Fixes <https://bugs.gnu.org/47007>.
Reported by Jelle Licht <jlicht@fsfe.org>.
Since commit dcb640f02b, we could end up
applying the wrong mount flags because the (find ...) expression could
pick the "wrong" mount point in the presence of bind mounts.
* gnu/build/file-systems.scm (mount-file-system): Use 'statfs' to
compute FLAGS whe FS is a bind mount.
Non-exhaustively, fixes CVE-2021-21772.
* gnu/packages/engineering.scm (lib3mf): Update to 2.1.1.
[arguments]<#:phases>: Remove.
[arguments]<#:configure-flags>: Do not use zlib, libzip, gtest and libressl
vendored sources.
[native-inputs]: Remove googletest-source, add googletest and pkg-config.
[inputs]: Add libzip, libressl and zlib.
This addresses a potential security issue, where a compromised
service could trick the activation code in changing the permissions,
owner and group of arbitrary files. However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.
Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>
* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
(%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This is a follow-up of 6ee7e3d26b.
* guix/inferior.scm (cached-channel-instance): Introduce "symlink/safe" and
use it instead of symlink. Remove the duplicated "file-exists?" call.
* gnu/packages/python-check.scm (python-pytest-sanic) [version]: Update to
1.7.0.
[propagated-inputs]: Replace python-aiohttp with python-httpx and add
python-websockets.
Unmaintained upstream and its only dependent (python-gssapi) dropped it.
* gnu/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch: Remove.
* gnu/local.mk: Drop patch file.
* gnu/packages/python-xyz.scm (python-shouldbe): Remove.
* gnu/packages/python-xyz.scm (python-gssapi) [version]: Update to 1.6.12.
[arguments]: Tests have been fixed upstream, remove.
[native-inputs]: python-shouldbea is not required any more, remove.
* gnu/packages/embedded.scm (sdcc): Update to 4.1.0.
* gnu/packages/patches/sdcc-disable-non-free-code.patch: Update to match new
version.
Signed-off-by: Efraim Flashner <efraim@flashner.co.il>
* gnu/packages/crypto.scm (botan): Update to 2.17.3.
[arguments]: Add 'library-path-for-tests phase to fix 'check phase by setting
LD_LIBRARY_PATH to intermediate build directory so tests can find libbotan.
* gnu/packages/patches/bsdiff-CVE-2014-9862.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (bsdiff): Apply it.
The Cuirass configuration has been simplified so that this is no longer
needed.
* gnu/services/cuirass.scm (<build-manifest>, <simple-cuirass-configuration>,
simple-cuirass-configuration->specs): Remove them.
This removes hydra support to use Cuirass as the only continuous integration
system.
* build-aux/hydra/gnu-system.scm: Remove it.
* build-aux/hydra/guix-modular.scm: Ditto.
* build-aux/hydra/guix.scm: Ditto.
* build-aux/cuirass/hydra-to-cuirass.scm: Ditto.
* Makefile.am (EXTRA_DIST): Update it.
(hydra-jobs.scm): Remove it.
(cuirass-jobs.scm): Update it.
* build-aux/hydra/evaluate.scm: Move it to ...
* build-aux/cuirass/evaluate.scm: ... here.
* build-aux/cuirass/guix-modular.scm: Remove it.
* build-aux/cuirass/gnu-system.scm: Ditto.
* guix/packages.scm (%hydra-supported-systems): Rename it to ...
(%cuirass-supported-systems): ... this variable.
* build-aux/check-final-inputs-self-contained: Adapt it.
* etc/release-manifest.scm: Ditto.
* gnu/ci.scm (package->alist): Remove it.
(derivation->job): New procedure.
(package-job, package-cross-job, cross-jobs, image-jobs, system-test-jobs,
tarball-jobs): Use it.
(guix-jobs): New procedure.
(hydra-jobs): Rename it to ...
(cuirass-jobs): ... this procedure.
