1 files changed, 9 insertions, 3 deletions
diff --git a/src/perform_queries.py b/src/perform_queries.py
index 1d20b13..aae71aa 100755
--- a/src/perform_queries.py
+++ b/src/perform_queries.py
@@ -7,7 +7,7 @@ import unbound
 import psycopg2
 
 # our own module used by several scripts in the project
-from ztdnslib import start_db_connection, get_ztdns_config
+from ztdnslib import start_db_connection, get_ztdns_config, log
 
 class dns_queries:
     def __init__(self, dns_IP, dns_id, services):
@@ -58,6 +58,8 @@ def query_planned_queries(cursor, hour, vpn_id):
     return dnss_to_query
 
 def resolve_call_back(mydata, status, result):
+    global dups
+
     query = mydata
     # debugging
     print("callback called for {}".format(result.qname))
@@ -95,10 +97,11 @@ def resolve_call_back(mydata, status, result):
         # Unique constraint is stopping us from adding duplicates;
         # This is most likey because back-end has been run multiple times
         # during the same hour (bad configuration or admin running manually
-        # after cron)
-        pass
+        # after cron), we'll write to logs about that.
+        dups = True
     # no committing, since auto-commit mode is set on the connection
 
+dups = False
 hour = argv[1]
 vpn_id = argv[2]
 config = get_ztdns_config()
@@ -146,3 +149,6 @@ for thread in threads:
 
 cursor.close()
 connection.close()
+
+if dups:
+    log('results already exist for vpn {}'.format(vpn_id))
diff --git a/doc/build.scm b/doc/build.scm
index 2cd57b4a92..9ab2ca32d2 100644
--- a/doc/build.scm
+++ b/doc/build.scm
@@ -365,7 +365,7 @@ actual file name."
                                                             #:languages
                                                             languages))
                                   (syntax-css-url
-                                   "/static/base/css/code.css"))
+                                   "/themes/initial/css/code.css"))
   "Return a derivation called NAME that processes all the HTML files in INPUT
 to (1) add them a link to SYNTAX-CSS-URL, and (2) highlight the syntax of all
 its <pre class=\"lisp\"> blocks (as produced by 'makeinfo --html')."
@@ -624,7 +624,7 @@ its <pre class=\"lisp\"> blocks (as produced by 'makeinfo --html')."
                         #:key
                         (languages %languages)
                         (manual %manual)
-                        (manual-css-url "/static/base/css/manual.css"))
+                        (manual-css-url "/themes/initial/css/manual.css"))
   "Process all the HTML files in INPUT; add them MANUAL-CSS-URL as a <style>
 link, and add a menu to choose among LANGUAGES.  Use the Guix PO files found
 in SOURCE."
@@ -741,7 +741,7 @@ in SOURCE."
                             (list (menu-dropdown
                                    #:label
                                    `(img (@ (alt "Language")
-                                            (src "/static/base/img/language-picker.svg")))
+                                            (src "/themes/initial/img/language-picker.svg")))
                                    #:items
                                    (language-menu-items file)))
                             #:split-node? split-node?)
@@ -1141,16 +1141,16 @@ must be the Guix top-level source directory, from which PO files are taken."
                     ;; Menu prefetch.
                     (link (@ (rel "prefetch") (href ,(guix-url "menu/index.html"))))
                     ;; Base CSS.
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/elements.css"))))
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/common.css"))))
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/messages.css"))))
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/navbar.css"))))
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/breadcrumbs.css"))))
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/buttons.css"))))
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/footer.css"))))
-
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/page.css"))))
-                    (link (@ (rel "stylesheet") (href ,(guix-url "static/base/css/post.css")))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/elements.css"))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/common.css"))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/messages.css"))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/navbar.css"))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/breadcrumbs.css"))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/buttons.css"))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/footer.css"))))
+
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/page.css"))))
+                    (link (@ (rel "stylesheet") (href ,(guix-url "themes/initial/css/post.css")))))
                    (body
                     (header (@ (class "navbar"))
                             (h1 (a (@ (class "branding")
diff --git a/doc/guix.texi b/doc/guix.texi
index 5d7906f57b..a3ba7164eb 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2728,20 +2728,20 @@ the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
 @code{man cryptsetup}} for more information).
 
 @quotation Warning
-Note that GRUB can unlock LUKS2 devices since version 2.06, but only
-supports the PBKDF2 key derivation function, which is not the default
-for @command{cryptsetup luksFormat}.  You can check which key derivation
-function is being used by a device by running @command{cryptsetup
-luksDump @var{device}}, and looking for the PBKDF field of your
-keyslots.
+While efforts are in progress to extend support to LUKS2, please note
+that Guix only supports devices of type LUKS1 at the moment. You can
+verify that your existing LUKS device is of the right type by running
+@command{cryptsetup luksDump @var{device}}. Alternatively, you can
+create a new LUKS1 device with @command{cryptsetup luksFormat --type
+luks1 @var{device}}.
 @end quotation
 
 Assuming you want to store the root partition on @file{/dev/sda2}, the
-command sequence to format it as a LUKS2 partition would be along these
+command sequence to format it as a LUKS1 partition would be along these
 lines:
 
 @example
-cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
+cryptsetup luksFormat --type luks1 /dev/sda2
 cryptsetup open /dev/sda2 my-partition
 mkfs.ext4 -L my-root /dev/mapper/my-partition
 @end example
diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in
index 9dbc3b5678..5e75379b5e 100644
--- a/etc/guix-daemon.service.in
+++ b/etc/guix-daemon.service.in
@@ -9,8 +9,8 @@ Description=Build daemon for GNU Guix
 ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \
     --build-users-group=guixbuild --discover=no
 Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
-StandardOutput=syslog
-StandardError=syslog
+StandardOutput=journal
+StandardError=journal
 
 # Work around a nasty systemd ‘feature’ that kills the entire process tree
 # (including the daemon!) if any child, such as cc1plus, runs out of memory.
diff --git a/etc/guix-publish.service.in b/etc/guix-publish.service.in
index b8fd3b4c03..0d82e73d94 100644
--- a/etc/guix-publish.service.in
+++ b/etc/guix-publish.service.in
@@ -11,8 +11,8 @@ After=guix-daemon.service
 [Service]
 ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix publish --user=nobody --port=8181
 Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
-StandardOutput=syslog
-StandardError=syslog
+StandardOutput=journal
+StandardError=journal
 
 # Despite the name, this is rate-limited: a broken daemon will eventually fail.
 Restart=always
diff --git a/etc/news.scm b/etc/news.scm
index b4e8697bf7..9443475455 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -1,6 +1,6 @@
 ;; GNU Guix news, for use by 'guix pull'.
 ;;
-;; Copyright © 2019-2023 Ludovic Courtès <ludo@gnu.org>
+;; Copyright © 2019-2024 Ludovic Courtès <ludo@gnu.org>
 ;; Copyright © 2019–2021 Tobias Geerinckx-Rice <me@tobias.gr>
 ;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835@gmail.com>
 ;; Copyright © 2019, 2020 Konrad Hinsen <konrad.hinsen@fastmail.net>
@@ -103,6 +103,75 @@ configuré et étendu avec des fichiers de configuration de matériel (appelés
          (zh "現可使用 eudev 的硬件配置文件（@dfn{hwdb}）設置及拓展
 @code{udev-service-type}。")))
 
+ (entry (commit "ff1251de0bc327ec478fc66a562430fbf35aef42")
+        (title
+         (en "Daemon vulnerability allowing store corruption has been fixed")
+         (de "Schwachstelle im Daemon behoben, durch die der Store verfälscht werden konnte")
+         (fr "Une faille du démon permettant de corrompre le dépôt a été corrigée"))
+        (body
+         (en "A vulnerability in the build daemon, @command{guix-daemon}, was
+identified and fixed.  The vulnerability would allow unprivileged users to
+corrupt the result of @dfn{fixed-output derivations} such as source code
+tarballs and Git checkouts, which in turn could lead to local privilege
+escalation.
+
+This bug is fixed and Guix System users are advised to upgrade their system,
+with a command along the lines of:
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+If you are using Guix on another distro, run @command{info \"(guix) Upgrading
+Guix\"} or visit
+@uref{https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html} to
+learn how to upgrade Guix.
+
+See @uref{https://issues.guix.gnu.org/69728} for more information on this
+issue.")
+         (de "Eine Sicherheitslücke im Erstellungs-Daemon,
+@command{guix-daemon}, wurde gefunden und geschlossen.  Sie hatte es
+unprivilegierten Nutzern ermöglicht, das Ergebnis einer @dfn{Ableitung mit
+fester Ausgabe}, wie Quellcode-Tarballs und Git-Checkouts, zu manipulieren.
+So war eine lokale Rechteausweitung möglich.
+
+Der Fehler ist behoben und wir raten Nutzern von Guix System, ihr System zu
+aktualisieren mit einem Befehl wie:
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+Wenn Sie Guix auf einer anderen Distribution verwenden, erfahren Sie mit dem
+Befehl @command{info \"(guix.de) Aktualisieren von Guix\"} oder auf
+@uref{https://guix.gnu.org/manual/devel/de/html_node/Aktualisieren-von-Guix.html},
+wie Sie Guix aktualisieren.
+
+Siehe @uref{https://issues.guix.gnu.org/69728} für mehr Informationen zu dem
+Fehler.")
+         (fr "Une faille de sécurité du démon de compilation,
+@command{guix-daemon}, a été identifiée et corrigée.  La faille permettait à
+un·e utilisateur·rice sans privilège de corrompre le résultat d'une
+@dfn{dérivation à sortie fixe} telle qu'une archive ou un @i{checkout} Git, ce
+qui peut ensuite permettre une élévation locale de privilèges.
+
+Ce problème est corrigé et les utilisateur·rices de Guix System sont invité·es
+à mettre à jour leur système avec une commande telle que :
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+Pour voir comment mettre à jour Guix sur une autre distribution, lancer
+@command{info \"(guix.fr) Mettre à niveau Guix\"} ou visiter
+@uref{https://guix.gnu.org/manual/devel/fr/html_node/Mettre-a-niveau-Guix.html}.
+
+Voir @uref{https://issues.guix.gnu.org/69728} pour plus d'informations sur
+cette anomalie.")))
+
  (entry (commit "10a193596368443f441077525ebbddf787d91e4b")
         (title
           (en "Linux-libre 4.14 removed due to end of upstream support")
diff --git a/etc/teams.scm b/etc/teams.scm
index ac2886a6eb..570793b539 100755
--- a/etc/teams.scm
+++ b/etc/teams.scm
@@ -587,6 +587,10 @@ GLib/GIO, GTK, GStreamer and Webkit."
                        "andreas@enge.fr")
   lxqt science tex)
 
+(define-member (person "Tanguy Le Carrour"
+                       "tanguy@bioneland.org")
+  python home)
+
 (define-member (person "Tobias Geerinckx-Rice"
                        "me@tobias.gr")
   core kernel mentors)
diff --git a/etc/time-travel-manifest.scm b/etc/time-travel-manifest.scm
index 80c4c7c346..039ca89889 100644
--- a/etc/time-travel-manifest.scm
+++ b/etc/time-travel-manifest.scm
@@ -66,21 +66,19 @@
 
 (define %release-commits
   ;; Release commits: the list of version/commit pairs.
+  ;;
+  ;; Note: To merely compute the derivation of these revisions, we need to be
+  ;; able to build their dependencies.  Some of them no longer build from
+  ;; source due to time traps like <https://issues.guix.gnu.org/58650>; those
+  ;; need to be built beforehand in a virtual build machine running "in the
+  ;; past".
   '(("1.4.0" . "8e2f32cee982d42a79e53fc1e9aa7b8ff0514714")
     ("1.3.0" . "a0178d34f582b50e9bdbb0403943129ae5b560ff")
-
-    ;; FIXME: To merely compute the derivation of these revisions, we need to
-    ;; be able to build their dependencies.  However, pre-built binaries are
-    ;; currently missing and some of these no longer build from source due to
-    ;; time bombs like <https://issues.guix.gnu.org/58650>.  Thus, comment
-    ;; them output until we have substitutes for these old things.
-
-    ;; ("1.2.0" . "a099685659b4bfa6b3218f84953cbb7ff9e88063")
-    ;; ("1.1.0" . "d62c9b2671be55ae0305bebfda17b595f33797f2")
-    ;; ("1.0.1" . "d68de958b60426798ed62797ff7c96c327a672ac")
-    ;; ("1.0.0" . "6298c3ffd9654d3231a6f25390b056483e8f407c")
-    ;; ("0.16.0" . "4a0b87f0ec5b6c2dcf82b372dd20ca7ea6acdd9c")
-    ))
+    ("1.2.0" . "a099685659b4bfa6b3218f84953cbb7ff9e88063")
+    ("1.1.0" . "d62c9b2671be55ae0305bebfda17b595f33797f2")
+    ("1.0.1" . "d68de958b60426798ed62797ff7c96c327a672ac")
+    ("1.0.0" . "6298c3ffd9654d3231a6f25390b056483e8f407c")
+    ("0.16.0" . "4a0b87f0ec5b6c2dcf82b372dd20ca7ea6acdd9c")))
 
 (manifest
  (map (match-lambda
diff --git a/gnu/local.mk b/gnu/local.mk
index 5546e33465..2e269faf51 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -426,6 +426,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/lisp-check.scm			\
   %D%/packages/lisp-xyz.scm			\
   %D%/packages/llvm.scm				\
+  %D%/packages/llvm-meta.scm			\
   %D%/packages/lout.scm				\
   %D%/packages/logging.scm			\
   %D%/packages/logo.scm				\
@@ -488,6 +489,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/ntp.scm				\
   %D%/packages/nutrition.scm			\
   %D%/packages/nvi.scm				\
+  %D%/packages/nx.scm				\
   %D%/packages/ocaml.scm			\
   %D%/packages/ocr.scm				\
   %D%/packages/openkinect.scm			\
@@ -1044,6 +1046,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clang-15.0-libc-search-path.patch	\
   %D%/packages/patches/clang-16.0-libc-search-path.patch	\
   %D%/packages/patches/clang-17.0-libc-search-path.patch	\
+  %D%/packages/patches/clang-17.0-link-dsymutil-latomic.patch	\
   %D%/packages/patches/clang-runtime-asan-build-fixes.patch	\
   %D%/packages/patches/clang-runtime-esan-build-fixes.patch	\
   %D%/packages/patches/clang-runtime-9-libsanitizer-mode-field.patch	\
@@ -1520,6 +1523,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/julia-Use-MPFR-4.2.patch	                \
   %D%/packages/patches/libcall-ui-make-it-installable.patch	\
   %D%/packages/patches/libcss-check-format.patch		\
+  %D%/packages/patches/libextractor-tidy-support.patch		\
   %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch	\
   %D%/packages/patches/libgeotiff-fix-tests-with-proj-9.1.1.patch	\
   %D%/packages/patches/libgeotiff-fix-tests-with-proj-9.3.0.patch	\
@@ -1811,7 +1815,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-feedparser-missing-import.patch	\
   %D%/packages/patches/python-louvain-fix-test.patch		\
   %D%/packages/patches/python-random2-getrandbits-test.patch		\
-  %D%/packages/patches/python-poppler-qt5-fix-build.patch	\
   %D%/packages/patches/python-pyreadstat-link-libiconv.patch	\
   %D%/packages/patches/python-pyls-black-41.patch		\
   %D%/packages/patches/python-pypdf-annotate-tests-appropriately.patch	\
@@ -2004,6 +2007,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ruby-latex-decode-fix-test.patch		\
   %D%/packages/patches/ruby-mustache-1.1.1-fix-race-condition-tests.patch \
   %D%/packages/patches/ruby-nokogiri.patch			\
+  %D%/packages/patches/ruby-x25519-automatic-fallback-non-x86_64.patch \
   %D%/packages/patches/rustc-1.54.0-src.patch			\
   %D%/packages/patches/rust-1.64-fix-riscv64-bootstrap.patch	\
   %D%/packages/patches/rust-1.70-fix-rustix-build.patch	\
diff --git a/gnu/packages/bioconductor.scm b/gnu/packages/bioconductor.scm
index 4dc7000250..0aa1635e6a 100644
--- a/gnu/packages/bioconductor.scm
+++ b/gnu/packages/bioconductor.scm