Subject: bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
From: Marius Bakke
Date: Sat, 10 Jun 2017 15:58:51 +0200

This update addresses the following security advisories:

GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.

These links contain more information about the vulnerabilities and releases:

https://gnutls.org/security.html
https://gnutls.org/news.html

* gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register patches.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.13): New variable.
--- gnu/local.mk | 2 ++ .../patches/gnutls-skip-pkgconfig-test.patch | 24 ++++++++++++++++++++++ .../patches/gnutls-skip-trust-store-test.patch | 15 ++++++++++++++ gnu/packages/tls.scm | 20 ++++++++++++++++++ 4 files changed, 61 insertions(+) create mode 100644 gnu/packages/patches/gnutls-skip-pkgconfig-test.patch create mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch diff --git a/gnu/local.mk b/gnu/local.mk index 686c3c639..70b4a44a1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -640,6 +640,8 @@ dist_patch_DATA = \ %D%/packages/patches/gmp-faulty-test.patch \ %D%/packages/patches/gnome-tweak-tool-search-paths.patch \ %D%/packages/patches/gnucash-price-quotes-perl.patch \ + %D%/packages/patches/gnutls-skip-trust-store-test.patch \ + %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch new file mode 100644 index 000000000..1fad7c14e --- /dev/null +++ b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch @@ -0,0 +1,24 @@ +FIXME: The static test fails with an error such as: + +/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main': +c.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init' +collect2: error: ld returned 1 exit status +FAIL pkgconfig.sh (exit status: 1) + +diff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh +index 6bd4e62f9..05aab8278 100755 +--- a/tests/pkgconfig.sh ++++ b/tests/pkgconfig.sh +@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:" + echo " * flags: $(${PKGCONFIG} --libs gnutls)" + echo " * common: ${COMMON}" + echo " * lib: ${CFLAGS}" +-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON} +- +-echo "" +-echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)" +-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON} ++gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON} + + rm -f ${TMPFILE} ${TMPFILE_O} + diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch new file mode 100644 index 000000000..e0536712a --- /dev/null 
+++ b/gnu/packages/patches/gnutls-skip-trust-store-test.patch @@ -0,0 +1,15 @@ +Version 3.5.11 added a test to check that the default trust store is readable. +It does not exist in the build environment, so pretend everything is fine. + +diff a/tests/trust-store.c b/tests/trust-store.c +--- a/tests/trust-store.c ++++ b/tests/trust-store.c +@@ -61,7 +61,7 @@ + } else if (ret < 0) { + fail("error loading system trust store: %s\n", gnutls_strerror(ret)); + } else if (ret == 0) { +- fail("no certificates were found in system trust store!\n"); ++ success("no trust store in the Guix build environment!\n"); + } + + gnutls_certificate_free_credentials(x509_cred); diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 8964abb2f..69dcb015b 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2016, 2017 Efraim Flashner ;;; Copyright © 2016, 2017 ng0 ;;; Copyright © 2016 Hartmut Goebel +;;; Copyright © 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -142,6 +143,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") + (replacement gnutls-3.5.13) (version "3.5.9") (source (origin (method url-fetch) 
@@ -214,6 +216,24 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) +(define gnutls-3.5.13 + (package + (inherit gnutls) + (version "3.5.13") + (replacement #f) + (source (origin + (method url-fetch) + (uri + (string-append "mirror://gnupg/gnutls/v" + (version-major+minor version) + "/gnutls-" version ".tar.xz")) + (patches + (search-patches "gnutls-skip-trust-store-test.patch" + "gnutls-skip-pkgconfig-test.patch")) + (sha256 + (base32 + "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr")))))) + (define-public gnutls/guile-2.2 ;; GnuTLS for Guile 2.2. This is supported by GnuTLS >= 3.5.5. (package -- 2.13.1
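
Review bot: in the `dist_patch_DATA` hunk of gnu/local.mk the two new entries are out of alphabetical order: `gnutls-skip-trust-store-test.patch` is listed before `gnutls-skip-pkgconfig-test.patch`, while the surrounding entries are sorted. Swap the two lines.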
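
Review bot: in gnutls-skip-pkgconfig-test.patch, the hunk on tests/pkgconfig.sh changes the dynamic-link command from `cc` to `gcc`, and the FIXME header does not mention it; the header only covers the removed static-link step. Say why the compiler name has to change, or put it in its own patch. The FIXME also records the symptom (`undefined reference to 'gnutls_global_init'`) with no cause and no pointer to an upstream report, so nothing tells a later reader when the static-link check can be restored; add that, or state what is still to be investigated.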
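
Review bot: in gnutls-skip-trust-store-test.patch, replacing `fail(...)` with `success(...)` in the `ret == 0` branch of tests/trust-store.c makes the test report a pass when no certificates were loaded, so the test log can no longer tell "checked and fine" from "not checked". Report the test as skipped in that branch instead (the Automake harness that prints `FAIL pkgconfig.sh (exit status: 1)` treats exit status 77 as SKIP); that form is also one that could go upstream. The `ret < 0` branch is untouched, so a real load error still fails.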
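
Review bot: in the `gnutls-3.5.13` definition in gnu/packages/tls.scm, `(version "3.5.13")` gives the replacement a store name one character longer than that of the grafted package, which has `(version "3.5.9")`. The graft builder refuses that, as the `replacement length differs from the original length` error later in this thread shows, so the graft as written cannot be applied to dependents. Pick a version string of the same length as the original and add a comment next to it explaining the constraint.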

From: ludo@gnu.org (Ludovic Courtès)
Date: Sat, 10 Jun 2017 16:29:44 +0200

Hi Marius,

Marius Bakke wrote:

> This update addresses the following security advisories:
>
> GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.
>
> These links contain more information about the vulnerabilities and releases:
>
> https://gnutls.org/security.html
> https://gnutls.org/news.html
>
> * gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
> gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register patches.
> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
> (gnutls-3.5.13): New variable.

Assuming binary compatibility, that looks good to me.

While you’re at it, could you update GnuTLS in ‘core-updates’?

For the trust-store.c test, we could ask upstream to arrange so that the
test is skipped when the trust store doesn’t exist; would the test still
make sense?

Thanks,
Ludo’.

From: Marius Bakke
Date: Sat, 10 Jun 2017 18:16:07 +0200

Ludovic Courtès writes:

> Hi Marius,
>
> Marius Bakke wrote:
>
>> This update addresses the following security advisories:
>>
>> GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.
>>
>> These links contain more information about the vulnerabilities and releases:
>>
>> https://gnutls.org/security.html
>> https://gnutls.org/news.html
>>
>> * gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
>> gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register patches.
>> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
>> (gnutls-3.5.13): New variable.
>
> Assuming binary compatibility, that looks good to me.

The release notes since version 3.5.9 explicitly mention no API or ABI
changes.

> While you’re at it, could you update GnuTLS in ‘core-updates’?

Indeed; that was the intention. Will merge-and-ungraft after committing.

> For the trust-store.c test, we could ask upstream to arrange so that the
> test is skipped when the trust store doesn’t exist; would the test still
> make sense?

The test *only* checks that the --default-trust-store exists.
However, the current solution is rather hacky, will check for proper
skipping mechanisms.

I tested this graft on my profile, but apparently the grafting code
checks the store item length and refuses since the .13 is one byte
longer than .9:

Backtrace:
In ice-9/boot-9.scm:
  160: 14 [catch #t # ...]
In unknown file:
  ?: 13 [apply-smob/1 #]
In ice-9/boot-9.scm:
  66: 12 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
  432: 11 [eval # #]
In ice-9/boot-9.scm:
  2412: 10 [save-module-excursion #]
  4089: 9 [#]
  1734: 8 [%start-stack load-stack #]
  1739: 7 [#]
In unknown file:
  ?: 6 [primitive-load "/gnu/store/aaxbysgk1j098i8i6ag24jslnizwmdlw-ffmpeg-3.3.2-guile-builder"]
In ice-9/eval.scm:
  387: 5 [eval # ()]
In ice-9/boot-9.scm:
  797: 4 [for-each # # #]
In /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:
  262: 3 [rewrite-directory "/gnu/store/kx3gc2swra9f2clkrgxall1bb5mcxhpc-ffmpeg-3.3.2" ...]
In srfi/srfi-1.scm:
  575: 2 [map # ...]
In /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:
  268: 1 [# #]
In unknown file:
  ?: 0 [scm-error misc-error #f ...]

ERROR: In procedure scm-error:
ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
builder for `/gnu/store/hjzqpxdirqv5hmlyc2cg1pisnchnfisi-ffmpeg-3.3.2.drv' failed with exit code 1
cannot build derivation `/gnu/store/dn6qzxbp9xk659ypldnpgdb07fvx4343-profile.drv': 1 dependencies couldn't be built
guix package: error: build failed: build of `/gnu/store/dn6qzxbp9xk659ypldnpgdb07fvx4343-profile.drv' failed

Not sure what to do about it. Ideas?

From: Marius Bakke
Date: Sat, 10 Jun 2017 18:37:19 +0200

Marius Bakke writes:

> I tested this graft on my profile, but apparently the grafting code
> checks the store item length and refuses since the .13 is one byte
> longer than .9:

[...]

> ERROR: In procedure scm-error:
> ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"

The attached patch allows the graft to proceed, but I'm not sure about
the sanity of it all. Thoughts?

From 5f122f6e1b73fb7a664142a20ac70890cb6956f9 Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Sat, 10 Jun 2017 18:31:03 +0200
Subject: [PATCH] build: graft: Allow longer replacement store names.

* guix/build/graft.scm (rewrite-directory): Only fail if replacement name is
shorter.
---
guix/build/graft.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/guix/build/graft.scm b/guix/build/graft.scm index 16df169ec..2b3b99cb1 100644 =2D-- a/guix/build/graft.scm +++ b/guix/build/graft.scm 
@@ -263,9 +263,9 @@ file name pairs." (((=3D hash+rest (origin-hash origin-string)) . (=3D hash+rest (replacement-hash replacement-string))) =2D (unless (=3D (string-length origin-string) =2D (string-length replacement-string)) =2D (error "replacement length differs from the original len= gth" + (unless (<=3D (string-length origin-string) + (string-length replacement-string)) + (error "replacement length is shorter than the original le= ngth" origin-string replacement-string)) (cons origin-hash (string->utf8 replacement-string))) ((origin . replacement) =2D-=20 2.13.1
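
Review bot: the relaxed comparison in `rewrite-directory` now accepts a `replacement-string` that is longer than `origin-string`, but nothing else in this hunk changes: the mapping still pairs `origin-hash` with the full bytes of `replacement-string` via `(cons origin-hash (string->utf8 replacement-string))`. If the rewriting code substitutes references where they sit in a file, the extra byte has nowhere to go without overwriting or shifting what follows the reference. Unless the code that consumes this mapping is shown to handle a length change, keep the equality check and give the replacement a store name of the same length instead.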

From: Marius Bakke
Date: Sat, 10 Jun 2017 20:07:57 +0200

Marius Bakke writes:

> Marius Bakke writes:
>
>> I tested this graft on my profile, but apparently the grafting code
>> checks the store item length and refuses since the .13 is one byte
>> longer than .9:
>
> [...]
>
>> ERROR: In procedure scm-error:
>> ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
>
> The attached patch allows the graft to proceed, but I'm not sure about
> the sanity of it all. Thoughts?

[...]

> Subject: [PATCH] build: graft: Allow longer replacement store names.

Thinking further about this, replacing a string of a fixed length with
that of another sounds highly unsafe. So I'm not sure what the best
approach here is. Maybe some dummy version number like 3.5.a? Or simply
keep 3.5.9?
From: Leo Famulari Message-ID: <20170610230537.GA14865@jasmine> References: <20170610135851.6341-1-mbakke@fastmail.com> <87bmpvykyv.fsf@gnu.org> <87poeblsxk.fsf@fastmail.com> <87mv9flry8.fsf@fastmail.com> <87ink3lnr6.fsf@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="HcAYCG3uE/tztfnV" Content-Disposition: inline In-Reply-To: <87ink3lnr6.fsf@fastmail.com> User-Agent: Mutt/1.8.3 (2017-05-23) X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sat, Jun 10, 2017 at 08:07:57PM +0200, Marius Bakke wrote: > Thinking further about this, replacing a string of a fixed length with > that of another sounds highly unsafe. So I'm not sure what the best > approach here is. Maybe some dummy version number like 3.5.a? Or simply > keep 3.5.9? We did something similar when grafting bash [0], changing 4.4.0 to 4.4.A. It's not great, but it worked. [0] commit 50b8a527efe375ac5377670ff0f159fbbce45312 (gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].). 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=50b8a527efe375ac5377670ff0f159fbbce45312

From unknown Fri Jun 20 20:11:52 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Marius Bakke
Subject: bug#27308: closed (Re: bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.)
Reply-To: 27308@debbugs.gnu.org
Date: Sat, 10 Jun 2017 23:26:01 +0000

Your bug report

#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 27308@debbugs.gnu.org.

-- 
27308: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27308
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Marius Bakke
To: Leo Famulari
Cc: 27308-done@debbugs.gnu.org
Subject: Re: bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
Date: Sun, 11 Jun 2017 01:25:38 +0200
Message-ID: <87efurl91p.fsf@fastmail.com>
In-Reply-To: <20170610230537.GA14865@jasmine>

Leo Famulari writes:

> On Sat, Jun 10, 2017 at 08:07:57PM +0200, Marius Bakke wrote:
>> Thinking further about this, replacing a string of a fixed length with
>> that of another sounds highly unsafe. So I'm not sure what the best
>> approach here is. Maybe some dummy version number like 3.5.a? Or simply
>> keep 3.5.9?
>
> We did something similar when grafting bash [0], changing 4.4.0 to
> 4.4.A. It's not great, but it worked.

Ha, I already settled on 'D'. Works until version .16 ;-)

I realized 'guile2.2-gnutls' needed (replacement #f) and inheriting the
fixed sources as well.

Pushed!

From: Marius Bakke
To: guix-patches@gnu.org
Subject: [PATCH] gnu: gnutls: Replace with 3.5.13.
Date: Sat, 10 Jun 2017 15:58:51 +0200
Message-Id: <20170610135851.6341-1-mbakke@fastmail.com>

This update addresses the following security advisories:
GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.

These links contain more information about the vulnerabilities and releases:

https://gnutls.org/security.html
https://gnutls.org/news.html

* gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register patches.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.13): New variable.
--- gnu/local.mk | 2 ++ .../patches/gnutls-skip-pkgconfig-test.patch | 24 ++++++++++++++++++++++ .../patches/gnutls-skip-trust-store-test.patch | 15 ++++++++++++++ gnu/packages/tls.scm | 20 ++++++++++++++++++ 4 files changed, 61 insertions(+) create mode 100644 gnu/packages/patches/gnutls-skip-pkgconfig-test.patch create mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch diff --git a/gnu/local.mk b/gnu/local.mk index 686c3c639..70b4a44a1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -640,6 +640,8 @@ dist_patch_DATA = \ %D%/packages/patches/gmp-faulty-test.patch \ %D%/packages/patches/gnome-tweak-tool-search-paths.patch \ %D%/packages/patches/gnucash-price-quotes-perl.patch \ + %D%/packages/patches/gnutls-skip-trust-store-test.patch \ + %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch new file mode 100644 index 000000000..1fad7c14e --- /dev/null +++ b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch @@ -0,0 +1,24 @@ +FIXME: The static test fails with an error such as: + +/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main': +c.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init' +collect2: error: ld returned 1 exit status +FAIL pkgconfig.sh (exit status: 1) + +diff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh +index 6bd4e62f9..05aab8278 100755 +--- a/tests/pkgconfig.sh ++++ b/tests/pkgconfig.sh +@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:" + echo " * flags: $(${PKGCONFIG} --libs gnutls)" + echo " * common: ${COMMON}" + echo " * lib: ${CFLAGS}" +-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON} +- +-echo "" +-echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)" +-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON} ++gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON} + + rm -f ${TMPFILE} ${TMPFILE_O} + diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch new file mode 100644 index 000000000..e0536712a --- /dev/null 
+++ b/gnu/packages/patches/gnutls-skip-trust-store-test.patch @@ -0,0 +1,15 @@ +Version 3.5.11 added a test to check that the default trust store is readable. +It does not exist in the build environment, so pretend everything is fine. + +diff a/tests/trust-store.c b/tests/trust-store.c +--- a/tests/trust-store.c ++++ b/tests/trust-store.c +@@ -61,7 +61,7 @@ + } else if (ret < 0) { + fail("error loading system trust store: %s\n", gnutls_strerror(ret)); + } else if (ret == 0) { +- fail("no certificates were found in system trust store!\n"); ++ success("no trust store in the Guix build environment!\n"); + } + + gnutls_certificate_free_credentials(x509_cred); diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 8964abb2f..69dcb015b 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2016, 2017 Efraim Flashner ;;; Copyright © 2016, 2017 ng0 ;;; Copyright © 2016 Hartmut Goebel +;;; Copyright © 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -142,6 +143,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") + (replacement gnutls-3.5.13) (version "3.5.9") (source (origin (method url-fetch) 
@@ -214,6 +216,24 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) +(define gnutls-3.5.13 + (package + (inherit gnutls) + (version "3.5.13") + (replacement #f) + (source (origin + (method url-fetch) + (uri + (string-append "mirror://gnupg/gnutls/v" + (version-major+minor version) + "/gnutls-" version ".tar.xz")) + (patches + (search-patches "gnutls-skip-trust-store-test.patch" + "gnutls-skip-pkgconfig-test.patch")) + (sha256 + (base32 + "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr")))))) + (define-public gnutls/guile-2.2 ;; GnuTLS for Guile 2.2. This is supported by GnuTLS >= 3.5.5. (package -- 2.13.1
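
Review bot: In the gnu/local.mk hunk the two new dist_patch_DATA entries are out of order: gnutls-skip-trust-store-test.patch is listed before gnutls-skip-pkgconfig-test.patch, while the surrounding entries (gmp-, gnome-, gnucash-, gobject-) are sorted alphabetically. Swap the two added lines so the list stays sorted.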
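
Review bot: The header of gnutls-skip-pkgconfig-test.patch only documents the failing static link, but the hunk against tests/pkgconfig.sh also changes `cc` to `gcc` on the dynamic-linking line, and that change is not explained anywhere. Say in the header why the compiler name is changed, and, since the header is marked FIXME, what would have to be fixed for the static check to come back. The file name says the test is skipped, while only its static-linking half is removed; a name that reflects that would be less surprising.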
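
Review bot: In gnutls-skip-trust-store-test.patch, replacing `fail(...)` with `success(...)` in the `ret == 0` branch makes tests/trust-store.c pass whenever no certificates are found, not only in the build environment, so the test no longer checks anything in that case. The header already admits the intent is to pretend everything is fine; consider marking the test as skipped or leaving it out of the test run instead, so that a test log never reports a trust-store check as passed when it did not run.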
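
Review bot: In the gnu/packages/tls.scm hunk at @@ -142,6 +143,7, `(replacement gnutls-3.5.13)` is added next to `(version "3.5.9")`, and the replacement's version string is one character longer, so the two store item names differ in length. The error quoted in this thread ("replacement length differs from the original length") is the grafting code refusing exactly that. Give the replacement a version string of the same length as "3.5.9" and say in a comment why it is not the upstream version number.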
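
Review bot: The new `gnutls-3.5.13` definition at @@ -214,6 +216,24 has no comment saying why it exists. A line above the `define` naming the advisories from the commit message (GNUTLS-SA-2017-3, aka CVE-2017-7869, and GNUTLS-SA-2017-4) would tell the next reader what the graft fixes and when it can be dropped. Also check `gnutls/guile-2.2` in the trailing context lines: if it inherits from `gnutls`, it now inherits the `replacement` field as well and needs its own `(replacement #f)` together with the fixed source.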

From: ludo@gnu.org (Ludovic Courtès)
Date: Sun, 11 Jun 2017 15:57:57 +0200
Message-ID: <87zidesk2i.fsf@gnu.org>
In-Reply-To: <87mv9flry8.fsf@fastmail.com> (Marius Bakke's message of "Sat, 10 Jun 2017 18:37:19 +0200")

Marius Bakke writes:

> Marius Bakke writes:
>
>> I tested this graft on my profile, but apparently the grafting code
>> checks the store item length and refuses since the .13 is one byte
>> longer than .9:

[...]

> index 16df169ec..2b3b99cb1 100644 > --- a/guix/build/graft.scm > +++ b/guix/build/graft.scm 
> @@ -263,9 +263,9 @@ file name pairs." > (((=3D hash+rest (origin-hash origin-string)) > . > (=3D hash+rest (replacement-hash replacement-string))) > - (unless (=3D (string-length origin-string) > - (string-length replacement-string)) > - (error "replacement length differs from the original len= gth" > + (unless (<=3D (string-length origin-string) > + (string-length replacement-string)) > + (error "replacement length is shorter than the original = length"

That won’t work. The workaround is to use a version string with the
right length, say “3.5.A”. It’s enough to allow users to distinguish it
from the affected version, so that’s okay IMO.

Ludo’.
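
Review bot: In the `unless` condition, relaxing `=` to `<=` lets a replacement string that is longer than the original through, but nothing in this hunk changes how the replacement is then written over the original bytes, so the only thing the change removes is the guard. If longer names are meant to be supported, the rewriting code has to handle the size change and that belongs in the same patch; otherwise keep the equality check and its original error message, and make the replacement's name the same length as the original's.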
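
Why the length check discussed in this thread matters, as an added Python illustration that is not Guix's grafting code. It assumes a toy image format (hypothetical `build_image` and `read_strings`) whose header stores fixed offsets into a string area, and a constructed same-length name `SAME_LENGTH` with a made-up hash.

```python
import struct

STORE = b"/gnu/store/"
# Store item names quoted in the error message in this thread.
ORIGINAL = b"56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9"
LONGER = b"78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
# Constructed placeholder: made-up hash, same length as ORIGINAL.
SAME_LENGTH = b"0" * 32 + b"-gnutls-3.5.D"

# Constructed sample strings that a binary might embed.
LIB_PATH = STORE + ORIGINAL + b"/lib/libgnutls.so.30"
SYMBOL = b"GNUTLS_3_4"


def build_image(strings):
    """Toy image: count, then (offset, length) per string, then the bytes."""
    header_size = 4 + 8 * len(strings)
    table, blob = b"", b""
    for s in strings:
        table += struct.pack("<II", header_size + len(blob), len(s))
        blob += s
    return struct.pack("<I", len(strings)) + table + blob


def read_strings(image):
    """Read every string back through the offsets stored in the header."""
    (count,) = struct.unpack_from("<I", image, 0)
    result = []
    for i in range(count):
        offset, length = struct.unpack_from("<II", image, 4 + 8 * i)
        result.append(image[offset:offset + length])
    return result


def naive_graft(image, original, replacement):
    """Substitute the reference with no length check at all."""
    return image.replace(original, replacement)


def checked_graft(image, original, replacement):
    """Substitute the reference only when the image layout cannot move."""
    if len(original) != len(replacement):
        raise ValueError("replacement length differs from the original length")
    return image.replace(original, replacement)


def demo():
    """Return the strings read back after a same-length and a longer graft."""
    image = build_image([LIB_PATH, SYMBOL])
    good = read_strings(checked_graft(image, ORIGINAL, SAME_LENGTH))
    bad = read_strings(naive_graft(image, ORIGINAL, LONGER))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("same length:    ", good)
    print("one byte longer:", bad)
```

With the one-byte-longer name, the first string comes back truncated and the second one starts a byte early, because the offsets recorded in the header still describe the old layout.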