Package: guix-patches;
Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Date: Sun, 22 Dec 2024 15:54:02 UTC
Severity: normal
Tags: patch
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To reply to this bug, email your comments to 75026 AT debbugs.gnu.org.
There is no need to reopen the bug first.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 15:54:02 GMT) Full text and rfc822 format available.Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:guix-patches <at> gnu.org.
(Sun, 22 Dec 2024 15:54:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: guix-patches <at> gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 0/7] Update gnutls and curl. Date: Mon, 23 Dec 2024 00:52:54 +0900
Maxim Cournoyer (7): gnu: gnutls: Update to 3.8.8. gnu: gnutls: Enable zstd compression. gnu: gnutls: Streamline mips64el conditionals. gnu: brotli: Update to 1.1.0. gnu: libidn: Update to 1.42. gnu: curl: Update to 8.11.1 and ungraft. gnu: curl: Enable zstd support. gnu/local.mk | 2 - gnu/packages/compression.scm | 47 ++-- gnu/packages/curl.scm | 59 +++--- gnu/packages/libidn.scm | 4 +- gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------ .../gnutls-skip-trust-store-test.patch | 15 -- gnu/packages/tls.scm | 50 ++--- 7 files changed, 74 insertions(+), 303 deletions(-) delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch base-commit: 42ba1aa8b3090f3a4957d36be14e93c5e36f1825 -- 2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 16:03:01 GMT) Full text and rfc822 format available.Message #8 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 75026 <at> debbugs.gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 2/7] gnu: gnutls: Enable zstd compression. Date: Mon, 23 Dec 2024 01:01:00 +0900
* gnu/packages/tls.scm [inputs]: Add zstd:lib.
Change-Id: I7cfce764181eebe12a32019107061c88edaa877a
---
gnu/packages/tls.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index ecdfb5c0e5..c0efb66d96 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -283,7 +283,7 @@ (define-public gnutls
iproute ;for 'ss'
socat ;several tests rely on it
datefudge)))) ;tests rely on 'datefudge'
- (inputs (list libunistring))
+ (inputs (list libunistring `(,zstd "lib")))
(propagated-inputs
;; These are all in the 'Requires.private' field of gnutls.pc.
(append (list libtasn1 libidn2 nettle zlib)
--
2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 16:03:02 GMT) Full text and rfc822 format available.Message #11 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 75026 <at> debbugs.gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8. Date: Mon, 23 Dec 2024 01:00:59 +0900
* gnu/packages/tls.scm (gnutls): Update to 3.8.8.
[source]: Delete patches.
[arguments]: Mark failing tests via XFAIL_TESTS make flag.
* gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1
---
gnu/local.mk | 1 -
.../gnutls-skip-trust-store-test.patch | 15 -----------
gnu/packages/tls.scm | 25 ++++++++++---------
3 files changed, 13 insertions(+), 28 deletions(-)
delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8155a5ae34..a4f2e71134 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1477,7 +1477,6 @@ dist_patch_DATA = \
%D%/packages/patches/gnumach-version.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
- %D%/packages/patches/gnutls-skip-trust-store-test.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path-1.72.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
deleted file mode 100644
index e0536712a5..0000000000
--- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Version 3.5.11 added a test to check that the default trust store is readable.
-It does not exist in the build environment, so pretend everything is fine.
-
-diff a/tests/trust-store.c b/tests/trust-store.c
---- a/tests/trust-store.c
-+++ b/tests/trust-store.c
-@@ -61,7 +61,7 @@
- } else if (ret < 0) {
- fail("error loading system trust store: %s\n", gnutls_strerror(ret));
- } else if (ret == 0) {
-- fail("no certificates were found in system trust store!\n");
-+ success("no trust store in the Guix build environment!\n");
- }
-
- gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 5f3bc72f6e..ecdfb5c0e5 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,7 +201,7 @@ (define-public p11-kit
(define-public gnutls
(package
(name "gnutls")
- (version "3.8.3")
+ (version "3.8.8")
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
@@ -209,10 +209,9 @@ (define-public gnutls
(uri (string-append "mirror://gnupg/gnutls/v"
(version-major+minor version)
"/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"))
(sha256
(base32
- "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))
+ "1yyq74lzlnkgwbr269mddi9vqi1j0dcnw8pdh09vb01qb0704kxc"))))
(build-system gnu-build-system)
(arguments
(list #:tests? (not (or (%current-target-system)
@@ -242,17 +241,19 @@ (define-public gnutls
;; not working on mips64el.
"--without-p11-kit")
'())))
-
+ #:make-flags
+ #~(list (string-append
+ "XFAIL_TESTS="
+ ;; This test checks that the default trust store is
+ ;; readable; expect it to fail since the trust store
+ ;; doesn't exist in the build environment.
+ "trust-store "
+ ;; This one fails only inside the build environment, for
+ ;; reasons unknown (see:
+ ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
+ "tls13/compress-cert-neg2 "))
#:phases
#~(modify-phases %standard-phases
- ;; fastopen.sh fails to connect to the server in the builder
- ;; environment (see:
- ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
- (add-after 'unpack 'disable-failing-tests
- (lambda _
- (substitute* "tests/fastopen.sh"
- (("^unset RETCODE")
- "exit 77\n")))) ;skip
#$@(if (target-ppc32?)
;; https://gitlab.com/gnutls/gnutls/-/issues/1354
;; Extend the test timeout from the default of 20 * 1000
--
2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 16:03:02 GMT) Full text and rfc822 format available.Message #14 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 75026 <at> debbugs.gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 3/7] gnu: gnutls: Streamline mips64el conditionals. Date: Mon, 23 Dec 2024 01:01:01 +0900
* gnu/packages/tls.scm (gnutls) [arguments]: Use target-mips64el? procedure in
#:configure-flags.
[propagated-inputs]: Likewise.
Change-Id: Ia4b603ef57cebe78df1d3e40222fe9c49d9ee8cc
---
gnu/packages/tls.scm | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index c0efb66d96..90d6ad5c95 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -232,15 +232,12 @@ (define-public gnutls
;; fallback, and users have to configure each program
;; independently. This seems suboptimal.
"--with-default-trust-store-dir=/etc/ssl/certs"
-
- (let ((system #$(or (%current-target-system)
- (%current-system))))
- (if (string-prefix? "mips64el" system)
- (list
- ;; FIXME: Temporarily disable p11-kit support since it is
- ;; not working on mips64el.
- "--without-p11-kit")
- '())))
+ (if #$(target-mips64el?)
+ (list
+ ;; FIXME: Temporarily disable p11-kit support since it is
+ ;; not working on mips64el.
+ "--without-p11-kit")
+ '()))
#:make-flags
#~(list (string-append
"XFAIL_TESTS="
@@ -287,11 +284,9 @@ (define-public gnutls
(propagated-inputs
;; These are all in the 'Requires.private' field of gnutls.pc.
(append (list libtasn1 libidn2 nettle zlib)
- (let ((system (or (%current-target-system)
- (%current-system))))
- (if (string-prefix? "mips64el" system)
- '()
- (list p11-kit)))))
+ (if (target-mips64el?)
+ '()
+ (list p11-kit))))
(home-page "https://gnutls.org")
(synopsis "Transport layer security library")
(description
--
2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 16:03:03 GMT) Full text and rfc822 format available.Message #17 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 75026 <at> debbugs.gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 4/7] gnu: brotli: Update to 1.1.0. Date: Mon, 23 Dec 2024 01:01:02 +0900
* gnu/packages/compression.scm (brotli): Update to 1.1.0.
[source]: Delete obsolete snippet.
[arguments]: Use gexps.
Change-Id: I4fe13683ff33f528ef897bb65bbb239d4d4985c6
---
gnu/packages/compression.scm | 47 +++++++++++++++---------------------
1 file changed, 19 insertions(+), 28 deletions(-)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 44461bb87c..93b6cd070b 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2351,7 +2351,7 @@ (define-public isa-l
(define-public brotli
(package
(name "brotli")
- (version "1.0.9")
+ (version "1.1.0")
(source
(origin
(method git-fetch)
@@ -2360,35 +2360,26 @@ (define-public brotli
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1fikasxf7r2dwlk8mv8w7nmjkn0jw5ic31ky3mvpkdzwgd4xfndl"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Cherry-picked from upstream since the latest release
- ;; https://github.com/google/brotli/commit/09b0992b6acb7faa6fd3b23f9bc036ea117230fc
- (substitute* (find-files "scripts" "^lib.*pc\\.in")
- (("-R\\$\\{libdir\\} ") ""))
- #t))))
+ (base32 "0cvcq302wpjpd1a2cmxcp9a01lwvc2kkir8vsdb3x11djnxc0nsk"))))
(build-system cmake-build-system)
(arguments
- `(#:phases
- (modify-phases %standard-phases
- (add-after 'install 'rename-static-libraries
- ;; The build tools put a 'static' suffix on the static libraries, but
- ;; other applications don't know how to find these.
- (lambda* (#:key outputs #:allow-other-keys)
- (let ((lib (string-append (assoc-ref %outputs "out") "/lib/")))
- (rename-file (string-append lib "libbrotlicommon-static.a")
- (string-append lib "libbrotlicommon.a"))
- (rename-file (string-append lib "libbrotlidec-static.a")
- (string-append lib "libbrotlidec.a"))
- (rename-file (string-append lib "libbrotlienc-static.a")
- (string-append lib "libbrotlienc.a"))
- #t))))
- #:configure-flags
- (list ;; Defaults to "lib64" on 64-bit archs.
- (string-append "-DCMAKE_INSTALL_LIBDIR="
- (assoc-ref %outputs "out") "/lib"))))
+ (list
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'install 'rename-static-libraries
+ ;; The build tools put a 'static' suffix on the static libraries, but
+ ;; other applications don't know how to find these.
+ (lambda _
+ (let ((lib (string-append #$output "/lib/")))
+ (rename-file (string-append lib "libbrotlicommon-static.a")
+ (string-append lib "libbrotlicommon.a"))
+ (rename-file (string-append lib "libbrotlidec-static.a")
+ (string-append lib "libbrotlidec.a"))
+ (rename-file (string-append lib "libbrotlienc-static.a")
+ (string-append lib "libbrotlienc.a"))))))
+ #:configure-flags
+ #~(list ;; Defaults to "lib64" on 64-bit archs.
+ (string-append "-DCMAKE_INSTALL_LIBDIR=" #$output "/lib"))))
(home-page "https://github.com/google/brotli")
(synopsis "General-purpose lossless compression")
(description "This package provides the reference implementation of Brotli,
--
2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 16:03:04 GMT) Full text and rfc822 format available.Message #20 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 75026 <at> debbugs.gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 5/7] gnu: libidn: Update to 1.42. Date: Mon, 23 Dec 2024 01:01:03 +0900
* gnu/packages/libidn.scm (libidn): Update to 1.42.
Change-Id: I7f65377334d6de889ee0fa08ae941a03c6c4e4ca
---
gnu/packages/libidn.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 80350db495..8b12fa87d8 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -34,14 +34,14 @@ (define-module (gnu packages libidn)
(define-public libidn
(package
(name "libidn")
- (version "1.41")
+ (version "1.42")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libidn/libidn-" version
".tar.gz"))
(sha256
(base32
- "0ic9zlqqppwaqr3i0r8lb8f47rrazzc8d5pfgg8vs6mqciip0kc8"))))
+ "08s7rgg8rnmdrk8zyj6m1rb3j3cs6h44pjv0jckzxr06v3f9khfn"))))
(build-system gnu-build-system)
;; FIXME: No Java and C# libraries are currently built.
(arguments
--
2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 16:03:04 GMT) Full text and rfc822 format available.Message #23 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 75026 <at> debbugs.gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 7/7] gnu: curl: Enable zstd support. Date: Mon, 23 Dec 2024 01:01:05 +0900
* gnu/packages/curl.scm [inputs]: Add zstd:lib.
Change-Id: I48e1099c3a445bcbdeaf16c5a79d956bd1b51307
---
gnu/packages/curl.scm | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 8645ce73f8..d0c8c5c2a6 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -151,9 +151,19 @@ (define-public curl
(close port)))))
#~()))))
(native-inputs
- (list nghttp2 perl pkg-config python-minimal-wrapper))
+ (list nghttp2
+ perl
+ pkg-config
+ python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls
+ libidn
+ libpsl
+ libssh2
+ mit-krb5
+ `(,nghttp2 "lib")
+ zlib
+ `(,zstd "lib")))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
--
2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Sun, 22 Dec 2024 16:03:05 GMT) Full text and rfc822 format available.Message #26 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 75026 <at> debbugs.gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: [PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft. Date: Mon, 23 Dec 2024 01:01:04 +0900
* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments]
<#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963,
964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
gnu/local.mk | 1 -
gnu/packages/curl.scm | 47 ++--
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
3 files changed, 19 insertions(+), 229 deletions(-)
delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a4f2e71134..4ffaf89ba4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1128,7 +1128,6 @@ dist_patch_DATA = \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \
- %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
%D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
%D%/packages/patches/curlftpfs-fix-file-names.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..8645ce73f8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -17,6 +17,7 @@
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com>
;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
+;;; Copyright © 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,15 +68,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
- (replacement curl/fixed)
+ (version "8.11.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
@@ -89,6 +89,7 @@ (define-public curl
(dirname (dirname
(search-input-file
%build-inputs "lib/libgssrpc.so"))))
+ "--with-libssh2"
"--disable-static")
#:test-target "test-nonflaky" ;avoid tests marked as "flaky"
#:phases
@@ -115,20 +116,20 @@ (define-public curl
(if parallel-tests?
(number->string (parallel-job-count))
"1")))
- ;; Ignore test 1477 due to a missing file in the 8.5.0
- ;; release. See
- ;; <https://github.com/curl/curl/issues/12462>.
- (arguments `("-C" "tests" "test"
- ,@make-flags
- ,(if #$(or (system-hurd?)
- (target-arm32?)
- (target-aarch64?))
- ;; protocol FAIL
- (string-append "TFLAGS=~1474 "
- "!1477 "
- job-count)
- (string-append "TFLAGS=\"~1477 "
- job-count "\"")))))
+ (arguments
+ `("-C" "tests" "test"
+ ,@make-flags
+ ,(string-append "TFLAGS="
+ job-count " "
+ (if #$(or (system-hurd?)
+ (target-arm32?)
+ (target-aarch64?))
+ "~1474 " ;protocol FAIL
+ "")
+ ;; protocol FAIL
+ "~962 ~963 ~964 ~965 ~966 ~967 "
+ ;; These fail for unknown reasons.
+ "~165 ~1448 ~2046 ~2047"))))
;; The top-level "make check" does "make -C tests quiet-test", which
;; is too quiet. Use the "test" target instead, which is more
;; verbose.
@@ -152,7 +153,7 @@ (define-public curl
(native-inputs
(list nghttp2 perl pkg-config python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
@@ -178,16 +179,6 @@ (define-public curl
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))))
-(define-public curl/fixed
- (hidden-package
- (package
- (inherit curl)
- (replacement curl/fixed)
- (source (origin
- (inherit (package-source curl))
- (patches (append (origin-patches (package-source curl))
- (search-patches "curl-CVE-2024-8096.patch"))))))))
-
(define-public gnurl (deprecated-package "gnurl" curl))
(define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
deleted file mode 100644
index 0f780f08c3..0000000000
--- a/gnu/packages/patches/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel <at> haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
- init_flags |= GNUTLS_NO_TICKETS;
- #endif
-
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+ if(!config->verifystatus)
-+ /* Disable the "status_request" TLS extension, enabled by default since
-+ GnuTLS 3.8.0. */
-+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
- rc = gnutls_init(>ls->session, init_flags);
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- infof(data, " server certificate verification SKIPPED");
-
- if(config->verifystatus) {
-- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
-- gnutls_datum_t status_request;
-- gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_datum_t status_request;
-+ gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_ocsp_cert_status_t status;
-+ gnutls_x509_crl_reason_t reason;
-
-- gnutls_ocsp_cert_status_t status;
-- gnutls_x509_crl_reason_t reason;
-+ rc = gnutls_ocsp_status_request_get(session, &status_request);
-
-- rc = gnutls_ocsp_status_request_get(session, &status_request);
-+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+ failf(data, "No OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- infof(data, " server certificate status verification FAILED");
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-- failf(data, "No OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ gnutls_ocsp_resp_init(&ocsp_resp);
-
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- gnutls_ocsp_resp_init(&ocsp_resp);
-+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+ &status, NULL, NULL, NULL, &reason);
-
-- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ switch(status) {
-+ case GNUTLS_OCSP_CERT_GOOD:
-+ break;
-
-- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-- &status, NULL, NULL, NULL, &reason);
-+ case GNUTLS_OCSP_CERT_REVOKED: {
-+ const char *crl_reason;
-
-- switch(status) {
-- case GNUTLS_OCSP_CERT_GOOD:
-+ switch(reason) {
-+ default:
-+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+ crl_reason = "unspecified reason";
- break;
-
-- case GNUTLS_OCSP_CERT_REVOKED: {
-- const char *crl_reason;
--
-- switch(reason) {
-- default:
-- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-- crl_reason = "unspecified reason";
-- break;
--
-- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-- crl_reason = "private key compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-- crl_reason = "CA compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-- crl_reason = "affiliation has changed";
-- break;
-+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+ crl_reason = "private key compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_SUPERSEDED:
-- crl_reason = "certificate superseded";
-- break;
-+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+ crl_reason = "CA compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-- crl_reason = "operation has ceased";
-- break;
-+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+ crl_reason = "affiliation has changed";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-- crl_reason = "certificate is on hold";
-- break;
-+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+ crl_reason = "certificate superseded";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-- crl_reason = "will be removed from delta CRL";
-- break;
-+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+ crl_reason = "operation has ceased";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-- crl_reason = "privilege withdrawn";
-- break;
-+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+ crl_reason = "certificate is on hold";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-- crl_reason = "AA compromised";
-- break;
-- }
-+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+ crl_reason = "will be removed from delta CRL";
-+ break;
-
-- failf(data, "Server certificate was revoked: %s", crl_reason);
-+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+ crl_reason = "privilege withdrawn";
- break;
-- }
-
-- default:
-- case GNUTLS_OCSP_CERT_UNKNOWN:
-- failf(data, "Server certificate status is unknown");
-+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+ crl_reason = "AA compromised";
- break;
- }
-
-- gnutls_ocsp_resp_deinit(ocsp_resp);
-+ failf(data, "Server certificate was revoked: %s", crl_reason);
-+ break;
-+ }
-
-- return CURLE_SSL_INVALIDCERTSTATUS;
-+ default:
-+ case GNUTLS_OCSP_CERT_UNKNOWN:
-+ failf(data, "Server certificate status is unknown");
-+ break;
- }
-- else
-- infof(data, " server certificate status verification OK");
-+
-+ gnutls_ocsp_resp_deinit(ocsp_resp);
-+ if(status != GNUTLS_OCSP_CERT_GOOD)
-+ return CURLE_SSL_INVALIDCERTSTATUS;
- }
- else
- infof(data, " server certificate status verification SKIPPED");
--
2.46.0
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Mon, 23 Dec 2024 19:46:01 GMT) Full text and rfc822 format available.Message #29 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: 75026 <at> debbugs.gnu.org Subject: Re: [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl. Date: Mon, 23 Dec 2024 20:45:03 +0100
Hi Maxim, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis: > gnu: gnutls: Update to 3.8.8. > gnu: gnutls: Enable zstd compression. > gnu: gnutls: Streamline mips64el conditionals. > gnu: brotli: Update to 1.1.0. > gnu: libidn: Update to 1.42. > gnu: curl: Update to 8.11.1 and ungraft. > gnu: curl: Enable zstd support. ‘core-updates’ is now gone: https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html Instead, this should go on a dedicated branch, with a “request to merge” and a jobset on ci.guix (ideally qa.guix would pick it up but it’s currently out of order). Thanks, Ludo’.
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Tue, 24 Dec 2024 02:17:02 GMT) Full text and rfc822 format available.Message #32 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 75026 <at> debbugs.gnu.org Subject: Re: [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl. Date: Tue, 24 Dec 2024 11:15:11 +0900
Hi Ludovic, Ludovic Courtès <ludo <at> gnu.org> writes: > Hi Maxim, > > Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis: > >> gnu: gnutls: Update to 3.8.8. >> gnu: gnutls: Enable zstd compression. >> gnu: gnutls: Streamline mips64el conditionals. >> gnu: brotli: Update to 1.1.0. >> gnu: libidn: Update to 1.42. >> gnu: curl: Update to 8.11.1 and ungraft. >> gnu: curl: Enable zstd support. > > ‘core-updates’ is now gone: > > https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html I'm (finally) aware of this :-). But it seemed like useful, when submitting to the trackr for review to have a subject prefix anyway to communicate that this causes a mass rebuild, hopefully avoiding the situation of another committer picking these up and pushing them to the master. > Instead, this should go on a dedicated branch, with a “request to merge” > and a jobset on ci.guix (ideally qa.guix would pick it up but it’s > currently out of order). Understood; do the patches LGTY? -- Thanks, Maxim
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Tue, 24 Dec 2024 14:51:02 GMT) Full text and rfc822 format available.Message #35 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: 75026 <at> debbugs.gnu.org Subject: Re: [bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8. Date: Tue, 24 Dec 2024 15:50:02 +0100
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
> * gnu/packages/tls.scm (gnutls): Update to 3.8.8.
> [source]: Delete patches.
> [arguments]: Mark failing tests via XFAIL_TESTS make flag.
> * gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): De-register it.
>
> Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1
[...]
> --- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
> +++ /dev/null
> @@ -1,15 +0,0 @@
> -Version 3.5.11 added a test to check that the default trust store is readable.
> -It does not exist in the build environment, so pretend everything is fine.
> -
> -diff a/tests/trust-store.c b/tests/trust-store.c
> ---- a/tests/trust-store.c
> -+++ b/tests/trust-store.c
> -@@ -61,7 +61,7 @@
> - } else if (ret < 0) {
> - fail("error loading system trust store: %s\n", gnutls_strerror(ret));
> - } else if (ret == 0) {
> -- fail("no certificates were found in system trust store!\n");
> -+ success("no trust store in the Guix build environment!\n");
[...]
> + #~(list (string-append
> + "XFAIL_TESTS="
> + ;; This test checks that the default trust store is
> + ;; readable; expect it to fail since the trust store
> + ;; doesn't exist in the build environment.
> + "trust-store "
This suggests that the patch above was still useful, after all? (The
patch still applies apparently:
<https://ci.guix.gnu.org/build/6753571/log>.)
Also, lack of the patch might trigger failures in the test suites of
dependents. What does ‘guix build -P1 gnutls’ say?
> + ;; This one fails only inside the build environment, for
> + ;; reasons unknown (see:
> + ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
> + "tls13/compress-cert-neg2 "))
This is weird, would be interesting to investigate, maybe stracing the
test to see why it would fail in the build environment and not outside
of it?
Ludo’.
guix-patches <at> gnu.org:bug#75026; Package guix-patches.
(Tue, 24 Dec 2024 14:53:01 GMT) Full text and rfc822 format available.Message #38 received at 75026 <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: 75026 <at> debbugs.gnu.org Subject: Re: [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl. Date: Tue, 24 Dec 2024 15:52:02 +0100
Hello, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis: >> ‘core-updates’ is now gone: >> >> https://lists.gnu.org/archive/html/guix-devel/2024-08/msg00195.html > > I'm (finally) aware of this :-). But it seemed like useful, when > submitting to the trackr for review to have a subject prefix anyway to > communicate that this causes a mass rebuild, hopefully avoiding the > situation of another committer picking these up and pushing them to the > master. Makes sense. :-) >> Instead, this should go on a dedicated branch, with a “request to merge” >> and a jobset on ci.guix (ideally qa.guix would pick it up but it’s >> currently out of order). > > Understood; do the patches LGTY? Except for the questions I posted about GnuTLS, it LGTM. Thanks, Ludo’.
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:Message #43 received at 75026-done <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 75026-done <at> debbugs.gnu.org Subject: Re: [bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8. Date: Wed, 21 May 2025 16:33:35 +0900
Hi Ludovic, Ludovic Courtès <ludo <at> gnu.org> writes: [...] >> + #~(list (string-append >> + "XFAIL_TESTS=" >> + ;; This test checks that the default trust store is >> + ;; readable; expect it to fail since the trust store >> + ;; doesn't exist in the build environment. >> + "trust-store " > > This suggests that the patch above was still useful, after all? (The > patch still applies apparently: > <https://ci.guix.gnu.org/build/6753571/log>.) There was an issue where the certificates added were not trusted by p11-kit, despite being added to something called the 'trust_paths', haha! The trick was to expose them via an 'anchors/' subdirectory. p11-kit special-case this for trusted .pem certificates made available via a directory. > Also, lack of the patch might trigger failures in the test suites of > dependents. What does ‘guix build -P1 gnutls’ say? > >> + ;; This one fails only inside the build environment, for >> + ;; reasons unknown (see: >> + ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>). >> + "tls13/compress-cert-neg2 ")) > > This is weird, would be interesting to investigate, maybe stracing the > test to see why it would fail in the build environment and not outside > of it? That's been resolved via the '--with-zlib=link configuration flag. I'll close this series and submit a fresh one, since the curl updates has been moved to another series. -- Thanks, Maxim
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.