guix - Wojtek's customized Guix

about summary refs log tree commit diff

#!/bin/sh
# Create the build system.

set -e -x

# Generate stubs for translations.
langs=`find po/doc -type f -name 'guix-manual*.po' \
        | sed -e 's,.*/guix-manual\.,,;s,\.po$,,'`
for lang in ${langs}; do
    if [ ! -e "doc/guix.${lang}.texi" ]; then
	echo "@setfilename guix.${lang}.info" > "doc/guix.${lang}.texi"
	echo "@include version-${lang}.texi" >> "doc/guix.${lang}.texi"
	# Ensure .po file is newer.
	touch "po/doc/guix-manual.${lang}.po"
    fi
done
langs=`find po/doc -type f -name 'guix-cookbook*.po' \
        | sed -e 's,.*/guix-cookbook\.,,;s,\.po$,,'`
for lang in ${langs}; do
    if [ ! -e "doc/guix-cookbook.${lang}.texi" ]; then
	echo "@setfilename guix-cookbook.${lang}.info" > "doc/guix-cookbook.${lang}.texi"
	# Ensure .po file is newer.
	touch "po/doc/guix-cookbook.${lang}.po"
    fi
done

autoreconf -vfi

# Replace Automake's build-aux/mdate-sh with build-aux/mdate-from-git, our
# own, reproducible version.
chmod +w build-aux/mdate-sh
rm -f build-aux/mdate-sh
ln -s mdate-from-git.scm build-aux/mdate-sh

tcoming in previous security fix for CVE-2024-27297.Ludovic Courtès This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156 2024-03-11daemon: Protect against FD escape when building fixed-output derivations ↵Ludovic Courtès (CVE-2024-27297). This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process for instance over an abstract AF_UNIX socket, which would then allow said process to modify the file in the store after it has been marked as “valid”. Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the ‘Path’ variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’ is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output. Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4 Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88 2023-01-09daemon: Improve error message for wrong hash sizes.Ludovic Courtès * nix/libutil/hash.cc (parseHash): Show the hash algorithm name and expected size in the error message. * tests/derivations.scm ("fixed-output derivation, invalid hash size"): New test. 2022-12-18daemon: Make "opening file" error messages distinguishable.Ludovic Courtès * nix/libstore/build.cc (DerivationGoal::openLogFile): Customize "opening file" error message. * nix/libutil/hash.cc (hashFile): Likewise. * nix/libutil/util.cc (readFile, writeFile): Likewise.