Merge remote-tracking branch 'origin/version-1.2.0' into master
Conflicts: gnu/packages/bioinformatics.scm — the python-pysam fix from master was kept instead of the update made on the version-1.2.0 branch.
commit
129b9b16d9
18 changed files with 431 additions and 91 deletions
@ -134,7 +134,6 @@
|
|||
(eval . (put 'call-with-progress-reporter 'scheme-indent-function 1))
|
||||
(eval . (put 'with-repository 'scheme-indent-function 2))
|
||||
(eval . (put 'with-temporary-git-repository 'scheme-indent-function 2))
|
||||
(eval . (put 'with-temporary-git-worktree 'scheme-indent-function 2))
|
||||
(eval . (put 'with-environment-variables 'scheme-indent-function 1))
|
||||
(eval . (put 'with-fresh-gnupg-setup 'scheme-indent-function 1))
|
||||
|
||||
|
23
Makefile.am
@ -562,7 +562,7 @@ dist_zshcompletion_DATA = etc/completion/zsh/_guix
|
|||
dist_fishcompletion_DATA = etc/completion/fish/guix.fish
|
||||
|
||||
# SELinux policy
|
||||
nodist_selinux_policy_DATA = etc/guix-daemon.cil.in
|
||||
nodist_selinux_policy_DATA = etc/guix-daemon.cil
|
||||
|
||||
EXTRA_DIST += \
|
||||
HACKING \
|
||||
|
@ -570,6 +570,7 @@ EXTRA_DIST += \
|
|||
TODO \
|
||||
CODE-OF-CONDUCT \
|
||||
.dir-locals.el \
|
||||
.guix-authorizations \
|
||||
.guix-channel \
|
||||
scripts/guix.in \
|
||||
etc/guix-install.sh \
|
||||
|
@ -710,7 +711,7 @@ AM_DISTCHECK_CONFIGURE_FLAGS = \
|
|||
ac_cv_guix_test_root="$(GUIX_TEST_ROOT)"
|
||||
|
||||
# Name of the 'guix' package shipped in the binary tarball.
|
||||
GUIX_FOR_BINARY_TARBALL = guile3.0-guix
|
||||
GUIX_FOR_BINARY_TARBALL = guix
|
||||
|
||||
# The self-contained tarball.
|
||||
guix-binary.%.tar.xz:
|
||||
|
@ -730,8 +731,8 @@ distcheck-hook: assert-binaries-available assert-final-inputs-self-contained
|
|||
|
||||
EXTRA_DIST += $(top_srcdir)/.version
|
||||
BUILT_SOURCES += $(top_srcdir)/.version
|
||||
$(top_srcdir)/.version:
|
||||
echo $(VERSION) > "$@-t" && mv "$@-t" "$@"
|
||||
$(top_srcdir)/.version: config.status
|
||||
$(AM_V_GEN)echo $(VERSION) > "$@-t" && mv "$@-t" "$@"
|
||||
|
||||
gen-tarball-version:
|
||||
echo $(VERSION) > "$(distdir)/.tarball-version"
|
||||
|
@ -826,9 +827,10 @@ release: dist-with-updated-version
|
|||
$(MKDIR_P) "$(releasedir)"
|
||||
rm -f "$(releasedir)"/*
|
||||
mv $(SOURCE_TARBALLS) "$(releasedir)"
|
||||
$(top_builddir)/pre-inst-env "$(GUILE)" \
|
||||
$(top_srcdir)/build-aux/update-guix-package.scm \
|
||||
"`git rev-parse HEAD`" "$(PACKAGE_VERSION)"
|
||||
GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT=yes \
|
||||
$(top_builddir)/pre-inst-env "$(GUILE)" \
|
||||
$(top_srcdir)/build-aux/update-guix-package.scm \
|
||||
"`git rev-parse HEAD`" "$(PACKAGE_VERSION)"
|
||||
git add $(top_srcdir)/gnu/packages/package-management.scm
|
||||
git commit -m "gnu: guix: Update to $(PACKAGE_VERSION)."
|
||||
$(top_builddir)/pre-inst-env guix build $(GUIX_FOR_BINARY_TARBALL) \
|
||||
|
@ -840,9 +842,10 @@ release: dist-with-updated-version
|
|||
mv "guix-binary.$$system.tar.xz" \
|
||||
"$(releasedir)/guix-binary-$(PACKAGE_VERSION).$$system.tar.xz" ; \
|
||||
done
|
||||
$(top_builddir)/pre-inst-env "$(GUILE)" \
|
||||
$(top_srcdir)/build-aux/update-guix-package.scm \
|
||||
"`git rev-parse HEAD`"
|
||||
GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT=yes \
|
||||
$(top_builddir)/pre-inst-env "$(GUILE)" \
|
||||
$(top_srcdir)/build-aux/update-guix-package.scm \
|
||||
"`git rev-parse HEAD`"
|
||||
git add $(top_srcdir)/gnu/packages/package-management.scm
|
||||
git commit -m "gnu: guix: Update to `git rev-parse HEAD | cut -c1-7`."
|
||||
$(top_builddir)/pre-inst-env guix build guix \
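Review bot: `GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT=yes` is now set unconditionally in front of both update-guix-package.scm invocations in `release`, so the only check that the commit baked into package-management.scm actually exists on Savannah is skipped for every release build, and nothing in the recipe says why. A comment would stop a later maintainer from "fixing" it by removing the variable, e.g. `# The release commit is not pushed yet, so let update-guix-package.scm use it; it then keeps the sources in the store so the 'guix build' below succeeds.` It is also worth a trailing reminder that HEAD must be pushed as-is afterwards, since the recorded hash is otherwise unreachable for users. The `release` recipe starts before the first of these hunks and continues after the last one.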
|
||||
|
4
NEWS
@ -60,6 +60,8 @@ Please send Guix bug reports to bug-guix@gnu.org.
|
|||
*** ‘swap-devices’ field of ‘operating-system’ can contains UUIDs and labels
|
||||
*** Graphical installer uses UUIDs for unencrypted swap partitions
|
||||
*** Graphical installer now supports NTFS file systems
|
||||
*** File systems UUIDs and labels now recognized for F2FS and NTFS
|
||||
*** Root file system can now be on NFS
|
||||
*** New services
|
||||
|
||||
autossh, ganeti, gmnisrv, guix-build-coordinator,
|
||||
|
@ -96,6 +98,8 @@ simulated-wifi, udev-rules, unattended-upgrade, webssh, zram
|
|||
(<https://issues.guix.gnu.org/35394>)
|
||||
*** ‘guix system reconfigure’ now starts services not currently running
|
||||
(<https://bugs.gnu.org/43720>)
|
||||
*** Desktop environments now detect newly installed applications
|
||||
(<https://bugs.gnu.org/35594>)
|
||||
*** Offloading and copying small items is now much faster
|
||||
(<https://issues.guix.gnu.org/43340>)
|
||||
*** GCC switched back to C_INCLUDE_PATH & co. from CPATH
|
||||
|
@ -44,9 +44,6 @@
|
|||
(define %top-srcdir
|
||||
(string-append (current-source-directory) "/.."))
|
||||
|
||||
(define version-controlled?
|
||||
(git-predicate %top-srcdir))
|
||||
|
||||
(define (package-definition-location)
|
||||
"Return the source properties of the definition of the 'guix' package."
|
||||
(call-with-input-file (location-file (package-location guix))
|
||||
|
@ -114,8 +111,9 @@ (define (git-add-worktree directory commit)
|
|||
"Create a new git worktree at DIRECTORY, detached on commit COMMIT."
|
||||
(invoke "git" "worktree" "add" "--detach" directory commit))
|
||||
|
||||
(define-syntax-rule (with-temporary-git-worktree commit body ...)
|
||||
"Execute BODY in the context of a temporary git worktree created from COMMIT."
|
||||
(define (call-with-temporary-git-worktree commit proc)
|
||||
"Execute PROC in the context of a temporary git worktree created from
|
||||
COMMIT. PROC receives the temporary directory file name as an argument."
|
||||
(call-with-temporary-directory
|
||||
(lambda (tmp-directory)
|
||||
(dynamic-wind
|
||||
|
@ -123,12 +121,12 @@ (define-syntax-rule (with-temporary-git-worktree commit body ...)
|
|||
#t)
|
||||
(lambda ()
|
||||
(git-add-worktree tmp-directory commit)
|
||||
(with-directory-excursion tmp-directory body ...))
|
||||
(proc tmp-directory))
|
||||
(lambda ()
|
||||
(invoke "git" "worktree" "remove" "--force" tmp-directory))))))
|
||||
|
||||
(define %savannah-guix-git-repo-push-url-regexp
|
||||
"git.(savannah|sv).gnu.org/srv/git/guix.git \\(push\\)")
|
||||
"git.(savannah|sv).gnu.org:?/srv/git/guix.git \\(push\\)")
|
||||
|
||||
(define-syntax-rule (with-input-pipe-to-string prog arg ...)
|
||||
(let* ((input-pipe (open-pipe* OPEN_READ prog arg ...))
|
||||
|
@ -156,27 +154,60 @@ (define (commit-already-pushed? remote commit)
|
|||
"git" "branch" "-r" "--contains" commit
|
||||
(string-append remote "/master")))))
|
||||
|
||||
(define (keep-source-in-store store source)
|
||||
"Add SOURCE to the store under the name that the 'guix' package expects."
|
||||
|
||||
;; Add SOURCE to the store, but this time under the real name used in the
|
||||
;; 'origin'. This allows us to build the package without having to make a
|
||||
;; real checkout; thus, it also works when working on a private branch.
|
||||
(reload-module
|
||||
(resolve-module '(gnu packages package-management)))
|
||||
|
||||
(let* ((source (add-to-store store
|
||||
(origin-file-name (package-source guix))
|
||||
#t "sha256" source
|
||||
#:select? (git-predicate source)))
|
||||
(root (store-path-package-name source)))
|
||||
|
||||
;; Add an indirect GC root for SOURCE in the current directory.
|
||||
(false-if-exception (delete-file root))
|
||||
(symlink source root)
|
||||
(add-indirect-root store
|
||||
(string-append (getcwd) "/" root))
|
||||
|
||||
(info (G_ "source code kept in ~a (GC root: ~a)~%")
|
||||
source root)))
|
||||
|
||||
|
||||
(define (main . args)
|
||||
(match args
|
||||
((commit version)
|
||||
(with-directory-excursion %top-srcdir
|
||||
(or (getenv "GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT")
|
||||
(commit-already-pushed? (find-origin-remote) commit)
|
||||
(let ((remote (find-origin-remote)))
|
||||
(unless remote
|
||||
(leave (G_ "Failed to find the origin git remote.~%")))
|
||||
(commit-already-pushed? remote commit))
|
||||
(leave (G_ "Commit ~a is not pushed upstream. Aborting.~%") commit))
|
||||
(let* ((hash (with-temporary-git-worktree commit
|
||||
(nix-base32-string->bytevector
|
||||
(string-trim-both
|
||||
(with-output-to-string
|
||||
(lambda ()
|
||||
(guix-hash "-rx" ".")))))))
|
||||
(location (package-definition-location))
|
||||
(old-hash (content-hash-value
|
||||
(origin-hash (package-source guix)))))
|
||||
(edit-expression location
|
||||
(update-definition commit hash
|
||||
#:old-hash old-hash
|
||||
#:version version)))))
|
||||
(call-with-temporary-git-worktree commit
|
||||
(lambda (tmp-directory)
|
||||
(let* ((hash (nix-base32-string->bytevector
|
||||
(string-trim-both
|
||||
(with-output-to-string
|
||||
(lambda ()
|
||||
(guix-hash "-rx" tmp-directory))))))
|
||||
(location (package-definition-location))
|
||||
(old-hash (content-hash-value
|
||||
(origin-hash (package-source guix)))))
|
||||
(edit-expression location
|
||||
(update-definition commit hash
|
||||
#:old-hash old-hash
|
||||
#:version version))
|
||||
;; When GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT is set, the sources are
|
||||
;; added to the store. This is used as part of 'make release'.
|
||||
(when (getenv "GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT")
|
||||
(with-store store
|
||||
(keep-source-in-store store tmp-directory))))))))
|
||||
((commit)
|
||||
;; Automatically deduce the version and revision numbers.
|
||||
(main commit #f))))
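Review bot: The updated `%savannah-guix-git-repo-push-url-regexp` keeps its dots unescaped and is unanchored, so besides the intended `host:/srv/...` form it also matches hosts such as `git-savannah-gnu.org` or `git.savannah.gnu.org.example.net/srv/git/guix.git (push)`; since this regexp is presumably what `find-origin-remote` uses to decide which remote counts as upstream for the pushed-commit check, it should read `"git\\.(savannah|sv)\\.gnu\\.org:?/srv/git/guix\\.git \\(push\\)"`. Separately, `(or (getenv "GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT") ...)` accepts any value, including an empty string, as opt-in and skips the check silently; emitting `(warning (G_ "not checking whether commit ~a is pushed upstream~%") commit)` in that branch would make the bypass visible in `make release` logs. `find-origin-remote` is defined outside this hunk.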
|
||||
|
@ -1368,11 +1368,6 @@ commit that others can't refer to, a check is made that the commit used
|
|||
has already been pushed to the Savannah-hosted Guix git repository.
|
||||
|
||||
This check can be disabled, @emph{at your own peril}, by setting the
|
||||
@code{GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT} environment variable.
|
||||
|
||||
To build the resulting 'guix' package when using a private commit, the
|
||||
following command can be used:
|
||||
|
||||
@example
|
||||
./pre-inst-env guix build guix --with-git-url=guix=$PWD
|
||||
@end example
|
||||
@code{GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT} environment variable. When
|
||||
this variable is set, the updated package source is also added to the
|
||||
store. This is used as part of the release process of Guix.
|
||||
|
@ -1,6 +1,8 @@
|
|||
; -*- lisp -*-
|
||||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
|
||||
;;; Copyright © 2020 Daniel Brooks <db48x@db48x.net>
|
||||
;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -21,6 +23,18 @@
|
|||
;; Intermediate Language (CIL). It refers to types that must be defined in
|
||||
;; the system's base policy.
|
||||
|
||||
;; If you, like me, need advice about fixing an SELinux policy, I recommend
|
||||
;; reading https://danwalsh.livejournal.com/55324.html
|
||||
|
||||
;; In particular, you can run semanage permissive -a guix_daemon.guix_daemon_t
|
||||
;; to allow guix-daemon to do whatever it wants. SELinux will still check its
|
||||
;; permissions, and when it doesn't have permission it will still send an
|
||||
;; audit message to your system logs. This lets you know what permissions it
|
||||
;; ought to have. Use ausearch --raw to find the permissions violations, then
|
||||
;; pipe that to audit2allow to generate an updated policy. You'll still need
|
||||
;; to translate that policy into CIL in order to update this file, but that's
|
||||
;; fairly straight-forward. Annoying, but easy.
|
||||
|
||||
(block guix_daemon
|
||||
;; Require existing types
|
||||
(typeattributeset cil_gen_require init_t)
|
||||
|
@ -34,14 +48,19 @@
|
|||
(roletype object_r guix_daemon_t)
|
||||
(type guix_daemon_conf_t)
|
||||
(roletype object_r guix_daemon_conf_t)
|
||||
(typeattributeset file_type guix_daemon_conf_t)
|
||||
(type guix_daemon_exec_t)
|
||||
(roletype object_r guix_daemon_exec_t)
|
||||
(typeattributeset file_type guix_daemon_exec_t)
|
||||
(type guix_daemon_socket_t)
|
||||
(roletype object_r guix_daemon_socket_t)
|
||||
(typeattributeset file_type guix_daemon_socket_t)
|
||||
(type guix_store_content_t)
|
||||
(roletype object_r guix_store_content_t)
|
||||
(typeattributeset file_type guix_store_content_t)
|
||||
(type guix_profiles_t)
|
||||
(roletype object_r guix_profiles_t)
|
||||
(typeattributeset file_type guix_profiles_t)
|
||||
|
||||
;; These types are domains, thereby allowing process rules
|
||||
(typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
|
||||
|
@ -55,6 +74,30 @@
|
|||
(typetransition guix_store_content_t guix_daemon_exec_t
|
||||
process guix_daemon_t)
|
||||
|
||||
(roletype system_r guix_daemon_t)
|
||||
|
||||
;; allow init_t to read and execute guix files
|
||||
(allow init_t
|
||||
guix_profiles_t
|
||||
(lnk_file (read)))
|
||||
(allow init_t
|
||||
guix_daemon_exec_t
|
||||
(file (execute)))
|
||||
(allow init_t
|
||||
guix_daemon_t
|
||||
(process (transition)))
|
||||
(allow init_t
|
||||
guix_store_content_t
|
||||
(lnk_file (read)))
|
||||
(allow init_t
|
||||
guix_store_content_t
|
||||
(file (open read execute)))
|
||||
|
||||
;; guix-daemon needs to know the names of users
|
||||
(allow guix_daemon_t
|
||||
passwd_file_t
|
||||
(file (getattr open read)))
|
||||
|
||||
;; Permit communication with NSCD
|
||||
(allow guix_daemon_t
|
||||
nscd_var_run_t
|
||||
|
@ -71,25 +114,44 @@
|
|||
(allow guix_daemon_t
|
||||
nscd_t
|
||||
(unix_stream_socket (connectto)))
|
||||
(allow guix_daemon_t nscd_t
|
||||
(nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
|
||||
|
||||
;; permit downloading packages via HTTP(s)
|
||||
(allow guix_daemon_t http_port_t
|
||||
(tcp_socket (name_connect)))
|
||||
(allow guix_daemon_t ftp_port_t
|
||||
(tcp_socket (name_connect)))
|
||||
(allow guix_daemon_t ephemeral_port_t
|
||||
(tcp_socket (name_connect)))
|
||||
|
||||
;; Permit logging and temp file access
|
||||
(allow guix_daemon_t
|
||||
tmp_t
|
||||
(lnk_file (setattr unlink)))
|
||||
(lnk_file (create rename setattr unlink)))
|
||||
(allow guix_daemon_t
|
||||
tmp_t
|
||||
(dir (create
|
||||
rmdir
|
||||
(file (link rename create execute execute_no_trans write unlink setattr map relabelto)))
|
||||
(allow guix_daemon_t
|
||||
tmp_t
|
||||
(fifo_file (open read write create getattr ioctl setattr unlink)))
|
||||
(allow guix_daemon_t
|
||||
tmp_t
|
||||
(dir (create rename
|
||||
rmdir relabelto
|
||||
add_name remove_name
|
||||
open read write
|
||||
getattr setattr
|
||||
search)))
|
||||
(allow guix_daemon_t
|
||||
tmp_t
|
||||
(sock_file (create getattr setattr unlink write)))
|
||||
(allow guix_daemon_t
|
||||
var_log_t
|
||||
(file (create getattr open write)))
|
||||
(allow guix_daemon_t
|
||||
var_log_t
|
||||
(dir (getattr write add_name)))
|
||||
(dir (getattr create write add_name)))
|
||||
(allow guix_daemon_t
|
||||
var_run_t
|
||||
(lnk_file (read)))
|
||||
|
@ -100,10 +162,10 @@
|
|||
;; Spawning processes, execute helpers
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(process (fork)))
|
||||
(process (fork execmem setrlimit setpgid setsched)))
|
||||
(allow guix_daemon_t
|
||||
guix_daemon_exec_t
|
||||
(file (execute execute_no_trans read open)))
|
||||
(file (execute execute_no_trans read open entrypoint map)))
|
||||
|
||||
;; TODO: unknown
|
||||
(allow guix_daemon_t
|
||||
|
@ -119,38 +181,51 @@
|
|||
;; Build isolation
|
||||
(allow guix_daemon_t
|
||||
guix_store_content_t
|
||||
(file (mounton)))
|
||||
(file (ioctl mounton)))
|
||||
(allow guix_store_content_t
|
||||
fs_t
|
||||
(filesystem (associate)))
|
||||
(allow guix_daemon_t
|
||||
guix_store_content_t
|
||||
(dir (mounton)))
|
||||
(dir (read mounton)))
|
||||
(allow guix_daemon_t
|
||||
guix_daemon_t
|
||||
(capability (net_admin
|
||||
fsetid fowner
|
||||
chown setuid setgid
|
||||
dac_override dac_read_search
|
||||
sys_chroot)))
|
||||
sys_chroot
|
||||
sys_admin)))
|
||||
(allow guix_daemon_t
|
||||
fs_t
|
||||
(filesystem (unmount)))
|
||||
(allow guix_daemon_t
|
||||
devpts_t
|
||||
(dir (search)))
|
||||
(allow guix_daemon_t
|
||||
devpts_t
|
||||
(filesystem (mount)))
|
||||
(allow guix_daemon_t
|
||||
devpts_t
|
||||
(chr_file (setattr getattr)))
|
||||
(chr_file (ioctl open read write setattr getattr)))
|
||||
(allow guix_daemon_t
|
||||
tmpfs_t
|
||||
(filesystem (mount)))
|
||||
(filesystem (getattr mount)))
|
||||
(allow guix_daemon_t
|
||||
tmpfs_t
|
||||
(dir (getattr)))
|
||||
(file (create open read unlink write)))
|
||||
(allow guix_daemon_t
|
||||
tmpfs_t
|
||||
(dir (getattr add_name remove_name write)))
|
||||
(allow guix_daemon_t
|
||||
proc_t
|
||||
(filesystem (mount)))
|
||||
(file (getattr open read)))
|
||||
(allow guix_daemon_t
|
||||
proc_t
|
||||
(dir (read)))
|
||||
(allow guix_daemon_t
|
||||
proc_t
|
||||
(filesystem (associate mount)))
|
||||
(allow guix_daemon_t
|
||||
null_device_t
|
||||
(chr_file (getattr open read write)))
|
||||
|
@ -179,7 +254,7 @@
|
|||
search rename
|
||||
add_name remove_name
|
||||
open write
|
||||
rmdir)))
|
||||
rmdir relabelfrom)))
|
||||
(allow guix_daemon_t
|
||||
guix_store_content_t
|
||||
(file (create
|
||||
|
@ -189,7 +264,7 @@
|
|||
link unlink
|
||||
map
|
||||
rename
|
||||
open read write)))
|
||||
open read write relabelfrom)))
|
||||
(allow guix_daemon_t
|
||||
guix_store_content_t
|
||||
(lnk_file (create
|
||||
|
@ -197,17 +272,23 @@
|
|||
link unlink
|
||||
read
|
||||
rename)))
|
||||
(allow guix_daemon_t
|
||||
guix_store_content_t
|
||||
(fifo_file (create getattr open read unlink write)))
|
||||
(allow guix_daemon_t
|
||||
guix_store_content_t
|
||||
(sock_file (create getattr unlink write)))
|
||||
|
||||
;; Access to configuration files and directories
|
||||
(allow guix_daemon_t
|
||||
guix_daemon_conf_t
|
||||
(dir (search
|
||||
(dir (search create
|
||||
setattr getattr
|
||||
add_name remove_name
|
||||
open read write)))
|
||||
(allow guix_daemon_t
|
||||
guix_daemon_conf_t
|
||||
(file (create
|
||||
(file (create rename
|
||||
lock
|
||||
map
|
||||
getattr setattr
|
||||
|
@ -216,11 +297,17 @@
|
|||
(allow guix_daemon_t
|
||||
guix_daemon_conf_t
|
||||
(lnk_file (create getattr rename unlink)))
|
||||
(allow guix_daemon_t net_conf_t
|
||||
(file (getattr open read)))
|
||||
(allow guix_daemon_t net_conf_t
|
||||
(lnk_file (read)))
|
||||
(allow guix_daemon_t NetworkManager_var_run_t
|
||||
(dir (search)))
|
||||
|
||||
;; Access to profiles
|
||||
(allow guix_daemon_t
|
||||
guix_profiles_t
|
||||
(dir (getattr setattr read open)))
|
||||
(dir (search getattr setattr read write open create add_name)))
|
||||
(allow guix_daemon_t
|
||||
guix_profiles_t
|
||||
(lnk_file (read getattr)))
|
||||
|
@ -233,8 +320,22 @@
|
|||
(allow guix_daemon_t
|
||||
user_home_t
|
||||
(dir (search)))
|
||||
(allow guix_daemon_t
|
||||
cache_home_t
|
||||
(dir (search)))
|
||||
|
||||
;; self upgrades
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(dir (add_name write)))
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(netlink_route_socket (bind create getattr nlmsg_read read write)))
|
||||
|
||||
;; Socket operations
|
||||
(allow guix_daemon_t
|
||||
guix_daemon_socket_t
|
||||
(sock_file (unlink)))
|
||||
(allow guix_daemon_t
|
||||
init_t
|
||||
(fd (use)))
|
||||
|
@ -253,12 +354,53 @@
|
|||
read write
|
||||
connect bind accept
|
||||
getopt setopt)))
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
|
||||
(allow guix_daemon_t
|
||||
unreserved_port_t
|
||||
(tcp_socket (name_bind name_connect accept listen)))
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(udp_socket (connect getattr bind getopt setopt)))
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(fifo_file (write read)))
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(udp_socket (ioctl create)))
|
||||
(allow guix_daemon_t
|
||||
self
|
||||
(unix_stream_socket (connectto)))
|
||||
|
||||
(allow guix_daemon_t
|
||||
node_t
|
||||
(tcp_socket (node_bind)))
|
||||
(allow guix_daemon_t
|
||||
node_t
|
||||
(udp_socket (node_bind)))
|
||||
(allow guix_daemon_t
|
||||
port_t
|
||||
(tcp_socket (name_connect)))
|
||||
(allow guix_daemon_t
|
||||
rtp_media_port_t
|
||||
(udp_socket (name_bind)))
|
||||
(allow guix_daemon_t
|
||||
vnc_port_t
|
||||
(tcp_socket (name_bind)))
|
||||
|
||||
;; I guess sometimes it needs random numbers
|
||||
(allow guix_daemon_t
|
||||
random_device_t
|
||||
(chr_file (read)))
|
||||
|
||||
;; guix system vm
|
||||
(allow guix_daemon_t
|
||||
kvm_device_t
|
||||
(chr_file (ioctl open read write)))
|
||||
(allow guix_daemon_t
|
||||
kernel_t
|
||||
(system (ipc_info)))
|
||||
|
||||
;; Label file system
|
||||
(filecon "@guix_sysconfdir@/guix(/.*)?"
|
||||
|
@ -277,5 +419,7 @@
|
|||
file (system_u object_r guix_daemon_exec_t (low low)))
|
||||
(filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
|
||||
file (system_u object_r guix_daemon_exec_t (low low)))
|
||||
(filecon "@storedir@/[a-z0-9]+-guix-daemon"
|
||||
file (system_u object_r guix_daemon_exec_t (low low)))
|
||||
(filecon "@guix_localstatedir@/guix/daemon-socket/socket"
|
||||
any (system_u object_r guix_daemon_socket_t (low low))))
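Review bot: The capability rule now grants `sys_admin` to guix_daemon_t (next to the existing `sys_chroot`, `setuid`, `dac_override`) with no comment recording which denial motivated it, and CAP_SYS_ADMIN is broad enough (mounts, namespaces, many privileged ioctls) that with it the policy stops meaningfully constraining the daemon's privileged operations. Presumably it is needed for the mount(2)/unshare(2) calls that set up the build chroot; a comment such as `;; sys_admin: mount/unshare when setting up the build namespace` beside it, with the AVC that produced it, would let reviewers confirm the scope. The same applies to `execmem` in the process rule and to the `vnc_port_t`/`rtp_media_port_t` name_bind rules near the end, which read like audit2allow output from a build whose test suite happened to bind a port in those labeled ranges rather than something the daemon itself needs.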
|
||||
@ -1054,6 +1054,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/ghostscript-no-header-id.patch \
|
||||
%D%/packages/patches/ghostscript-no-header-uuid.patch \
|
||||
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
|
||||
%D%/packages/patches/glib-appinfo-watch.patch \
|
||||
%D%/packages/patches/glib-tests-timer.patch \
|
||||
%D%/packages/patches/glibc-CVE-2018-11236.patch \
|
||||
%D%/packages/patches/glibc-CVE-2018-11237.patch \
|
||||
|
@ -181,6 +181,7 @@ (define glib
|
|||
(package
|
||||
(name "glib")
|
||||
(version "2.62.6")
|
||||
(replacement glib-with-gio-patch)
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "mirror://gnome/sources/"
|
||||
|
@ -387,11 +388,20 @@ (define pattern+procs
|
|||
(home-page "https://developer.gnome.org/glib/")
|
||||
(license license:lgpl2.1+)))
|
||||
|
||||
(define glib-with-gio-patch
|
||||
;; GLib with a fix for <https://bugs.gnu.org/35594>.
|
||||
;; TODO: Fold into 'glib' above in the next rebuild cycle.
|
||||
(package
|
||||
(inherit glib)
|
||||
(source (origin
|
||||
(inherit (package-source glib))
|
||||
(patches (cons (search-patch "glib-appinfo-watch.patch")
|
||||
(origin-patches (package-source glib))))))))
|
||||
|
||||
(define-public glib-with-documentation
|
||||
;; glib's doc must be built in a separate package since it requires gtk-doc,
|
||||
;; which in turn depends on glib.
|
||||
(package
|
||||
(inherit glib)
|
||||
(package/inherit glib
|
||||
(properties (alist-delete 'hidden? (package-properties glib)))
|
||||
(outputs (cons "doc" (package-outputs glib))) ; 20 MiB of GTK-Doc reference
|
||||
(native-inputs
|
||||
|
@ -130,9 +130,9 @@ (define-public guix
|
|||
;; Latest version of Guix, which may or may not correspond to a release.
|
||||
;; Note: the 'update-guix-package.scm' script expects this definition to
|
||||
;; start precisely like this.
|
||||
(let ((version "1.1.0")
|
||||
(commit "5e7cf66fb35780f930ad0bc5fe21ac330df4411d")
|
||||
(revision 32))
|
||||
(let ((version "1.2.0rc1")
|
||||
(commit "3ba6ffd0dd092ae879d014e4971989f231eaa56d")
|
||||
(revision 1))
|
||||
(package
|
||||
(name "guix")
|
||||
|
||||
|
@ -148,7 +148,7 @@ (define-public guix
|
|||
(commit commit)))
|
||||
(sha256
|
||||
(base32
|
||||
"15clfjp845gvl0p6qw0b1gdibqfq20zwzr6dbxvq8l9fgzj1kb6b"))
|
||||
"1wa67gdipmzqr400hp0cw5ih0rlfvj345h65rqbk9s4g3bkg38hm"))
|
||||
(file-name (string-append "guix-" version "-checkout"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
|
@ -336,7 +336,13 @@ (define code
|
|||
(let ((bash (assoc-ref inputs "bash")))
|
||||
(substitute* (string-append out "/bin/guix")
|
||||
(("^#!.*/bash") (string-append "#! " bash "/bin/bash")))))
|
||||
#t))))))
|
||||
#t)))
|
||||
|
||||
;; The 'guix' executable has 'OUT/libexec/guix/guile' has
|
||||
;; its shebang; that should remain unchanged, thus remove
|
||||
;; the 'patch-shebangs' phase, which would otherwise
|
||||
;; change it to 'GUILE/bin/guile'.
|
||||
(delete 'patch-shebangs))))
|
||||
(native-inputs `(("pkg-config" ,pkg-config)
|
||||
|
||||
;; Guile libraries are needed here for
|
||||
|
92
gnu/packages/patches/glib-appinfo-watch.patch
Normal file
@ -0,0 +1,92 @@
|
|||
This patch lets GLib's GDesktopAppInfo API watch and notice changes
|
||||
to the Guix user and system profiles. That way, the list of available
|
||||
applications shown by the desktop environment is immediately updated
|
||||
when the user runs "guix install", "guix remove", or "guix system
|
||||
reconfigure" (see <https://issues.guix.gnu.org/35594>).
|
||||
|
||||
It does so by monitoring /var/guix/profiles (for changes to the system
|
||||
profile) and /var/guix/profiles/per-user/USER (for changes to the user
|
||||
profile) and crawling their share/applications sub-directory when
|
||||
changes happen.
|
||||
|
||||
diff --git a/gio/gdesktopappinfo.c b/gio/gdesktopappinfo.c
|
||||
index f1e2fdd..095c110 100644
|
||||
--- a/gio/gdesktopappinfo.c
|
||||
+++ b/gio/gdesktopappinfo.c
|
||||
@@ -148,6 +148,7 @@ typedef struct
|
||||
gchar *alternatively_watching;
|
||||
gboolean is_config;
|
||||
gboolean is_setup;
|
||||
+ gchar *guix_profile_watch_dir;
|
||||
GFileMonitor *monitor;
|
||||
GHashTable *app_names;
|
||||
GHashTable *mime_tweaks;
|
||||
@@ -180,6 +181,7 @@ desktop_file_dir_unref (DesktopFileDir *dir)
|
||||
{
|
||||
desktop_file_dir_reset (dir);
|
||||
g_free (dir->path);
|
||||
+ g_free (dir->guix_profile_watch_dir);
|
||||
g_free (dir);
|
||||
}
|
||||
}
|
||||
@@ -204,6 +206,13 @@ desktop_file_dir_get_alternative_dir (DesktopFileDir *dir)
|
||||
{
|
||||
gchar *parent;
|
||||
|
||||
+ /* If DIR is a profile, watch the specified directory--e.g.,
|
||||
+ * /var/guix/profiles/per-user/$USER/ for the user profile. Do not watch
|
||||
+ * ~/.guix-profile or /run/current-system/profile because GFileMonitor does
|
||||
+ * not pass IN_DONT_FOLLOW and thus cannot notice any change. */
|
||||
+ if (dir->guix_profile_watch_dir != NULL)
|
||||
+ return g_strdup (dir->guix_profile_watch_dir);
|
||||
+
|
||||
/* If the directory itself exists then we need no alternative. */
|
||||
if (g_access (dir->path, R_OK | X_OK) == 0)
|
||||
return NULL;
|
||||
@@ -249,11 +258,11 @@ desktop_file_dir_changed (GFileMonitor *monitor,
|
||||
*
|
||||
* If this is a notification for a parent directory (because the
|
||||
* desktop directory didn't exist) then we shouldn't fire the signal
|
||||
- * unless something actually changed.
|
||||
+ * unless something actually changed or it's in /var/guix/profiles.
|
||||
*/
|
||||
g_mutex_lock (&desktop_file_dir_lock);
|
||||
|
||||
- if (dir->alternatively_watching)
|
||||
+ if (dir->alternatively_watching && dir->guix_profile_watch_dir == NULL)
|
||||
{
|
||||
gchar *alternative_dir;
|
||||
|
||||
@@ -1555,6 +1564,32 @@ desktop_file_dirs_lock (void)
|
||||
for (i = 0; dirs[i]; i++)
|
||||
g_ptr_array_add (desktop_file_dirs, desktop_file_dir_new (dirs[i]));
|
||||
|
||||
+ {
|
||||
+ /* Monitor the system and user profile under /var/guix/profiles and
|
||||
+ * treat modifications to them as if they were modifications to their
|
||||
+ * /share sub-directory. */
|
||||
+ const gchar *user;
|
||||
+ DesktopFileDir *system_profile_dir, *user_profile_dir;
|
||||
+
|
||||
+ system_profile_dir =
|
||||
+ desktop_file_dir_new ("/var/guix/profiles/system/profile/share");
|
||||
+ system_profile_dir->guix_profile_watch_dir = g_strdup ("/var/guix/profiles");
|
||||
+ g_ptr_array_add (desktop_file_dirs, desktop_file_dir_ref (system_profile_dir));
|
||||
+
|
||||
+ user = g_get_user_name ();
|
||||
+ if (user != NULL)
|
||||
+ {
|
||||
+ gchar *profile_dir, *user_data_dir;
|
||||
+
|
||||
+ profile_dir = g_build_filename ("/var/guix/profiles/per-user", user, NULL);
|
||||
+ user_data_dir = g_build_filename (profile_dir, "guix-profile", "share", NULL);
|
||||
+ user_profile_dir = desktop_file_dir_new (user_data_dir);
|
||||
+ user_profile_dir->guix_profile_watch_dir = profile_dir;
|
||||
+ g_ptr_array_add (desktop_file_dirs, desktop_file_dir_ref (user_profile_dir));
|
||||
+ g_free (user_data_dir);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* The list of directories will never change after this, unless
|
||||
* g_get_user_config_dir() changes due to %G_TEST_OPTION_ISOLATE_DIRS. */
|
||||
desktop_file_dirs_config_dir = user_config_dir;
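Review bot: Both new entries are appended with `desktop_file_dir_ref (system_profile_dir)` / `desktop_file_dir_ref (user_profile_dir)` right after `desktop_file_dir_new`, whereas the existing loop a few lines above adds `desktop_file_dir_new (dirs[i])` directly, which suggests `_new` already hands back an owned reference; if so, the extra ref means these two `DesktopFileDir`s, and the `guix_profile_watch_dir` string that `desktop_file_dir_unref` frees, can never be released. Dropping the wrapper, `g_ptr_array_add (desktop_file_dirs, system_profile_dir);` and likewise for `user_profile_dir`, would match the surrounding code. `desktop_file_dirs_lock` begins before this hunk and continues after it.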
|
@ -26,7 +26,7 @@
|
|||
;;; Copyright © 2018 Tomáš Čech <sleep_walker@gnu.org>
|
||||
;;; Copyright © 2018, 2019 Nicolas Goaziou <mail@nicolasgoaziou.fr>
|
||||
;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com>
|
||||
;;; Copyright © 2018 Maxim Cournoyer <maxim.cournoyer@gmail.com>
|
||||
;;; Copyright © 2018, 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
|
||||
;;; Copyright © 2019 Vagrant Cascadian <vagrant@debian.org>
|
||||
;;; Copyright © 2019 Brendan Tildesley <mail@brendan.scot>
|
||||
;;; Copyright © 2019 Pierre Langlois <pierre.langlois@gmx.com>
|
||||
|
@ -2893,21 +2893,30 @@ (define-public python-flask-basicauth
|
|||
(name "python-flask-basicauth")
|
||||
(version "0.2.0")
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (pypi-uri "Flask-BasicAuth" version))
|
||||
(sha256
|
||||
(base32
|
||||
"1zq1spkjr4sjdnalpp8wl242kdqyk6fhbnhr8hi4r4f0km4bspnz"))))
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (pypi-uri "Flask-BasicAuth" version))
|
||||
(sha256
|
||||
(base32
|
||||
"1zq1spkjr4sjdnalpp8wl242kdqyk6fhbnhr8hi4r4f0km4bspnz"))))
|
||||
(build-system python-build-system)
|
||||
(arguments
|
||||
`(#:phases (modify-phases %standard-phases
|
||||
(add-after 'unpack 'fix-imports
|
||||
(lambda _
|
||||
(substitute* '("docs/index.rst"
|
||||
"docs/conf.py"
|
||||
"flask_basicauth.py"
|
||||
"test_basicauth.py")
|
||||
(("flask\\.ext\\.basicauth")
|
||||
"flask_basicauth"))
|
||||
#t)))))
|
||||
(propagated-inputs
|
||||
`(("python-flask" ,python-flask)))
|
||||
(home-page
|
||||
"https://github.com/jpvanhal/flask-basicauth")
|
||||
(synopsis
|
||||
"HTTP basic access authentication for Flask")
|
||||
(home-page "https://github.com/jpvanhal/flask-basicauth")
|
||||
(synopsis "HTTP basic access authentication for Flask")
|
||||
(description
|
||||
"This package provides HTTP basic access authentication for Flask.")
|
||||
"This package provides HTTP basic access authentication for Flask.")
|
||||
(license license:bsd-3)))
|
||||
|
||||
(define-public python-flask-htpasswd
|
||||
|
@ -106,6 +106,12 @@ (define-module (gnu services base)
|
|||
agetty-service-type
|
||||
|
||||
mingetty-configuration
|
||||
mingetty-configuration-tty
|
||||
mingetty-configuration-auto-login
|
||||
mingetty-configuration-login-program
|
||||
mingetty-configuration-login-pause?
|
||||
mingetty-configuration-clear-on-logout?
|
||||
mingetty-configuration-mingetty
|
||||
mingetty-configuration?
|
||||
mingetty-service
|
||||
mingetty-service-type
|
||||
|
@ -285,8 +291,19 @@ (define (root-file-system-service)
|
|||
(define (file-system->shepherd-service-name file-system)
|
||||
"Return the symbol that denotes the service mounting and unmounting
|
||||
FILE-SYSTEM."
|
||||
(symbol-append 'file-system-
|
||||
(string->symbol (file-system-mount-point file-system))))
|
||||
(define valid-characters
|
||||
;; Valid store characters; see 'checkStoreName' in the daemon.
|
||||
(string->char-set
|
||||
"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+-._?="))
|
||||
|
||||
(define mount-point
|
||||
(string-map (lambda (chr)
|
||||
(if (char-set-contains? valid-characters chr)
|
||||
chr
|
||||
#\-))
|
||||
(file-system-mount-point file-system)))
|
||||
|
||||
(symbol-append 'file-system- (string->symbol mount-point)))
|
||||
|
||||
(define (mapped-device->shepherd-service-name md)
|
||||
"Return the symbol that denotes the shepherd service of MD, a <mapped-device>."
|
||||
|
@ -51,7 +51,9 @@ (define-module (guix scripts build)
|
|||
#:use-module ((guix progress) #:select (current-terminal-columns))
|
||||
#:use-module ((guix build syscalls) #:select (terminal-columns))
|
||||
#:use-module (guix transformations)
|
||||
#:export (%standard-build-options
|
||||
#:export (log-url
|
||||
|
||||
%standard-build-options
|
||||
set-build-options-from-command-line
|
||||
set-build-options-from-command-line*
|
||||
show-build-options-help
|
||||
|
|
|
@ -59,11 +59,16 @@ (define-module (guix scripts pack)
|
|||
#:use-module (srfi srfi-37)
|
||||
#:use-module (ice-9 match)
|
||||
#:export (compressor?
|
||||
compressor-name
|
||||
compressor-extenstion
|
||||
compressor-command
|
||||
%compressors
|
||||
lookup-compressor
|
||||
self-contained-tarball
|
||||
docker-image
|
||||
squashfs-image
|
||||
|
||||
%formats
|
||||
guix-pack))
|
||||
|
||||
;; Type of a compression tool.
|
||||
|
|
|
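Review bot: The export list now publishes `compressor-extenstion`, which carries a typo in a public name; the record accessor it refers to is outside this hunk, but if it is spelled the same way, exporting it freezes the misspelling into the module's API and every external user will have to reproduce it. If renaming the accessor is not an option, consider exporting a correctly spelled alias next to it, `(define compressor-extension compressor-extenstion)` plus `compressor-extension` in the `#:export` list, and keeping the old name for compatibility. Confirm the accessor's actual spelling before deciding.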
@ -2,6 +2,7 @@
|
|||
;;; Copyright © 2015 David Thompson <davet@gnu.org>
|
||||
;;; Copyright © 2020 by Amar M. Singh <nly@disroot.org>
|
||||
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -250,6 +251,21 @@ (define %nix-cache-info
|
|||
("WantMassQuery" . 0)
|
||||
("Priority" . 100)))
|
||||
|
||||
;;; A common buffer size value used for the TCP socket SO_SNDBUF option and
|
||||
;;; the gzip compressor buffer size.
|
||||
(define %default-buffer-size
|
||||
(* 208 1024))
|
||||
|
||||
(define %default-socket-options
|
||||
;; List of options passed to 'setsockopt' when transmitting files.
|
||||
(list (list SO_SNDBUF %default-buffer-size)))
|
||||
|
||||
(define* (configure-socket socket #:key (level SOL_SOCKET)
|
||||
(options %default-socket-options))
|
||||
"Apply multiple option tuples in OPTIONS to SOCKET, using LEVEL."
|
||||
(for-each (cut apply setsockopt socket level <>)
|
||||
options))
|
||||
|
||||
(define (signed-string s)
|
||||
"Sign the hash of the string S with the daemon's key. Return a canonical
|
||||
sexp for the signature."
|
||||
|
@ -569,7 +585,7 @@ (define nar
|
|||
(lambda (port)
|
||||
(write-file item port))
|
||||
#:level (compression-level compression)
|
||||
#:buffer-size (* 128 1024))
|
||||
#:buffer-size %default-buffer-size)
|
||||
(rename-file (string-append nar ".tmp") nar))
|
||||
('lzip
|
||||
;; Note: the file port gets closed along with the lzip port.
|
||||
|
@ -866,7 +882,7 @@ (define (nar-response-port response compression)
|
|||
;; 'make-gzip-output-port' wants a file port.
|
||||
(make-gzip-output-port (response-port response)
|
||||
#:level level
|
||||
#:buffer-size (* 64 1024)))
|
||||
#:buffer-size %default-buffer-size))
|
||||
(($ <compression> 'lzip level)
|
||||
(make-lzip-output-port (response-port response)
|
||||
#:level level))
|
||||
|
@ -891,8 +907,7 @@ (define (http-write server client response body)
|
|||
client))
|
||||
(port (begin
|
||||
(force-output client)
|
||||
(setsockopt client SOL_SOCKET
|
||||
SO_SNDBUF (* 128 1024))
|
||||
(configure-socket client)
|
||||
(nar-response-port response compression))))
|
||||
;; XXX: Given our ugly workaround for <http://bugs.gnu.org/21093> in
|
||||
;; 'render-nar', BODY here is just the file name of the store item.
|
||||
|
@ -922,7 +937,7 @@ (define (http-write server client response body)
|
|||
size)
|
||||
client))
|
||||
(output (response-port response)))
|
||||
(setsockopt client SOL_SOCKET SO_SNDBUF (* 128 1024))
|
||||
(configure-socket client)
|
||||
(if (file-port? output)
|
||||
(sendfile output input size)
|
||||
(dump-port input output))
|
||||
|
@ -1067,7 +1082,8 @@ (define* (run-publish-server socket store
|
|||
(define (open-server-socket address)
|
||||
"Return a TCP socket bound to ADDRESS, a socket address."
|
||||
(let ((sock (socket (sockaddr:fam address) SOCK_STREAM 0)))
|
||||
(setsockopt sock SOL_SOCKET SO_REUSEADDR 1)
|
||||
(configure-socket sock #:options (cons (list SO_REUSEADDR 1)
|
||||
%default-socket-options))
|
||||
(bind sock address)
|
||||
sock))
|
||||
|
||||
|
|
|
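Review bot: The comment on `%default-buffer-size` (the `@ -250` hunk) says where the value is used but not why 208 KiB was chosen over the previous 64 KiB and 128 KiB values it replaces, which is the one thing a future maintainer tuning throughput will want to know; a line such as `;;; 208 KiB was chosen because <reason — fill in>` would capture it. In the same vein, `configure-socket`'s docstring could spell out the tuple shape it expects, e.g. `Each element of OPTIONS is a list (OPTNAME VALUE) as accepted by 'setsockopt'.` Note also that the `@ -1067` hunk now sets `SO_SNDBUF` on the listening socket while the `@ -891` and `@ -922` hunks still call `configure-socket client` on each accepted connection; if accepted sockets inherit the listener's options on the target platform, one of the two is redundant — I cannot confirm that from the diff, so a comment stating which call is authoritative would help.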
@ -385,7 +385,7 @@ (define previous
|
|||
(and=> (relative-generation profile -1)
|
||||
(cut generation-file-name profile <>)))
|
||||
|
||||
(when previous
|
||||
(and previous
|
||||
(let ((old-channels (profile-channels previous))
|
||||
(new-channels (profile-channels profile)))
|
||||
;; Find the channels present in both PROFILE and PREVIOUS, and print
|
||||
|
|
|
@ -400,6 +400,12 @@ (define (available-translations directory domain)
|
|||
(find-files directory
|
||||
"\\.[a-z]{2}(_[A-Z]{2})?\\.po$")))
|
||||
|
||||
(define parallel-jobs
|
||||
;; Limit thread creation by 'n-par-for-each'. Going beyond can
|
||||
;; lead libgc 8.0.4 to abort with:
|
||||
;; mmap(PROT_NONE) failed
|
||||
(min (parallel-job-count) 4))
|
||||
|
||||
(mkdir #$output)
|
||||
(copy-recursively #$documentation "."
|
||||
#:log (%make-void-port "w"))
|
||||
|
@ -415,14 +421,14 @@ (define (available-translations directory domain)
|
|||
(setenv "LC_ALL" "en_US.UTF-8")
|
||||
(setlocale LC_ALL "en_US.UTF-8")
|
||||
|
||||
(n-par-for-each (parallel-job-count)
|
||||
(n-par-for-each parallel-jobs
|
||||
(match-lambda
|
||||
((language . po)
|
||||
(translate-texi "guix" po language
|
||||
#:extras '("contributing"))))
|
||||
(available-translations "." "guix-manual"))
|
||||
|
||||
(n-par-for-each (parallel-job-count)
|
||||
(n-par-for-each parallel-jobs
|
||||
(match-lambda
|
||||
((language . po)
|
||||
(translate-texi "guix-cookbook" po language)))
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2012, 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2012, 2015, 2016, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
|
@ -174,7 +174,7 @@ (define-module (test-build-utils)
|
|||
(let ((script-file-name (string-append directory "/foo")))
|
||||
(call-with-output-file script-file-name
|
||||
(lambda (port)
|
||||
(format port script-contents)))
|
||||
(display script-contents port)))
|
||||
(chmod script-file-name #o777)
|
||||
(wrap-script script-file-name
|
||||
`("GUIX_FOO" prefix ("/some/path"
|
||||
|
|