Package: guix-patches;
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Tue, 11 Dec 2018 01:13:02 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: Marius Bakke <mbakke <at> fastmail.com> To: 33701 <at> debbugs.gnu.org Subject: [bug#33701] [PATCH staging 00/23] Glib/GTK+ updates Date: Tue, 11 Dec 2018 21:42:09 +0100
[Message part 1 (text/plain, inline)]
Marius Bakke <mbakke <at> fastmail.com> writes: > This late series adds around 1000 rebuilds to the current staging > branch. They also bring many of the GNOME family libraries to the > latest upstream versions. > > The good: > * Latest Ghostscript, Poppler, Harfbuzz, GnuTLS, and other > security-critical libraries. Some of these have changed > build systems, or ABIs, so future patching is easier. > * Most/all regressions are already fixed. Whoops, I spoke too soon: I upgraded glib-networking from 2.58 to 2.59 in the last minute (to fix a test failure), but the change broke libsoup and possibly more. In v2 of this series, two patches have diverged. Libsoup was adjusted to cope with the new "certtool" API from GnuTLS 3.6:
[0019-gnu-GnuTLS-Update-to-3.6.5.patch (text/x-patch, inline)]
From cab3a4a7fe3e719f2991384c161043bbfae742d6 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke <at> fastmail.com>
Date: Mon, 10 Dec 2018 02:38:32 +0100
Subject: [PATCH staging 19/23] gnu: GnuTLS: Update to 3.6.5.
* gnu/packages/patches/gnutls-skip-pkgconfig-test.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
* gnu/packages/tls.scm (gnutls): Update to 3.6.5.
[source](patches): Remove obsolete.
[source](snippet): Add Guile detection fix.
* gnu/packages/gnome.scm (libsoup)[arguments]: Adjust 'certtool' invokation to
cope with the new API.
---
gnu/local.mk | 1 -
gnu/packages/gnome.scm | 3 ++-
.../patches/gnutls-skip-pkgconfig-test.patch | 24 -------------------
gnu/packages/tls.scm | 17 +++++++++----
4 files changed, 14 insertions(+), 31 deletions(-)
delete mode 100644 gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0d279e55eb..3f2ca7a845 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -772,7 +772,6 @@ dist_patch_DATA = \
%D%/packages/patches/gnucash-price-quotes-perl.patch \
%D%/packages/patches/gnucash-disable-failing-tests.patch \
%D%/packages/patches/gnutls-skip-trust-store-test.patch \
- %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 9d8e4a8d33..cea9445191 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -2556,7 +2556,8 @@ libxml to ease remote use of the RESTful API.")
"" ;URI of subject
"127.0.0.1" ;IP address of subject
"" ;signing?
- "" ;encryption?
+ "" ;encryption (RSA)?
+ "" ;data encryption?
"" ;sign OCSP requests?
"" ;sign code?
"" ;time stamping?
diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
deleted file mode 100644
index 1fad7c14e3..0000000000
--- a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-FIXME: The static test fails with an error such as:
-
-/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main':
-c.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init'
-collect2: error: ld returned 1 exit status
-FAIL pkgconfig.sh (exit status: 1)
-
-diff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh
-index 6bd4e62f9..05aab8278 100755
---- a/tests/pkgconfig.sh
-+++ b/tests/pkgconfig.sh
-@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:"
- echo " * flags: $(${PKGCONFIG} --libs gnutls)"
- echo " * common: ${COMMON}"
- echo " * lib: ${CFLAGS}"
--cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
--
--echo ""
--echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)"
--cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
-+gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
-
- rm -f ${TMPFILE} ${TMPFILE_O}
-
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index d9971441c6..73be90d0d3 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -162,7 +162,7 @@ living in the same process.")
(define-public gnutls
(package
(name "gnutls")
- (version "3.5.18")
+ (version "3.6.5")
(source (origin
(method url-fetch)
(uri
@@ -171,12 +171,19 @@ living in the same process.")
(string-append "mirror://gnupg/gnutls/v"
(version-major+minor version)
"/gnutls-" version ".tar.xz"))
- (patches
- (search-patches "gnutls-skip-trust-store-test.patch"
- "gnutls-skip-pkgconfig-test.patch"))
+ (patches (search-patches "gnutls-skip-trust-store-test.patch"))
(sha256
(base32
- "0d02x28fwkkx7xzn7807nww6idchizzq3plx8sfcyiw7wzclh8mf"))))
+ "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; XXX: The generated configure script in GnuTLS 3.6.5
+ ;; apparently does not know about Guile 2.2.
+ (substitute* "configure"
+ (("guile_versions_to_search=\"2\\.0 1\\.8\"")
+ "guile_versions_to_search=\"2.2 2.0 1.8\""))
+ #t))))
(build-system gnu-build-system)
(arguments
`(; Ensure we don't keep a reference to this buggy software.
--
2.20.0
[Message part 3 (text/plain, inline)]
...while Glib-Networking was downgraded to 2.58, and removes related code at the same time:
[0023-gnu-glib-networking-Update-to-2.58.0.patch (text/x-patch, inline)]
From ade89abc16f2247e6d5db633f001ff853fa989ba Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke <at> fastmail.com>
Date: Mon, 10 Dec 2018 07:39:52 +0100
Subject: [PATCH staging 23/23] gnu: glib-networking: Update to 2.58.0.
* gnu/packages/gnome.scm (glib-networking): Update to 2.58.0.
[build-system]: Change to MESON-BUILD-SYSTEM.
[arguments]: Explicitly disable libproxy; add phase to appease tests.
(libgdata, libsoup)[arguments]: Remove phase that sets SSL_CERT_FILE.
* gnu/packages/spice.scm (spice)[arguments]: Likewise.
* gnu/packages/web.scm (uhttpmock)[arguments]: Likewise.
---
gnu/local.mk | 1 -
gnu/packages/gnome.scm | 43 +++++--------------
.../glib-networking-ssl-cert-file.patch | 29 -------------
gnu/packages/spice.scm | 6 +--
gnu/packages/web.scm | 9 ----
5 files changed, 12 insertions(+), 76 deletions(-)
delete mode 100644 gnu/packages/patches/glib-networking-ssl-cert-file.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 3f2ca7a845..03627b98c1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -741,7 +741,6 @@ dist_patch_DATA = \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
%D%/packages/patches/giflib-make-reallocarray-private.patch \
- %D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \
%D%/packages/patches/glibc-CVE-2015-5180.patch \
%D%/packages/patches/glibc-CVE-2015-7547.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index cea9445191..95bfcaf564 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -360,12 +360,6 @@ formats like PNG, SVG, PDF and EPS.")
(arguments
'(#:phases
(modify-phases %standard-phases
- (add-before 'check 'use-empty-ssl-cert-file
- (lambda _
- ;; The ca-certificates.crt is not available in the build
- ;; environment.
- (setenv "SSL_CERT_FILE" "/dev/null")
- #t))
(add-before 'check 'disable-failing-tests
(lambda _
;; The PicasaWeb API tests fail with gnome-online-accounts <at> 3.24.2.
@@ -2396,7 +2390,7 @@ library.")
(define-public glib-networking
(package
(name "glib-networking")
- (version "2.54.1")
+ (version "2.58.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnome/sources/glib-networking/"
@@ -2404,29 +2398,17 @@ library.")
name "-" version ".tar.xz"))
(sha256
(base32
- "0bq16m9nh3gcz9x2fvygr0iwxd2pxcbrm3lj3kihsnh1afv8g9za"))
- (patches
- (search-patches "glib-networking-ssl-cert-file.patch"))))
- (build-system gnu-build-system)
+ "0s006gs9nsq6mg31spqha1jffzmp6qjh10y27h0fxf1iw1ah5ymx"))))
+ (build-system meson-build-system)
(arguments
- `(#:configure-flags
- '("--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt")
- #:phases
- (modify-phases %standard-phases
- (add-before 'configure 'patch-giomoduledir
- ;; Install GIO modules into $out/lib/gio/modules.
- (lambda _
- (substitute* "configure"
- (("GIO_MODULE_DIR=.*")
- (string-append "GIO_MODULE_DIR=" %output
- "/lib/gio/modules\n")))
- #t))
- (add-before 'check 'use-empty-ssl-cert-file
- (lambda _
- ;; The ca-certificates.crt is not available in the build
- ;; environment.
- (setenv "SSL_CERT_FILE" "/dev/null")
- #t)))))
+ `(#:configure-flags '("-Dlibproxy_support=false")
+ #:phases (modify-phases %standard-phases
+ (add-before 'check 'disable-TLSv1.3
+ (lambda _
+ ;; XXX: One test fails when TLS 1.3 is enabled, fixed in 2.60.0:
+ ;; <https://gitlab.com/gnutls/gnutls/issues/615>.
+ (setenv "G_TLS_GNUTLS_PRIORITY" "NORMAL:-VERS-TLS1.3")
+ #t)))))
(native-inputs
`(("pkg-config" ,pkg-config)
("intltool" ,intltool)))
@@ -2516,9 +2498,6 @@ libxml to ease remote use of the RESTful API.")
;; The 'check-local' target runs 'env LANG=C sort -u',
;; unset 'LC_ALL' to make 'LANG' working.
(unsetenv "LC_ALL")
- ;; The ca-certificates.crt is not available in the build
- ;; environment.
- (setenv "SSL_CERT_FILE" "/dev/null")
;; HTTPD in Guix uses mod_event and does not build prefork.
(substitute* "tests/httpd.conf"
(("^LoadModule mpm_prefork_module.*$") "\n"))
diff --git a/gnu/packages/patches/glib-networking-ssl-cert-file.patch b/gnu/packages/patches/glib-networking-ssl-cert-file.patch
deleted file mode 100644
index 32bdd0790f..0000000000
--- a/gnu/packages/patches/glib-networking-ssl-cert-file.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From b010e41346d418220582c20ab8d7f3971e4fb78a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong <at> gmail.com>
-Date: Fri, 14 Aug 2015 17:28:36 +0800
-Subject: [PATCH] gnutls: Allow overriding the anchor file location by
- 'SSL_CERT_FILE'
-
----
- tls/gnutls/gtlsbackend-gnutls.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/tls/gnutls/gtlsbackend-gnutls.c b/tls/gnutls/gtlsbackend-gnutls.c
-index 55ec1a5..217d3c8 100644
---- a/tls/gnutls/gtlsbackend-gnutls.c
-+++ b/tls/gnutls/gtlsbackend-gnutls.c
-@@ -101,8 +101,10 @@ g_tls_backend_gnutls_real_create_database (GTlsBackendGnutls *self,
- GError **error)
- {
- const gchar *anchor_file = NULL;
-+ anchor_file = g_getenv ("SSL_CERT_FILE");
- #ifdef GTLS_SYSTEM_CA_FILE
-- anchor_file = GTLS_SYSTEM_CA_FILE;
-+ if (!anchor_file)
-+ anchor_file = GTLS_SYSTEM_CA_FILE;
- #endif
- return g_tls_file_database_new (anchor_file, error);
- }
---
-2.4.3
-
diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 94e6aa8438..8ab5a335c8 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -213,11 +213,7 @@ which allows users to view a desktop computing environment.")
"--enable-automated-tests")
;; Several tests appear to be opening the same sockets concurrently.
- #:parallel-tests? #f
-
- #:phases (modify-phases %standard-phases
- (add-before 'check 'use-empty-ssl-cert-file
- (lambda _ (setenv "SSL_CERT_FILE" "/dev/null") #t)))))
+ #:parallel-tests? #f))
(synopsis "Server implementation of the SPICE protocol")
(description "SPICE is a remote display system built for virtual
environments which allows you to view a computing 'desktop' environment
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index f8315d4379..8dc6927897 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -4241,15 +4241,6 @@ you'd expect.")
(base32
"163py4klka423x7li2b685gmg3a6hjf074mlff2ajhmi3l0lm8x6"))))
(build-system glib-or-gtk-build-system)
- (arguments
- `(#:phases
- (modify-phases %standard-phases
- (add-before 'check 'use-empty-ssl-cert-file
- (lambda _
- ;; Search for ca-certificates.crt files
- ;; during the check phase.
- (setenv "SSL_CERT_FILE" "/dev/null")
- #t)))))
(native-inputs
`(("gobject-introspection" ,gobject-introspection)
;; For check phase.
--
2.20.0
[Message part 5 (text/plain, inline)]
The reason for removing SSL_CERT_FILE completely instead of adjusting the patch is that Glib-Networking no longer does any certificate handling by itself, instead everything is handed over to GnuTLS. Thus supporting such a patch is difficult, and it does not seem to be needed anymore in practice.
[signature.asc (application/pgp-signature, inline)]
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.