bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Ben Woodcroft



On 28/05/16 11:45, Leo Famulari wrote:

On Sat, May 28, 2016 at 11:11:20AM +1000, Ben Woodcroft wrote:

Hi Leo,

On 28/05/16 11:05, Leo Famulari wrote:

Okay, I finally have some code that works! (attached)

Is your patch incomplete?

What do you mean? Does it not apply to your source tree?


Oh, never mind, sorry for the noise. Thunderbird was tripping up on the
strange character and not showing me the full diff.

ben





bug#23260: (wxmaxima) crash: GLib-GIO-ERROR **: Settings schema 'org.gtk.Settings.FileChooser' is not installed

2016-05-28 Thread 宋文武
Danny Milosavljevic  writes:

> I finally got to the bottom of it.
>
> It says:
>
>   (wxmaxima:27910): GLib-GIO-ERROR **: Settings schema 
> 'org.gtk.Settings.FileChooser' is not installed
>
> and it's right. I'm not sure how it's supposed to find them.
>
> On this GuixSD installation I only have a minimal number of packages
> in the operating-system definition of the system profile (and gtk is
> not in it). I have installed gtk into my user's profile but I really
> shouldn't have to, right? (and it still doesn't work)
>
> However, lots of programs use gtk. If they do, they'll sooner or later need 
> the filechooser. However, gtk-3 filechooser needs its settings schema.
>
> Environment variables with "GTK" in the name are:
>
> GTK_DATA_PREFIX=/run/current-system/profile
> GTK_PATH=/gnu/store/mjjkx5fq0gn5bg89pz2gsipjs975m2im-gtk+-3.18.2/lib/gtk-3.0
> GUIX_GTK3_PATH=/home/dannym/.guix-profile/lib/gtk-3.0:/home/dannym/.guix-profile/lib/gtk-3.0
>
> But the schema 'org.gtk.Settings.FileChooser' is not found since it's in:
>
>   
> /gnu/store/mjjkx5fq0gn5bg89pz2gsipjs975m2im-gtk+-3.18.2/share/glib-2.0/schemas
>
> which is installed nowhere. I know I can easily workaround this by
> manually installing it in the system profile - but shouldn't it be
> solved in some better manner?

Yes, as you found, the FileChooser schema must be known by wxmaxima
via GSETTINGS_SCHEMA_DIR or XDG_DATA_DIRS.

There is a `glib-or-gtk-build-system'; when it is used, all executables
will be wrapped with XDG_DATA_DIRS, combined from the inputs' $out/share
directories.  Currently, applications using gsettings can be handled
this way or wrapped manually using `wrap-program'.


Thanks for your report, I fixed this specific issue
in commit de477809d773.





bug#23195: fixed

2016-05-28 Thread 宋文武
fixed in commit de477809d773.





bug#23001: emacs in X has icons missing and throws warnings in tty

2016-05-28 Thread 宋文武
Well, now the gtk+ is linked with gdk-pixbuf+svg, with
adwaita-icon-theme and shared-mime-info (used by gdk-pixbuf at runtime)
all my Emacs toolbar icons are missing (empty), but without any warning.





bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Ludovic Courtès
Leo Famulari  skribis:

> On Tue, May 24, 2016 at 02:24:59PM +0200, Ludovic Courtès wrote:
>> Leo Famulari  skribis:
>> 
>> > I realized that we don't seem to be saving any of the entropy in the
>> > kernel's random pool [0] across reboots.
>> >
>> > This means that for some period after boot, /dev/urandom may not be safe
>> > to use. From random(4):
>> 
>> Good catch!
>> 
>> Some comments:
>> 
>> > +(define %urandom-seed-activation
>> > +  ;; Activation gexp for the urandom seed
>> > +  #~(begin
>> > +  (use-modules (guix build utils))
>> > +
>> > +  (mkdir-p "/var/run")
>> > +  (close-port (open-file "/var/run/urandom-seed" "a0b"))
>> 
>> Or simply ‘open-output-file’.
>
> I don't see a way to use (open-output-file) in "append" mode as with
> (open-file).  Without that, the file is cleared before it is read in the
> following lines.

You’re right, sorry for the confusion.

Ludo’.





bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Ludovic Courtès
Leo Famulari  skribis:

> On Wed, May 25, 2016 at 06:54:58PM +0200, Ludovic Courtès wrote:
>> 
>> Yes, it’s:
>> 
>>   (service TYPE VALUE)
>> 
>> but I think there’s no meaningful value for this service, so you could
>> do:
>> 
>>   (service urandom-seed-service-type #f)

[...]

> gnu/services/base.scm:1217:0: In procedure urandom-seed-shepherd-service:
> gnu/services/base.scm:1217:0: Wrong number of arguments to # urandom-seed-shepherd-service ()>

[...]

> +(define (urandom-seed-shepherd-service)

[...]

> +(define urandom-seed-service-type
> +  (service-type (name 'urandom-seed)
> +(extensions
> + (list (service-extension shepherd-root-service-type
> +  urandom-seed-shepherd-service)

Service extension procedures are called with one argument, which is the
service’s value (info "(guix) Service Reference").

Usually, the service’s value is a configuration object, but in this
case, the service’s value doesn’t matter, so you could simply write:

  (define (urandom-seed-shepherd-service _)
…)

> +   ;; Add urandom-seed to the system profile
> +   (service-extension profile-service-type list)

The ‘profile-service-type’ represents the system profile, i.e.,
/run/current-system/profile.  Extending it means adding a package to
it.

But here, IIUC, there’s no package to be added to the profile, so you
should just remove it.

Last round and we’re done!  :-)

Thanks for persevering, and sorry it’s not easier.  Maybe you’ll have
ideas on how to improve the manual and/or the API?

Ludo’.





bug#23094: [PATCHv2] Re: bug#23094: icecat is missing a desktop file

2016-05-28 Thread Ludovic Courtès
Hi!

I figured there’s already a desktop entry template in the source, and
it’s more complete (it includes translations), hence this patch:

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 7e52534..2baf4d7 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -509,7 +509,23 @@ standards.")
   (format #t "configure flags: ~s~%" flags)
   (zero? (apply system* bash
 (string-append srcdir "/configure")
-flags
+flags)
+ (add-after 'install 'install-desktop-entry
+   (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+(applications (string-append out "/share/applications")))
+   (mkdir-p applications)
+   (copy-file "debian/icecat.desktop.in"
+  "debian/icecat.desktop")
+   (substitute* "debian/icecat.desktop"
+ (("@MOZ_DISPLAY_NAME@")
+  "GNU IceCat")
+ (("^Exec=@MOZ_APP_NAME@")
+  (string-append "Exec=" out "/bin/icecat"))
+ (("@MOZ_APP_NAME@")
+  "icecat"))
+   (install-file "debian/icecat.desktop" applications)
+   #t))
 (home-page "http://www.gnu.org/software/gnuzilla/";)
 (synopsis "Entirely free browser derived from Mozilla Firefox")
 (description
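
Review bot: In the `substitute*` call of the new `install-desktop-entry` phase, a clause whose pattern no longer matches is skipped without any error, so if the template changes, the installed desktop file can still carry raw `@...@` placeholders. Consider checking the generated file for leftover `@` placeholders before `install-file`. A short comment would also help, saying that the `^Exec=@MOZ_APP_NAME@` clause has to stay ahead of the general `@MOZ_APP_NAME@` clause, since swapping them would turn the Exec line into a bare `icecat` instead of the absolute path under `out`.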

I haven’t been able to test it, so your feedback is welcome!

Thanks,
Ludo’.


bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Leo Famulari
On Sat, May 28, 2016 at 03:57:06PM +0200, Ludovic Courtès wrote:
> Leo Famulari  skribis:
> > On Wed, May 25, 2016 at 06:54:58PM +0200, Ludovic Courtès wrote:
> Usually, the service’s value is a configuration object, but in this
> case, the service’s value doesn’t matter, so you could simply write:
> 
>   (define (urandom-seed-shepherd-service _)
> …)
> 
> > +   ;; Add urandom-seed to the system profile
> > +   (service-extension profile-service-type list)
> 
> The ‘profile-service-type’ represents the system profile, i.e.,
> /run/current-system/profile.  Extending it means adding a package to
> it.
> 
> But here, IIUC, there’s no package to be added to the profile, so you
> should just remove it.
> 
> Last round and we’re done!  :-)

Please find my latest patch attached. It seems to work for me!

From 18979451b1af7eebaa354c1753ad4c90af288589 Mon Sep 17 00:00:00 2001
From: Leo Famulari 
Date: Sat, 28 May 2016 13:41:21 -0400
Subject: [PATCH] services: Add urandom-seed-service.

* gnu/services/base.scm (urandom-seed-service): New procedure.
(%random-seed-file, urandom-seed-service-type): New variables.
(%urandom-seed-shepherd-service): New procedure.
* doc/guix.texi (Base Services): Document it.
---
 doc/guix.texi | 10 +
 gnu/services/base.scm | 61 ++-
 2 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bb75425..34a51a8 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -7355,6 +7355,16 @@ Return a service that runs the Guix build daemon according to
 Run @var{udev}, which populates the @file{/dev} directory dynamically.
 @end deffn
 
+@deffn {Scheme Procedure} urandom-seed-service @var{#f}
+Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
+when rebooting.
+@end deffn
+
+@deftp {Data Type} %random-seed-file
+This is where some random bytes are saved by @var{urandom-seed-service}
+to seed @file{/dev/urandom} when rebooting.
+@end deftp
+
 @deffn {Scheme Procedure} console-keymap-service @var{files} ...
 @cindex keyboard layout
 Return a service to load console keymaps from @var{files} using
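
Review bot: The `@deffn` line documents `urandom-seed-service` with an argument, `@var{#f}`, but the procedure added in gnu/services/base.scm is defined as `(define (urandom-seed-service)` and takes none; `#f` is only the value it passes to `service` internally. Drop `@var{#f}` from the signature, and have the description say that the seed is written into @file{/dev/urandom} when the service starts and saved when it stops, so the manual matches the code.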
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 96bf8da..032f713 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -93,6 +93,8 @@
 gpm-service-type
 gpm-service
 
+urandom-seed-service
+
 %base-services))
 
 ;;; Commentary:
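
Review bot: Only `urandom-seed-service` is added to the export list here, while the doc/guix.texi part of the same patch documents `%random-seed-file` as something users can refer to, and the new `urandom-seed-service-type` also stays private. Either export `%random-seed-file` (and the service type, if users are meant to write `(service urandom-seed-service-type ...)` themselves) or drop the variable from the manual.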
@@ -422,6 +424,63 @@ stopped before 'kill' is called."
 
 
 ;;;
+;;; Preserve entropy to seed /dev/urandom on boot.
+;;;
+
+(define %random-seed-file
+  "/var/lib/random-seed")
+
+(define %urandom-seed-activation
+  ;; Activation gexp for the urandom seed
+  #~(begin
+  (use-modules (guix build utils))
+
+  (mkdir-p (dirname #$%random-seed-file))
+  (close-port (open-file #$%random-seed-file "a0b"))
+  (chmod #$%random-seed-file #o600)))
+
+(define (urandom-seed-shepherd-service _)
+  "Return a shepherd service for the /dev/urandom seed."
+  (list (shepherd-service
+ (documentation "Preserve entropy across reboots for /dev/urandom.")
+ (provision '(urandom-seed))
+ (requirement '(user-processes))
+ (start #~(lambda _
+;; On boot, write random seed into /dev/urandom.
+(when (file-exists? #$%random-seed-file)
+  (call-with-input-file #$%random-seed-file
+(lambda (seed)
+  (call-with-output-file "/dev/urandom"
+(lambda (urandom)
+  (dump-port seed urandom))
+#t))
+ (stop #~(lambda _
+   ;; During shutdown, write from /dev/urandom into random seed.
+   (let ((buf (make-bytevector 512)))
+ (call-with-input-file "/dev/urandom"
+   (lambda (urandom)
+ (get-bytevector-n! urandom buf 0 512)
+ (call-with-output-file #$%random-seed-file
+   (lambda (seed)
+ (put-bytevector seed buf)))
+ #t)
+ (modules `((rnrs bytevectors)
+(rnrs io ports)
+,@%default-modules)
+
+(define urandom-seed-service-type
+  (service-type (name 'urandom-seed)
+(extensions
+ (list (service-extension shepherd-root-service-type
+  urandom-seed-shepherd-service)
+   (service-extension activation-service-type
+  (const %urandom-seed-activation))
+
+(define (urandom-seed-service)
+  (service urandom-seed-service-type #f))
+
+
+;;;
 ;;; System-wide environment variables.
 ;;;
 
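
Review bot: The `start` procedure writes the saved seed into /dev/urandom but leaves `%random-seed-file` untouched, and the file is only rewritten in `stop`, so after a crash or power loss the next boot loads the same seed again. The example start-up script in random(4) saves a fresh seed right after loading the old one; doing the same at the end of `start` closes that reuse window. Two smaller points in `stop`: the return value of `get-bytevector-n!` is ignored, so a short read would still write all 512 bytes of `buf`, and `call-with-output-file` creates the file with default permissions if it has been removed since activation, because the `chmod ... #o600` only runs in `%urandom-seed-activation`.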
@@ -1200,7 +1259,6 @@ extra rules from the packages listed in @var{rules}."
   "Return a s

bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Leo Famulari
On Sat, May 28, 2016 at 02:05:35PM -0400, Leo Famulari wrote:
> Please find my latest patch attached. It seems to work for me!

I forgot to add a copyright line for myself in this version. I'll put it
in for the next patch or when merging.





bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Leo Famulari
On Sat, May 28, 2016 at 02:05:35PM -0400, Leo Famulari wrote:
> Please find my latest patch attached. It seems to work for me!

I'm currently reconfiguring my GuixSD system with this patch to make
sure bad things don't happen the first time the user halts and the seed
file does not exist. Or something like that. Just to see what happens.

So far, I tested this by generating VM images.





bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Leo Famulari
On Sat, May 28, 2016 at 02:26:23PM -0400, Leo Famulari wrote:
> On Sat, May 28, 2016 at 02:05:35PM -0400, Leo Famulari wrote:
> > Please find my latest patch attached. It seems to work for me!
> 
> I'm currently reconfiguring my GuixSD system with this patch to make
> sure bad things don't happen the first time the user halts and the seed
> file does not exist. Or something like that. Just to see what happens.

No problems. After reconfiguring, the service is started and there is a
zero-byte file at /var/lib/random-seed.
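
The seed handling discussed in this thread, as an added shell sketch in the style of the random(4) scripts; it is not part of any message here and not the Guix service code. The names load_seed, save_seed, SEED_FILE and POOL are made up for the example; the path and the 512-byte size are taken from the patch. It also covers the zero-byte seed file reported above and refreshes the seed at boot.

```shell
#!/bin/sh
# Added example (not the Guix service): seed carry-over for /dev/urandom.
# SEED_FILE mirrors %random-seed-file from the patch. POOL is where the old
# seed is written; both can be overridden to try the logic on scratch files.
SEED_FILE=${SEED_FILE:-/var/lib/random-seed}
POOL=${POOL:-/dev/urandom}
SEED_BYTES=512   # the size the patch reads at shutdown

# Write a fresh seed. The temp file is created under umask 077, so the seed
# is never readable by other users, and mv replaces the old seed atomically.
save_seed() {
    (
        umask 077
        tmp="$SEED_FILE.tmp.$$"
        if head -c "$SEED_BYTES" /dev/urandom > "$tmp" &&
           [ "$(wc -c < "$tmp")" -eq "$SEED_BYTES" ]; then
            mv -f "$tmp" "$SEED_FILE"
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

# Boot: mix the old seed into the pool (this adds data but does not raise
# the kernel's entropy count), then replace the seed at once so that a crash
# before the next clean shutdown cannot cause the same seed to be loaded twice.
load_seed() {
    # -s skips a missing or zero-byte seed, the state right after the
    # first activation.
    if [ -s "$SEED_FILE" ]; then
        cat "$SEED_FILE" > "$POOL" || return 1
    fi
    save_seed
}

case "${1:-}" in
    start) load_seed ;;
    stop)  save_seed ;;
esac
```

Run with `start` at boot and `stop` at shutdown; with no argument the script only defines the functions.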





bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Ludovic Courtès
Leo Famulari  skribis:

> Please find my latest patch attached. It seems to work for me!

\o/

> From 18979451b1af7eebaa354c1753ad4c90af288589 Mon Sep 17 00:00:00 2001
> From: Leo Famulari 
> Date: Sat, 28 May 2016 13:41:21 -0400
> Subject: [PATCH] services: Add urandom-seed-service.

Add “Fixes .”

> * gnu/services/base.scm (urandom-seed-service): New procedure.
> (%random-seed-file, urandom-seed-service-type): New variables.
> (%urandom-seed-shepherd-service): New procedure.

Mention the addition to ‘%base-services’ too.

> * doc/guix.texi (Base Services): Document it.

[...]

> +@deftp {Data Type} %random-seed-file

Should be:

  @defvr {Scheme Variable} %random-seed-file

> +This is where some random bytes are saved by @var{urandom-seed-service}

s/This is where/This is the name of the file where/

> +to seed @file{/dev/urandom} when rebooting.

Maybe add “It defaults to @file{/var/run/…}.”

OK with these changes.

Thanks a lot!

Ludo’.





bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Leo Famulari
On Sat, May 28, 2016 at 10:53:08PM +0200, Ludovic Courtès wrote:
> 
> OK with these changes.

Done as a535e12226!





bug#23605: /dev/urandom not seeded across reboots

2016-05-28 Thread Leo Famulari
On Sat, May 28, 2016 at 08:00:58PM -0400, Leo Famulari wrote:
> On Sat, May 28, 2016 at 10:53:08PM +0200, Ludovic Courtès wrote:
> > 
> > OK with these changes.
> 
> Done as a535e12226!