bug#32952: "make check-system" fails to report record-abi-mismatch-error

2018-10-06 Thread Chris Marusich
Hi Guix,

On commit d71078bc75d149c70dc573a259986f1731145693, "make check-system"
failed for me with the following error message:

--8<---cut here---start->8---
[2] [env] marusich@garuda.local:~/guix
$ make check-system
Compiling Scheme modules...
warning: failed to load '(gnu tests install)':
Backtrace:
   9 (apply-smob/1 #)
In ice-9/boot-9.scm:
705:2  8 (call-with-prompt _ _ #)
In ice-9/eval.scm:
619:8  7 (_ #(#(#)))
619:8  6 (_ #(#(#(#) (#)) #))
   626:19  5 (_ #(#(#(#) (#)) #))
In gnu/tests.scm:
   277:11  4 (all-system-tests)
   273:32  3 (fold-system-tests _ _)
In srfi/srfi-1.scm:
   697:23  2 (filter-map # . #)
In guix/discovery.scm:
   113:22  1 (_ . _)
In unknown file:
   0 (display-error #f # #)

ERROR: In procedure display-error:
Wrong number of arguments to #
make: *** [Makefile:5454: check-system] Error 1
[2] [env] marusich@garuda.local:~/guix
$ 
--8<---cut here---end--->8---

Although it wasn't obvious, this problem was actually caused by a
record-abi-mismatch-error.  When I deleted my $HOME/.cache/guile/ccache
directory, this error went away, and I was able to run the system tests.
However, it took some work to figure this out, since the error reporting
mechanism itself suffered an error.

To figure this out, I added some debug statements (see attached patch).
After I did that, "make check-system" failed with some more information:

--8<---cut here---start->8---
[2] [env] marusich@garuda.local:~/guix
$ make check-system
Compiling Scheme modules...
XXX before

;;; (#)

;;; ((gnu tests install))

;;; ((record-abi-mismatch-error #>))

;;; ((record-abi-mismatch-error #>))
warning: failed to load '(gnu tests install)':

;;; (#)

;;; ((#>))
Backtrace:
   9 (apply-smob/1 #)
In ice-9/boot-9.scm:
705:2  8 (call-with-prompt _ _ #)
In ice-9/eval.scm:
619:8  7 (_ #(#(#)))
619:8  6 (_ #(#(#(#) (#)) #))
   626:19  5 (_ #(#(#(#) (#)) #))
In gnu/tests.scm:
   277:11  4 (all-system-tests)
   273:32  3 (fold-system-tests _ _)
In srfi/srfi-1.scm:
   697:23  2 (filter-map # . #)
In guix/discovery.scm:
   114:22  1 (_ record-abi-mismatch-error #)
In unknown file:
   0 (display-error #f # #)

ERROR: In procedure display-error:
Wrong number of arguments to #
make: *** [Makefile:5454: check-system] Error 1
[2] [env] marusich@garuda.local:~/guix
$ 
--8<---cut here---end--->8---

This output shows two problems.  The first problem is that an ABI
mismatch error was thrown.  The second problem is that display-error
encountered a problem while trying to display that error.

It's the second problem that I can't figure out.  Why does display-error
fail in this case?  For context, note that fold-system-tests in
gnu/tests.scm calls test-modules (in the same file), and that
test-modules calls scheme-modules with #:warn set to
warn-about-load-error.

The procedure warn-about-load-error is defined in guix/ui.scm.  It calls
display-error.  That seems to be where the problem occurs.  Based on the
debug output I added, we can see that in warn-about-load-error, the args
variable refers to the following list:

  (record-abi-mismatch-error #>)

This is strange, since the only place that throws
record-abi-mismatch-error is in guix/records.scm...

--8<---cut here---start->8---
  (define (abi-check type cookie)
    "Return syntax that checks that the current \"application binary
interface\" (ABI) for TYPE is equal to COOKIE."
    (with-syntax ((current-abi (current-abi-identifier type)))
      #`(unless (eq? current-abi #,cookie)
          ;; The source file where this exception is thrown must be
          ;; recompiled.
          (throw 'record-abi-mismatch-error 'abi-check
                 "~a: record ABI mismatch; recompilation needed"
                 (list #,type) '()))))
--8<---cut here---end--->8---

...and based on that code, I expected the args variable to contain many
more elements.  I expected it to look more like this:

--8<---cut here---start->8---
scheme@(guile-user)> (throw 'record-abi-mismatch-error 'abi-check
 "~a: record ABI mismatch; recompilation needed"
 (list 'some-type) '())
Throw to key `record-abi-mismatch-error' with args `(abi-check "~a: record ABI 
mismatch; recompilation needed" (some-type) ())'.

Entering a new prompt.  Type `,bt' for a backtrace or `,q' to continue.
scheme@(guile-user) [1]> 
--8<---cut here---end--->8---

I don't understand what happened to all the other arguments.  It looks
like the throw invocation in guix/records.scm was written carefully so
that it would throw exactly the arguments that display-error expects to
receive, but some of the arguments apparently went missing (e.g., the
"~a: record ABI mismatch; recompilati

bug#32954: Cuirass: logs of failing tests are unavailable

2018-10-06 Thread Clément Lassieur
Hi,

The logs of failing tests are unavailable.

(Which makes it impossible to understand why a huge lot of tests are
failing.)

Clément





bug#32955: Cuirass: Some tests depend on 'guix-current', which makes them resource expensive

2018-10-06 Thread Clément Lassieur
Hi,

Tests depending on 'guix-current' are expensive in terms of CPU and
storage usage since we need to build (current-guix) and then store a
couple of full system images.

They are built at each evaluation because they depend on 'guix-current'.
(And they all fail.)

test.btrfs-root-os.x86_64-linux
test.encrypted-root-os.x86_64-linux
test.installed-extlinux-os.x86_64-linux
test.separate-home-os.x86_64-linux
test.raid-root-os.x86_64-linux
test.separate-store-os.x86_64-linux
test.iso-image-installer.x86_64-linux
test.installed-os.x86_64-linux

test.btrfs-root-os.i686-linux
test.encrypted-root-os.i686-linux
test.installed-extlinux-os.i686-linux
test.separate-home-os.i686-linux
test.raid-root-os.i686-linux
test.separate-store-os.i686-linux
test.iso-image-installer.i686-linux
test.installed-os.i686-linux

It seems that the reason is explained by that comment in
gnu/tests/install.scm:

;; Since the image has no network access, use the
;; current Guix so the store items we need are in
;; the image and add packages provided.

Is there another way to get those tests to work without depending on
'guix-current'?

Clément





bug#32855: sshuttle /usr/bin/env

2018-10-06 Thread Marius Bakke
Tobias Geerinckx-Rice  writes:

>> Should those lines be removed? I tested without, and it seems to work okay,
>> at least for my particular setup: GuixSD client --> non-GuixSD server.
>
> Wouldn't that break [any client -> vanilla GuixSD server] cases?

Note that /bin/sh is present even on vanilla GuixSD.




bug#32955: Cuirass: Some tests depend on 'guix-current', which makes them resource expensive

2018-10-06 Thread Clément Lassieur
Clément Lassieur  writes:

> Hi,
>
> Tests depending on 'guix-current' are expensive in terms of CPU and
> storage usage since we need to build (current-guix) and then store a
> couple of full system images.
>
> They are built at each evaluation because they depend on 'guix-current'.
> (And they all fail.)

I understand that 'guix-current' is only built once at each evaluation,
of course.  And now I wonder: is it the same one that is built for
guix-modular?  In that case it's not really useless.





bug#32855: sshuttle /usr/bin/env

2018-10-06 Thread Tobias Geerinckx-Rice

Marius,

Marius Bakke wrote:

> Note that /bin/sh is present even on vanilla GuixSD.


Thanks. I should probably give this vanilla GuixSD of which you 
speak a try some time :-)


Kind regards,

T G-R





bug#32878: Python-3 CVE-2018-14647

2018-10-06 Thread Marius Bakke
Leo Famulari  writes:

> Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
> CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
> v3.6.7rc1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

Reading , this issue seems to only
affect older versions of Expat, or when using Python's bundled one which
is compiled with -DXML_POOR_ENTROPY.

...unfortunately we seem to be using the bundled version :-(

This patch adds a graft for Python:

From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
From: Marius Bakke 
Date: Sat, 6 Oct 2018 16:47:05 +0200
Subject: [PATCH] gnu: python: Fix CVE-2018-14647.

* gnu/packages/patches/python-CVE-2018-14647.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-3/fixed): New variable.
(python-3.6)[replacement]: New field.
(python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
standard inheritance.
---
 gnu/local.mk  |  1 +
 .../patches/python-CVE-2018-14647.patch   | 61 +++
 gnu/packages/python.scm   | 16 +++--
 3 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 61e5913a0..df16f85db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1075,6 +1075,7 @@ dist_patch_DATA =		\
   %D%/packages/patches/python-3-deterministic-build-info.patch	\
   %D%/packages/patches/python-3-search-paths.patch		\
   %D%/packages/patches/python-3-fix-tests.patch			\
+  %D%/packages/patches/python-CVE-2018-14647.patch		\
   %D%/packages/patches/python-axolotl-AES-fix.patch		\
   %D%/packages/patches/python-cairocffi-dlopen-path.patch	\
   %D%/packages/patches/python-fix-tests.patch			\
diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch
new file mode 100644
index 0..24f8d2182
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2018-14647.patch
@@ -0,0 +1,61 @@
+Fix CVE-2018-14647:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
+https://bugs.python.org/issue34623
+
+Taken from upstream:
+https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
+
+diff --git Include/pyexpat.h Include/pyexpat.h
+index 44259bf6d7..07020b5dc9 100644
+--- Include/pyexpat.h
 Include/pyexpat.h
+@@ -3,7 +3,7 @@
+ 
+ /* note: you must import expat.h before importing this module! */
+ 
+-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+ 
+ struct PyExpat_CAPI
+@@ -48,6 +48,8 @@ struct PyExpat_CAPI
+ enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
+ int (*DefaultUnknownEncodingHandler)(
+ void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
++/* might be none for expat < 2.1.0 */
++int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+ /* always add new stuff to the end! */
+ };
+ 
+diff --git Modules/_elementtree.c Modules/_elementtree.c
+index 707ab2912b..53f05f937f 100644
+--- Modules/_elementtree.c
 Modules/_elementtree.c
+@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
+ PyErr_NoMemory();
+ return -1;
+ }
++/* expat < 2.1.0 has no XML_SetHashSalt() */
++if (EXPAT(SetHashSalt) != NULL) {
++EXPAT(SetHashSalt)(self->parser,
++   (unsigned long)_Py_HashSecret.expat.hashsalt);
++}
+ 
+ if (target) {
+ Py_INCREF(target);
+diff --git Modules/pyexpat.c Modules/pyexpat.c
+index 47c3e86c20..aa21d93c11 100644
+--- Modules/pyexpat.c
 Modules/pyexpat.c
+@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
+ capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
+ capi.SetEncoding = XML_SetEncoding;
+ capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
++#if XML_COMBINED_VERSION >= 20100
++capi.SetHashSalt = XML_SetHashSalt;
++#else
++capi.SetHashSalt = NULL;
++#endif
+ 
+ /* export using capsule */
+ capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
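Review bot: In the Modules/pyexpat.c part of this embedded patch, the #else branch sets capi.SetHashSalt = NULL and _elementtree.c then skips the call, so a build against an Expat older than 2.1.0 silently leaves the hash salt unset. Since the message above says this package uses the bundled Expat, the patch header should state that the bundled copy satisfies XML_COMBINED_VERSION >= 20100, so a reader can tell that the graft actually takes effect. The int result of EXPAT(SetHashSalt)(...) in _elementtree.c is also discarded; either check it or add a comment saying why ignoring it is acceptable at that point.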
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 4703d95a2..5ee3db6bf 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -357,6 +357,7 @@ data types.")
   (package (inherit python-2)
 (name "python")
 (version "3.6.5")
+(replacement python-3/fixed)
 (source (origin
   (method url-fetch)
   (uri (string-append "https://www.python.org/ftp/python/";
@@ -456,6 +457,14 @@ data types.")
 ;; Current 3.x version.
 (define-public python-3 python-3.6)
 
+(define python-3/fixed
+  (package
+(inherit python-3)
+(source (origin
+  (inherit (package-source python-3))

bug#32957: Python uses a bundled expat

2018-10-06 Thread Marius Bakke
Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.


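Added example (not part of the original message, and not Guix or CPython code): one way to check from inside a Python 3 interpreter which Expat it carries, whether that version offers XML_SetHashSalt (the 20100 threshold from the pyexpat.c guard quoted in bug#32878), and whether Expat comes from a shared libexpat or is compiled into pyexpat. The function names and the sample memory maps are constructed for illustration; the linkage check is a Linux-only heuristic based on /proc/self/maps.

```python
import re

# XML_SetHashSalt() appeared in Expat 2.1.0; the pyexpat.c hunk quoted in this
# thread guards on XML_COMBINED_VERSION >= 20100 for that reason.
HASH_SALT_MIN = 20100

# Constructed /proc/<pid>/maps excerpts (paths and addresses are made up).
SAMPLE_MAPS_BUNDLED = """\
00400000-00401000 r-xp 00000000 08:01 1311 /opt/example/bin/python3.6
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c43a000 r-xp 00000000 08:01 2201 /opt/example/lib/python3.6/lib-dynload/pyexpat.cpython-36m-x86_64-linux-gnu.so
"""
SAMPLE_MAPS_SHARED = SAMPLE_MAPS_BUNDLED + """\
7f3a1c000000-7f3a1c02c000 r-xp 00000000 08:01 2307 /opt/example/lib/libexpat.so.1.6.7
7f3a1c22c000-7f3a1c22e000 r--p 0002c000 08:01 2307 /opt/example/lib/libexpat.so.1.6.7
"""


def combined_version(expat_version):
    """Turn a pyexpat.EXPAT_VERSION string such as 'expat_2.2.5' into 20205,
    using Expat's 10000*major + 100*minor + micro encoding."""
    m = re.fullmatch(r"expat_(\d+)\.(\d+)\.(\d+)", expat_version.strip())
    if m is None:
        raise ValueError("unrecognised Expat version string: %r" % expat_version)
    major, minor, micro = (int(g) for g in m.groups())
    return 10000 * major + 100 * minor + micro


def has_hash_salt_api(expat_version):
    """True if this Expat version provides XML_SetHashSalt().  This only says
    the library offers the call; whether the interpreter uses it is what the
    CVE-2018-14647 fix changes."""
    return combined_version(expat_version) >= HASH_SALT_MIN


def shared_libexpat_paths(maps_text):
    """Return the libexpat shared objects named in /proc/<pid>/maps text."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) != 6:
            continue  # anonymous mapping, no path
        path = fields[5].strip()
        if re.search(r"/libexpat\.so(\.\d+)*$", path):
            paths.add(path)
    return sorted(paths)


def classify(expat_version, maps_text):
    """Summarise version, API availability and linkage for one interpreter."""
    libs = shared_libexpat_paths(maps_text)
    return {
        "expat": expat_version,
        "hash_salt_api": has_hash_salt_api(expat_version),
        # No libexpat mapping means Expat is compiled into pyexpat itself
        # (the bundled copy under Modules/, or a static link).
        "linkage": "shared" if libs else "bundled-or-static",
        "libraries": libs,
    }


def inspect_running_interpreter():
    """Linux only: load pyexpat, then read this process's own memory map."""
    import pyexpat
    with open("/proc/self/maps") as f:
        return classify(pyexpat.EXPAT_VERSION, f.read())


if __name__ == "__main__":
    print(classify("expat_2.2.5", SAMPLE_MAPS_BUNDLED))  # constructed input
    try:
        print(inspect_running_interpreter())
    except OSError:
        print("no /proc/self/maps on this platform")
```
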


bug#32878: Python-3 CVE-2018-14647

2018-10-06 Thread Marius Bakke
Marius Bakke  writes:

> This patch adds a graft for Python:
>
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke 
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.
> ---
>  gnu/local.mk  |  1 +
>  .../patches/python-CVE-2018-14647.patch   | 61 +++
>  gnu/packages/python.scm   | 16 +++--
>  3 files changed, 74 insertions(+), 4 deletions(-)
>  create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 61e5913a0..df16f85db 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1075,6 +1075,7 @@ dist_patch_DATA =   
> \
>%D%/packages/patches/python-3-deterministic-build-info.patch   \
>%D%/packages/patches/python-3-search-paths.patch   \
>%D%/packages/patches/python-3-fix-tests.patch  \
> +  %D%/packages/patches/python-CVE-2018-14647.patch   \
>%D%/packages/patches/python-axolotl-AES-fix.patch  \
>%D%/packages/patches/python-cairocffi-dlopen-path.patch\
>%D%/packages/patches/python-fix-tests.patch\
> diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch 
> b/gnu/packages/patches/python-CVE-2018-14647.patch
> new file mode 100644
> index 0..24f8d2182
> --- /dev/null
> +++ b/gnu/packages/patches/python-CVE-2018-14647.patch
> @@ -0,0 +1,61 @@
> +Fix CVE-2018-14647:
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
> +https://bugs.python.org/issue34623
> +
> +Taken from upstream:
> +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
> +
> +diff --git Include/pyexpat.h Include/pyexpat.h
> +index 44259bf6d7..07020b5dc9 100644
> +--- Include/pyexpat.h
>  Include/pyexpat.h
> +@@ -3,7 +3,7 @@
> + 
> + /* note: you must import expat.h before importing this module! */
> + 
> +-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
> ++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
> + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
> + 
> + struct PyExpat_CAPI
> +@@ -48,6 +48,8 @@ struct PyExpat_CAPI
> + enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char 
> *encoding);
> + int (*DefaultUnknownEncodingHandler)(
> + void *encodingHandlerData, const XML_Char *name, XML_Encoding 
> *info);
> ++/* might be none for expat < 2.1.0 */
> ++int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
> + /* always add new stuff to the end! */
> + };
> + 
> +diff --git Modules/_elementtree.c Modules/_elementtree.c
> +index 707ab2912b..53f05f937f 100644
> +--- Modules/_elementtree.c
>  Modules/_elementtree.c
> +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject 
> *self, PyObject *html,
> + PyErr_NoMemory();
> + return -1;
> + }
> ++/* expat < 2.1.0 has no XML_SetHashSalt() */
> ++if (EXPAT(SetHashSalt) != NULL) {
> ++EXPAT(SetHashSalt)(self->parser,
> ++   (unsigned long)_Py_HashSecret.expat.hashsalt);
> ++}
> + 
> + if (target) {
> + Py_INCREF(target);
> +diff --git Modules/pyexpat.c Modules/pyexpat.c
> +index 47c3e86c20..aa21d93c11 100644
> +--- Modules/pyexpat.c
>  Modules/pyexpat.c
> +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
> + capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
> + capi.SetEncoding = XML_SetEncoding;
> + capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
> ++#if XML_COMBINED_VERSION >= 20100
> ++capi.SetHashSalt = XML_SetHashSalt;
> ++#else
> ++capi.SetHashSalt = NULL;
> ++#endif
> + 
> + /* export using capsule */
> + capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
> diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
> index 4703d95a2..5ee3db6bf 100644
> --- a/gnu/packages/python.scm
> +++ b/gnu/packages/python.scm
> @@ -357,6 +357,7 @@ data types.")
>(package (inherit python-2)
>  (name "python")
>  (version "3.6.5")
> +(replacement python-3/fixed)
>  (source (origin
>(method url-fetch)
>(uri (string-append "https://www.python.org/ftp/python/";
> @@ -456,6 +457,14 @@ data types.")
>  ;; Current 3.x version.
>  (define-public python-3 python-3.6)
>  
> +(define python-3/fixed
> +  (package
> +(inherit python-3)
> +(source (origin
> +  (inherit (package-source python-3))
> +  (patches (append (origin-patches (package-source python-3))
> +   

bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802

2018-10-06 Thread Marius Bakke
Leo Famulari  writes:

> Here are some bugs that apply to our Python 2.7.14 package.
>
> CVE-2018-1060 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
>
> CVE-2018-1061 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
>
> CVE-2018-14647 (fixed in unreleased CPython commit
> 18b20bad75b4ff0486940fba4ec680e96e70f3a2):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
>
> CVE-2018-1000802 (fixed in unreleased CPython commit
> d8b103b8b3ef9644805341216963a64098642435):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Here is a patch that should fix these:

From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
From: Marius Bakke 
Date: Sat, 6 Oct 2018 18:50:47 +0200
Subject: [PATCH] gnu: python2: Add upstream security fixes.

This addresses CVE-2018-{1060,1061,14647,1000802}.

* gnu/packages/patches/python2-CVE-2018-1000802.patch,
gnu/packages/patches/python2-CVE-2018-1060.patch,
gnu/packages/patches/python2-CVE-2018-1061.patch,
gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-2/fixed): New variable.
(python-2.7)[replacement]: New field.
(python2-minimal): Use PACKAGE/INHERIT.
---
 gnu/local.mk  |  4 ++
 .../patches/python2-CVE-2018-1000802.patch| 47 ++
 .../patches/python2-CVE-2018-1060.patch   | 20 ++
 .../patches/python2-CVE-2018-1061.patch   | 20 ++
 .../patches/python2-CVE-2018-14647.patch  | 61 +++
 gnu/packages/python.scm   | 15 -
 6 files changed, 166 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1000802.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1060.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1061.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-14647.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index df16f85db..e77f21db5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1067,6 +1067,10 @@ dist_patch_DATA =		\
   %D%/packages/patches/pygpgme-disable-problematic-tests.patch  \
   %D%/packages/patches/pyqt-configure.patch			\
   %D%/packages/patches/pyqt-public-sip.patch			\
+  %D%/packages/patches/python2-CVE-2018-1060.patch		\
+  %D%/packages/patches/python2-CVE-2018-1061.patch		\
+  %D%/packages/patches/python2-CVE-2018-14647.patch		\
+  %D%/packages/patches/python2-CVE-2018-1000802.patch		\
   %D%/packages/patches/python-2-deterministic-build-info.patch	\
   %D%/packages/patches/python-2.7-adjust-tests.patch		\
   %D%/packages/patches/python-2.7-search-paths.patch		\
diff --git a/gnu/packages/patches/python2-CVE-2018-1000802.patch b/gnu/packages/patches/python2-CVE-2018-1000802.patch
new file mode 100644
index 0..0d5bc77c8
--- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1000802.patch
@@ -0,0 +1,47 @@
+Fix CVE-2018-1000802:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
+
+Taken from upstream commit (sans NEWS):
+https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435
+
+diff --git a/Lib/shutil.py b/Lib/shutil.py
+index 3462f7c5e9..0ab1a06f52 100644
+--- a/Lib/shutil.py
 b/Lib/shutil.py
+@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
+ 
+ return archive_name
+ 
+-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
+ # XXX see if we want to keep an external call here
+ if verbose:
+ zipoptions = "-r"
+ else:
+ zipoptions = "-rq"
+-from distutils.errors import DistutilsExecError
+-from distutils.spawn import spawn
++cmd = ["zip", zipoptions, zip_filename, base_dir]
++if logger is not None:
++logger.info(' '.join(cmd))
++if dry_run:
++return
++import subprocess
+ try:
+-spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
+-except DistutilsExecError:
++subprocess.check_call(cmd)
++except subprocess.CalledProcessError:
+ # XXX really should distinguish between "couldn't find
+ # external 'zip' command" and "zip failed".
+ raise ExecError, \
+@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
+ zipfile = None
+ 
+ if zipfile is None:
+-_call_external_zip(base_dir, zip_filename, verbose, dry_run)
++_call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
+ else:
+ if logger is not None:
+ logger.info("creating '%s' and adding '%s' to it",
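Review bot: In _call_external_zip, the new handler catches only subprocess.CalledProcessError, which check_call raises for a non-zero exit status; when the zip executable is missing, check_call raises OSError instead, and that now propagates to the caller rather than being turned into ExecError. The XXX comment right under the except line already asks for those two cases to be told apart, so catching OSError there and raising ExecError with a distinct message would close that gap. The new signature also drops the defaults for verbose and dry_run, so any caller other than _make_zipfile would need updating; only that one call site is visible in this hunk.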
diff --git a/gnu/packages/patches/python2-CVE-2018-1060.patch b/gnu/packages/patches/python2-CVE-2018-1060.patch
new file mode 100644
index 0..5eb7ccfbc
--- 

bug#32949: Go 1.11 keeps references to bootstrap Go, many other packages

2018-10-06 Thread Gábor Boskovits
Hello Leo,

I have found a possible source of the references.
In the package output, in the pkg/obj/go-build directory, there is a huge
amount of test logs, and the bootstrap Go is stat-ed during these tests.
See for example the file pkg/obj/go-build/f7/f749...

I'm not very much into Go, but I believe that these should not be needed.

Gábor Boskovits wrote (on Fri, Oct 5, 2018, 20:08):

> Hello Leo,
>
> Leo Famulari wrote (on Fri, Oct 5, 2018, 19:02):
>
>> We should figure out what's happening here and clean it up as a
>> prerequisite to switching our default Go to 1.11.
>>
>> Go 1.11:
>>
>> $ guix gc --references
>> /gnu/store/4d3gc2qjfi7n87ljs7mbn9y9zplj5spw-go-1.11.1
>> /gnu/store/2b2md66fbzyspsmd5dj6zkj9hilac40r-tzdata-2018e
>> /gnu/store/2vggh6ka830b73vaw6mc8krqwk59fw9m-sed-4.5
>> /gnu/store/4d3gc2qjfi7n87ljs7mbn9y9zplj5spw-go-1.11.1
>> /gnu/store/5rxdjbk8h0bh1hbaan8y8ib13va2bcmw-net-base-5.3
>> /gnu/store/63gkgnixg6xj3m9cgl25ib2zxl51ngw0-coreutils-8.29
>> /gnu/store/6zz27h4l21b8f2mifrk9sidvib9cns2i-perl-5.26.1
>> /gnu/store/b5x786d3h552j2zp4ppvlz9dkbiqy2ng-ld-wrapper-0
>> /gnu/store/cyw1s5q7s7ql0vwkf34rzjb0cr6w1qnp-findutils-4.6.0
>> /gnu/store/dk23rrx1nycghfqr32qpcn261pl0gyp4-xz-5.2.3
>> /gnu/store/fbalwbm4yqldbfvcpaa2plhk4z7vszlz-gawk-4.2.1
>> /gnu/store/hxj9mdzhbjxmfj536crfscc0fhwwz4vy-tar-1.30
>> /gnu/store/i69323v107s0jj1l2vflwji1md537agi-grep-3.1
>> /gnu/store/iwfrjby868bx7fcc6mfl2z098j21ky5k-diffutils-3.6
>> /gnu/store/kc3xgspiq86ry6spyw874qk6pbxfpjx2-gzip-1.9
>> /gnu/store/l4lr0f5cjd0nbsaaf8b5dmcw1a1yypr3-glibc-2.27
>> /gnu/store/mkpys23vssbw4qnmg465s2swmnp49sk3-go-1.4.3
>> /gnu/store/nx21fqlb8jixwhbs83xlfp9a3h5p3g9a-make-4.2.1
>> /gnu/store/pp0bakrbyv9xmp1kyv2114l19s11b74z-gcc-6.4.0-lib
>> /gnu/store/q98l02i6wjw3v0x8vbp42ng8wwwxrb4g-patch-2.7.6
>> /gnu/store/qhxgdgyiyq2ilvh17fqfw0njpqlg4gsc-file-5.32
>> /gnu/store/qvwvwbfz2hmjm0spz92sn1w3r5r8l2f8-bzip2-1.0.6
>> /gnu/store/rbrandv7anzjxqkr40d7fkanzssslk4b-bash-minimal-4.4.19
>> /gnu/store/srmqh29dpm50j8kj1pbqg2rgh053wgyp-binutils-2.30
>> /gnu/store/vjxqhnn5vf223prpkq6yk3vcjlvqdx15-pkg-config-0.29.2
>> /gnu/store/zd7wa5llagjg5iqjh2ri2c25j1gpzjz1-which-2.21
>> /gnu/store/zrhwhlqqk51qslbddk4cip2z2p3fpvxd-gcc-5.5.0
>>
>>
> Last time I have seen this kind of thing it was because our strip phase in
> gnu-build-system strips only some directories, and
> the package had binaries in a directory not on that list, so there
> remained references. Could you check if this is the case here?
> I was trying to check this myself, but I am having problems with my
> network, and the go downloads fail.
>
>
>> Go 1.9:
>>
>> $ guix gc --references
>> /gnu/store/j8gs5gh6fkhby3lcajyl07n93rv90i31-go-1.9.7
>> /gnu/store/2b2md66fbzyspsmd5dj6zkj9hilac40r-tzdata-2018e
>> /gnu/store/5rxdjbk8h0bh1hbaan8y8ib13va2bcmw-net-base-5.3
>> /gnu/store/63gkgnixg6xj3m9cgl25ib2zxl51ngw0-coreutils-8.29
>> /gnu/store/6zz27h4l21b8f2mifrk9sidvib9cns2i-perl-5.26.1
>> /gnu/store/j8gs5gh6fkhby3lcajyl07n93rv90i31-go-1.9.7
>> /gnu/store/l4lr0f5cjd0nbsaaf8b5dmcw1a1yypr3-glibc-2.27
>> /gnu/store/pp0bakrbyv9xmp1kyv2114l19s11b74z-gcc-6.4.0-lib
>> /gnu/store/rbrandv7anzjxqkr40d7fkanzssslk4b-bash-minimal-4.4.19
>> /gnu/store/vla5j7pbkpcp39lsdfsmz7m9azn48lr4-gcc-5.5.0-lib
>> /gnu/store/zrhwhlqqk51qslbddk4cip2z2p3fpvxd-gcc-5.5.0
>>
>
> Best regards,
> g_bor
>

Best regards,
g_bor


bug#32960: icedtea not reproducible

2018-10-06 Thread Danny Milosavljevic
< 
---
> 
diff -r 
/gnu/store/jz27ll2yb5cf2ihkjw58sx92gpw2pana-icedtea-3.7.0-doc/share/doc/icedtea/jre/api/security/smartcardio/spec/serialized-form.html
 
/gnu/store/jz27ll2yb5cf2ihkjw58sx92gpw2pana-icedtea-3.7.0-doc-check/share/doc/icedtea/jre/api/security/smartcardio/spec/serialized-form.html

