexp ("nvidia-application-profiles|nvoptix.bin"))
                ("." "share/egl/egl_external_platform.d/" #:include-regexp ("(gbm|wayland|xcb|xlib)\\.json"))
                ("10_nvidia.json" "share/glvnd/egl_vendor.d/")
                ("90-nvidia.rules" "lib/udev/rules.d/")
@@ -287,6 +287,8 @@ ACTION==\"unbind\", SUBSYSTEM==\"pci\", ATTR{vendor}==\"0x10de\", ATTR{class}==\
                    (substitute* '("nvidia_icd.json"
                                   "nvidia_layers.json")
                      (("libGLX_nvidia\\.so\\.." all)
+                      (string-append #$output "/lib/" all))
+                     (("libnvidia-present\\.so\\.[0-9.]*" all)
                       (string-append #$output "/lib/" all)))
 
                    ;; VulkanSC ICD configuration
@@ -627,9 +629,9 @@ add @code{nvidia_drm.modeset=1} to @code{kernel-arguments} as well.")
 (define-public nvidia-settings
   (package
     (name "nvidia-settings")
-    (version "570.181")
+    (version "580.82.09")
     (source (nvidia-settings-source
-             name version "0fq72pj1b4iwlyivi9nmqr45iz6aqqdxgdbgk26x9m1yfxgpy748"))
+             name version "0sy3mrg3vmyba6m87nanzmpvv2hzhb6nqdckhlaxv8wppmr7fvms"))
     (build-system gnu-build-system)
     (arguments
      (list #:tests? #f ;no test suite
@@ -849,7 +851,7 @@ variables @code{__GLX_VENDOR_LIBRARY_NAME=nvidia} and
 (define-public egl-gbm
   (package
     (name "egl-gbm")
-    (version "1.1.2")
+    (version "1.1.2.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -858,7 +860,7 @@ variables @code{__GLX_VENDOR_LIBRARY_NAME=nvidia} and
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1rfgfi06ry7c7hnzdm4b0dc8r3hmbfn2rd37z3mc4wn38sgz5l3a"))))
+                "1zcr1jksnh0431marzvgg301aybli29r1xw5vs4wnxgcp9bigvn6"))))
     (build-system meson-build-system)
     (native-inputs (list pkg-config))
     (inputs (list eglexternalplatform mesa-for-nvda))
@@ -872,7 +874,7 @@ GBM EGL support.")
 (define-public egl-x11
   (package
     (name "egl-x11")
-    (version "1.0.2")
+    (version "1.0.3")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -881,7 +883,7 @@ GBM EGL support.")
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0s18xpylz16ry51xp1bs2s4hmvwsq49hcfc0gnmmvnymdzm041aq"))))
+                "1hh1wkdijjhsmym5ab5nw8wyi0w9x7aznnmyg8sczhwdfb5rdnrj"))))
     (build-system meson-build-system)
     (native-inputs (list pkg-config))
     (inputs (list eglexternalplatform mesa-for-nvda))