From unknown Fri Jun 13 11:06:24 2025
Subject: [bug#47413] [PATCH] Added DeaDBeeF package to music.scm
Resent-From: Charlie Ruppe
Resent-Date: Fri, 26 Mar 2021 15:58:02 +0000
To: 47413@debbugs.gnu.org
Cc: Charlie Ruppe
From: Charlie Ruppe
Date: Fri, 26 Mar 2021 11:56:59 -0400
Message-Id: <20210326155659.26806-1-ruppe.charlie@gmail.com>

--- gnu/packages/music.scm | 53 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm index 98cd3583cc..eb3933a5d6 100644 --- a/gnu/packages/music.scm +++ b/gnu/packages/music.scm
@@ -598,6 +598,59 @@ It is a fork of Clementine aimed at music collectors and audiophiles.") many input formats and provides a customisable Vi-style user interface.") (license license:gpl2+))) +(define-public deadbeef + (package + (name "deadbeef") + (version "1.8.4") + (source (origin + (method git-fetch) + (uri (git-reference + (url "git://github.com/Alexey-Yakovenko/deadbeef.git") + (commit version) + (recursive? #t))) + (sha256 + (base32 + "1mwiblsfzlp2jhhj5mfcy84wxfna9nmx2ia0i5l570hnhj3gxpwn")))) + (build-system glib-or-gtk-build-system) + + (arguments '(#:configure-flags '("--enable-silent-rules") + #:tests? #f)) + (inputs `(("gettext" ,gettext-minimal) + ("libtool" ,libtool) + ("intltool" ,intltool) + ("autoconf" ,autoconf) + ("automake" ,automake) + ("pkg-config" ,pkg-config) + ("libsamplerate" ,libsamplerate) + ("gtk+" ,gtk+) + ("jansson" ,jansson) + ("alsa-lib" ,alsa-lib) + ("libvorbis" ,libvorbis) + ("libogg" ,libogg) + ("curl" ,curl) + ("imlib2" ,imlib2) + ("libjpeg-turbo" ,libjpeg-turbo) + ("libmad" ,libmad) + ("mpg123" ,mpg123) + ("flac" ,flac) + ("wavpack" ,wavpack) + ("libsndfile" ,libsndfile) + ("libcdio" ,libcdio) + ("ffmpeg" ,ffmpeg) + ("xlib" ,xorg-server) + ("dbus" ,dbus) + ("pulseaudio" ,pulseaudio) + ("faad2" ,faad2) + ("zlib" ,zlib) + ("libzip" ,libzip) + )) + (synopsis "Modular audio player for desktop operating systems") + (description "DeaDBeeF (as in 0xDEADBEEF) is a modular audio player for GNU/Linux, *BSD, OpenSolaris, macOS, and other UNIX-like systems. 
+ +DeaDBeeF lets you play variety of audio formats, convert between them, customize the UI almost any way you want, and use many additional plugins which can extend it even more.") + (home-page "https://deadbeef.sourceforge.io/") + (license (list license:gpl2+ license:lgpl2.1 license:zlib)))) + (define-public denemo (package (name "denemo") -- 2.31.0

From unknown Fri Jun 13 11:06:24 2025
Subject: [bug#47413] [PATCH] Added DeaDBeeF package to music.scm
Resent-From: Maxime Devos
Resent-Date: Fri, 26 Mar 2021 18:45:01 +0000
To: Charlie Ruppe , 47413@debbugs.gnu.org
From: Maxime Devos
Date: Fri, 26 Mar 2021 19:44:01 +0100
In-Reply-To: <20210326155659.26806-1-ruppe.charlie@gmail.com>
References: <20210326155659.26806-1-ruppe.charlie@gmail.com>

On Fri, 2021-03-26 at 11:56 -0400, Charlie Ruppe wrote:
> --- > gnu/packages/music.scm | 53 ++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 53 insertions(+)

You need to write a commit message (see the git repository of guix for plenty of examples). It's in the manual: ‘16.1 Submitting Patches’.

> diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm > index 98cd3583cc..eb3933a5d6 100644 > --- a/gnu/packages/music.scm > +++ b/gnu/packages/music.scm
> @@ -598,6 +598,59 @@ It is a fork of Clementine aimed at music collectors= and audiophiles.") > many input formats and provides a customisable Vi-style user interface."= ) > (license license:gpl2+))) > =20 > +(define-public deadbeef > + (package=20 > + (name "deadbeef") > + (version "1.8.4") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url "git://github.com/Alexey-Yakovenko/deadbeef.git") > + (commit version) > + (recursive? #t)))

I looked at , and it seems this repository does not pin the commits used, so this will break when the submodule repositories are updated.

> + (sha256 > + (base32 > + "1mwiblsfzlp2jhhj5mfcy84wxfna9nmx2ia0i5l570hnhj3gxpwn")))) > + (build-system glib-or-gtk-build-system) > + =20 > + (arguments '(#:configure-flags '("--enable-silent-rules") > + #:tests? #f))

Why are tests disabled? When tests are disabled for a package, a comment explaining why should be added.

> + (inputs `(("gettext" ,gettext-minimal)

These packages ...

> + ("libtool" ,libtool) > + ("intltool" ,intltool) > + ("autoconf" ,autoconf) > + ("automake" ,automake) > + ("pkg-config" ,pkg-config)

... should be in native-inputs (see 8.2.1 ‘‘package‘ Reference’ in the manual).
These following packages should be sorted by name.

> + ("libsamplerate" ,libsamplerate) > + ("gtk+" ,gtk+) > + ("jansson" ,jansson) > + ("alsa-lib" ,alsa-lib) > + ("libvorbis" ,libvorbis) > + ("libogg" ,libogg) > + ("curl" ,curl) > + ("imlib2" ,imlib2) > + ("libjpeg-turbo" ,libjpeg-turbo) > + ("libmad" ,libmad) > + ("mpg123" ,mpg123) > + ("flac" ,flac) > + ("wavpack" ,wavpack) > + ("libsndfile" ,libsndfile) > + ("libcdio" ,libcdio) > + ("ffmpeg" ,ffmpeg) > + ("xlib" ,xorg-server) > + ("dbus" ,dbus) > + ("pulseaudio" ,pulseaudio) > + ("faad2" ,faad2) > + ("zlib" ,zlib) > + ("libzip" ,libzip) > + ))

Also, ("xlib" ,xorg-server) does not make much sense to me. Did you mean "libx11" or "xorg-server" here?
Please move the trailing )) to after ,libzip).

> + (synopsis "Modular audio player for desktop operating systems")

‘for desktop operating systems’ seems redundant. Since when can I run Guix System on a so-called ‘smartphone’? (Why ‘quotes’? They are just small computers that can access the wireless telephone network.)

> + (description "DeaDBeeF (as in 0xDEADBEEF) is a modular audio player f= or GNU/Linux, *BSD, OpenSolaris, macOS, and other UNIX-like systems. > +DeaDBeeF lets you play variety of audio formats, convert between them, c= ustomize the UI almost any way you want, and use many additional plugins wh= ich can extend it even more.") >=20

This line is way too long. This would be pointed out to you if you ran "guix lint" (see the manual, 16.1 ‘Submitting Patches’).

Avoid marketing wording (‘almost any way you want’, ‘even more’, ‘modular’). Everything new is (supposedly) modular, well-written, supports many file formats, is customisable ... It's like it's the law or something. Just saying it is extensible should be ok, though. (See the manual, ‘Synopses and Descriptions’.)

Also, I don't see much reason to mention the various operating systems it supports. GNU Guix only supports GNU (/Linux & /Hurd).

It doesn't make much sense to mention DeaDBeeF has many plugins, if they aren't packaged in Guix.

> + (home-page "https://deadbeef.sourceforge.io/") > + (license (list license:gpl2+ license:lgpl2.1 license:zlib))))

*** Bundling problems

There is some bundling going on here! In tools/glade, there is an outdated copy of glade from 2007 (https://glade.gnome.org/), there is also a copy of gettext from 2010 (see intl/ChangeLog).

The submodule deadbeef-osx-deps purely consists of bundling. There may be some other bundling issues as well (I think I saw some VLC code somewhere but I don't recall where).
Some bundling of cURL: plugins/artwork/escape.c

*** (Security) bugs

Look e.g. at plugins/artwork/artwork.c. It assumes malloc always succeeds, never returning NULL. The function local_image_file does simply call strcpy and does some iteration with assignment without any comments on why everything is in bounds. I probably could find similar issues elsewhere.

This project has some systematic bad security practices, so I believe a package for this software should *not* be added to Guix proper (though feel free to define it in your own channel, see the manual), particularly as there are plenty of other sound / video players in Guix already.

That said, if "deadbeef" clears up its code base and the bundling issues are addressed (as well as the much less serious issues of inputs vs. native-inputs and what exactly goes into synopsis & description), I see no reason why the package couldn't go into Guix.

I'm sorry if this is rather harsh, but attackers are a very real thing *and* we have alternative software (e.g. vlc and gnome-music) that works just fine and (I presume) are much more security-conscious and have more eyeballs looking at the code ...

Greetings,
Maxime
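Review bot: In the `git-reference` of the new `deadbeef` origin, `(url "git://github.com/Alexey-Yakovenko/deadbeef.git")` fetches over the unauthenticated `git://` transport. The `sha256` still decides what is accepted, but the `https://` form of the same URL should be used so the fetch itself is authenticated too. In the same origin, `(commit version)` names a tag rather than a commit id and `(recursive? #t)` pulls in submodules, so a short comment saying which upstream revision the hash was computed from would help whoever updates the package next. `#:tests? #f` likewise needs a comment giving the reason.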
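The two patterns named in the review above (a malloc result used without a NULL check, and strcpy into a buffer with no stated bound), written in their hardened form as an added example. This is not DeaDBeeF's code; the helper names `join_path`, `dir_of` and `cover_path_for` and the file name `cover.jpg` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not DeaDBeeF code): write "<dir>/<name>" into out.
 * Returns 0 on success, -1 if an argument is NULL or the result would not
 * fit in out_size bytes including the terminating NUL. */
int join_path(char *out, size_t out_size, const char *dir, const char *name)
{
    if (!out || out_size == 0 || !dir || !name)
        return -1;
    int n = snprintf(out, out_size, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';          /* never leave a truncated path behind */
        return -1;
    }
    return 0;
}

/* Hypothetical helper: heap copy of the directory part of path
 * (everything before the last '/'). Returns NULL if path is NULL, has no
 * '/', or malloc fails; the caller must check the result and free() it. */
char *dir_of(const char *path)
{
    const char *slash = path ? strrchr(path, '/') : NULL;
    if (!slash)
        return NULL;
    size_t len = (size_t)(slash - path);
    char *dir = malloc(len + 1);
    if (!dir)                   /* allocation failure is reported, not assumed away */
        return NULL;
    memcpy(dir, path, len);     /* in bounds: len + 1 bytes were allocated */
    dir[len] = '\0';
    return dir;
}

/* Constructed use: where a cover image next to a track file would live. */
int cover_path_for(const char *track, char *out, size_t out_size)
{
    char *dir = dir_of(track);
    if (!dir)
        return -1;
    int rc = join_path(out, out_size, dir, "cover.jpg");
    free(dir);
    return rc;
}
```
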