This addresses a potential security issue, where a compromised
service could trick the activation code in changing the permissions,
owner and group of arbitrary files. However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.
Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>
* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
(%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/packages/python-check.scm (python-pytest-sanic) [version]: Update to
1.7.0.
[propagated-inputs]: Replace python-aiohttp with python-httpx and add
python-websockets.
Unmaintained upstream and its only dependent (python-gssapi) dropped it.
* gnu/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch: Remove.
* gnu/local.mk: Drop patch file.
* gnu/packages/python-xyz.scm (python-shouldbe): Remove.
* gnu/packages/python-xyz.scm (python-gssapi) [version]: Update to 1.6.12.
[arguments]: Tests have been fixed upstream, remove.
[native-inputs]: python-shouldbea is not required any more, remove.
* gnu/packages/embedded.scm (sdcc): Update to 4.1.0.
* gnu/packages/patches/sdcc-disable-non-free-code.patch: Update to match new
version.
Signed-off-by: Efraim Flashner <efraim@flashner.co.il>
* gnu/packages/crypto.scm (botan): Update to 2.17.3.
[arguments]: Add 'library-path-for-tests phase to fix 'check phase by setting
LD_LIBRARY_PATH to intermediate build directory so tests can find libbotan.
* gnu/packages/patches/bsdiff-CVE-2014-9862.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (bsdiff): Apply it.
The Cuirass configuration has been simplified so that this is no longer
needed.
* gnu/services/cuirass.scm (<build-manifest>, <simple-cuirass-configuration>,
simple-cuirass-configuration->specs): Remove them.
This removes hydra support to use Cuirass as the only continuous integration
system.
* build-aux/hydra/gnu-system.scm: Remove it.
* build-aux/hydra/guix-modular.scm: Ditto.
* build-aux/hydra/guix.scm: Ditto.
* build-aux/cuirass/hydra-to-cuirass.scm: Ditto.
* Makefile.am (EXTRA_DIST): Update it.
(hydra-jobs.scm): Remove it.
(cuirass-jobs.scm): Update it.
* build-aux/hydra/evaluate.scm: Move it to ...
* build-aux/cuirass/evaluate.scm: ... here.
* build-aux/cuirass/guix-modular.scm: Remove it.
* build-aux/cuirass/gnu-system.scm: Ditto.
* guix/packages.scm (%hydra-supported-systems): Rename it to ...
(%cuirass-supported-systems): ... this variable.
* build-aux/check-final-inputs-self-contained: Adapt it.
* etc/release-manifest.scm: Ditto.
* gnu/ci.scm (package->alist): Remove it.
(derivation->job): New procedure.
(package-job, package-cross-job, cross-jobs, image-jobs, system-test-jobs,
tarball-jobs): Use it.
(guix-jobs): New procedure.
(hydra-jobs): Rename it to ...
(cuirass-jobs): ... this procedure.
Fixes: <https://issues.guix.gnu.org/46683>.
* gnu/services/cuirass.scm (cuirass-activation): Since the PostgreSQL switch,
it is no longer needed to create the database directory.
* gnu/packages/cobol.scm (gnucobol): Update to 3.1.2.
[arguments]: Add 'set-TERM phase before 'check to set the TERM environment
variable for tests that expect it.
