author | Liliana Marie Prikler <liliana.prikler@gmail.com> | 2024-03-27 05:22:31 +0100 |
---|---|---|
committer | Liliana Marie Prikler <liliana.prikler@gmail.com> | 2024-03-27 05:22:31 +0100 |
commit | 4c70f5242befb5786cb437559a4d8701e630bd29 (patch) | |
tree | dbbff437004184d50c9a53f6c4897a85361aceb1 /etc | |
parent | a9e65e0341d5045e425e3cf8d741a3d13cfa35a1 (diff) | |
parent | 929ddec8f4a181be653152c7436581c2adc54eee (diff) | |
Merge branch 'master' into emacs-team
Diffstat (limited to 'etc')
-rw-r--r-- | etc/guix-daemon.service.in | 4 | ||||
-rw-r--r-- | etc/guix-publish.service.in | 4 | ||||
-rw-r--r-- | etc/news.scm | 71 | ||||
-rwxr-xr-x | etc/teams.scm | 4 | ||||
-rw-r--r-- | etc/teams/qt/common.scm | 4 | ||||
-rw-r--r-- | etc/teams/qt/qt-manifest.scm | 4 | ||||
-rw-r--r-- | etc/teams/qt/qt5-manifest.scm | 4 | ||||
-rw-r--r-- | etc/time-travel-manifest.scm | 24 |
8 files changed, 89 insertions, 30 deletions
diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in
index 9dbc3b5678..5e75379b5e 100644
--- a/etc/guix-daemon.service.in
+++ b/etc/guix-daemon.service.in
@@ -9,8 +9,8 @@ Description=Build daemon for GNU Guix
 ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \
     --build-users-group=guixbuild --discover=no
 Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
-StandardOutput=syslog
-StandardError=syslog
+StandardOutput=journal
+StandardError=journal
 
 # Work around a nasty systemd ‘feature’ that kills the entire process tree
 # (including the daemon!) if any child, such as cc1plus, runs out of memory.
diff --git a/etc/guix-publish.service.in b/etc/guix-publish.service.in
index b8fd3b4c03..0d82e73d94 100644
--- a/etc/guix-publish.service.in
+++ b/etc/guix-publish.service.in
@@ -11,8 +11,8 @@ After=guix-daemon.service
 [Service]
 ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix publish --user=nobody --port=8181
 Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
-StandardOutput=syslog
-StandardError=syslog
+StandardOutput=journal
+StandardError=journal
 
 # Despite the name, this is rate-limited: a broken daemon will eventually fail.
 Restart=always
diff --git a/etc/news.scm b/etc/news.scm
index 3e8c88499f..ab7fa4c0d5 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -1,6 +1,6 @@
 ;; GNU Guix news, for use by 'guix pull'.
 ;;
-;; Copyright © 2019-2023 Ludovic Courtès <ludo@gnu.org>
+;; Copyright © 2019-2024 Ludovic Courtès <ludo@gnu.org>
 ;; Copyright © 2019–2021 Tobias Geerinckx-Rice <me@tobias.gr>
 ;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835@gmail.com>
 ;; Copyright © 2019, 2020 Konrad Hinsen <konrad.hinsen@fastmail.net>
@@ -28,6 +28,75 @@
 (channel-news
  (version 0)
 
+ (entry (commit "ff1251de0bc327ec478fc66a562430fbf35aef42")
+  (title
+   (en "Daemon vulnerability allowing store corruption has been fixed")
+   (de "Schwachstelle im Daemon behoben, durch die der Store verfälscht werden konnte")
+   (fr "Une faille du démon permettant de corrompre le dépôt a été corrigée"))
+  (body
+   (en "A vulnerability in the build daemon, @command{guix-daemon}, was
+identified and fixed. The vulnerability would allow unprivileged users to
+corrupt the result of @dfn{fixed-output derivations} such as source code
+tarballs and Git checkouts, which in turn could lead to local privilege
+escalation.
+
+This bug is fixed and Guix System users are advised to upgrade their system,
+with a command along the lines of:
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+If you are using Guix on another distro, run @command{info \"(guix) Upgrading
+Guix\"} or visit
+@uref{https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html} to
+learn how to upgrade Guix.
+
+See @uref{https://issues.guix.gnu.org/69728} for more information on this
+issue.")
+   (de "Eine Sicherheitslücke im Erstellungs-Daemon,
+@command{guix-daemon}, wurde gefunden und geschlossen. Sie hatte es
+unprivilegierten Nutzern ermöglicht, das Ergebnis einer @dfn{Ableitung mit
+fester Ausgabe}, wie Quellcode-Tarballs und Git-Checkouts, zu manipulieren.
+So war eine lokale Rechteausweitung möglich.
+
+Der Fehler ist behoben und wir raten Nutzern von Guix System, ihr System zu
+aktualisieren mit einem Befehl wie:
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+Wenn Sie Guix auf einer anderen Distribution verwenden, erfahren Sie mit dem
+Befehl @command{info \"(guix.de) Aktualisieren von Guix\"} oder auf
+@uref{https://guix.gnu.org/manual/devel/de/html_node/Aktualisieren-von-Guix.html},
+wie Sie Guix aktualisieren.
+
+Siehe @uref{https://issues.guix.gnu.org/69728} für mehr Informationen zu dem
+Fehler.")
+   (fr "Une faille de sécurité du démon de compilation,
+@command{guix-daemon}, a été identifiée et corrigée. La faille permettait à
+un·e utilisateur·rice sans privilège de corrompre le résultat d'une
+@dfn{dérivation à sortie fixe} telle qu'une archive ou un @i{checkout} Git, ce
+qui peut ensuite permettre une élévation locale de privilèges.
+
+Ce problème est corrigé et les utilisateur·rices de Guix System sont invité·es
+à mettre à jour leur système avec une commande telle que :
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+Pour voir comment mettre à jour Guix sur une autre distribution, lancer
+@command{info \"(guix.fr) Mettre à niveau Guix\"} ou visiter
+@uref{https://guix.gnu.org/manual/devel/fr/html_node/Mettre-a-niveau-Guix.html}.
+
+Voir @uref{https://issues.guix.gnu.org/69728} pour plus d'informations sur
+cette anomalie.")))
+
  (entry (commit "10a193596368443f441077525ebbddf787d91e4b")
   (title
    (en "Linux-libre 4.14 removed due to end of upstream support")
diff --git a/etc/teams.scm b/etc/teams.scm
index ac2886a6eb..570793b539 100755
--- a/etc/teams.scm
+++ b/etc/teams.scm
@@ -587,6 +587,10 @@ GLib/GIO, GTK, GStreamer and Webkit."
                        "andreas@enge.fr")
   lxqt science tex)
 
+(define-member (person "Tanguy Le Carrour"
+                       "tanguy@bioneland.org")
+  python home)
+
 (define-member (person "Tobias Geerinckx-Rice"
                        "me@tobias.gr")
   core kernel mentors)
diff --git a/etc/teams/qt/common.scm b/etc/teams/qt/common.scm
index 8e11ac220b..4735b408d0 100644
--- a/etc/teams/qt/common.scm
+++ b/etc/teams/qt/common.scm
@@ -16,10 +16,6 @@
 ;;; You should have received a copy of the GNU General Public License
 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
 
-;;; This file returns a manifest of packages related to linux-libre.
-;;; Simplistically, it selects packages whose names begin with "linux-libre".
-;;; It is used to assist continuous integration of the kernel packages.
-
 (use-modules (guix packages)
              (guix profiles)
              (guix utils)
diff --git a/etc/teams/qt/qt-manifest.scm b/etc/teams/qt/qt-manifest.scm
index 0d8fa95bfe..22078530a7 100644
--- a/etc/teams/qt/qt-manifest.scm
+++ b/etc/teams/qt/qt-manifest.scm
@@ -16,10 +16,6 @@
 ;;; You should have received a copy of the GNU General Public License
 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
 
-;;; This file returns a manifest of packages related to linux-libre.
-;;; Simplistically, it selects packages whose names begin with "linux-libre".
-;;; It is used to assist continuous integration of the kernel packages.
-
 (load "common.scm")
 
 ;;; Commentary:
diff --git a/etc/teams/qt/qt5-manifest.scm b/etc/teams/qt/qt5-manifest.scm
index 34fdf479bf..2b25888d4b 100644
--- a/etc/teams/qt/qt5-manifest.scm
+++ b/etc/teams/qt/qt5-manifest.scm
@@ -16,10 +16,6 @@
 ;;; You should have received a copy of the GNU General Public License
 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
 
-;;; This file returns a manifest of packages related to linux-libre.
-;;; Simplistically, it selects packages whose names begin with "linux-libre".
-;;; It is used to assist continuous integration of the kernel packages.
-
 (load "common.scm")
 
 ;;; Commentary:
diff --git a/etc/time-travel-manifest.scm b/etc/time-travel-manifest.scm
index 80c4c7c346..039ca89889 100644
--- a/etc/time-travel-manifest.scm
+++ b/etc/time-travel-manifest.scm
@@ -66,21 +66,19 @@
 
 (define %release-commits
   ;; Release commits: the list of version/commit pairs.
+  ;;
+  ;; Note: To merely compute the derivation of these revisions, we need to be
+  ;; able to build their dependencies. Some of them no longer build from
+  ;; source due to time traps like <https://issues.guix.gnu.org/58650>; those
+  ;; need to be built beforehand in a virtual build machine running "in the
+  ;; past".
   '(("1.4.0" . "8e2f32cee982d42a79e53fc1e9aa7b8ff0514714")
     ("1.3.0" . "a0178d34f582b50e9bdbb0403943129ae5b560ff")
-
-    ;; FIXME: To merely compute the derivation of these revisions, we need to
-    ;; be able to build their dependencies. However, pre-built binaries are
-    ;; currently missing and some of these no longer build from source due to
-    ;; time bombs like <https://issues.guix.gnu.org/58650>. Thus, comment
-    ;; them output until we have substitutes for these old things.
-
-    ;; ("1.2.0" . "a099685659b4bfa6b3218f84953cbb7ff9e88063")
-    ;; ("1.1.0" . "d62c9b2671be55ae0305bebfda17b595f33797f2")
-    ;; ("1.0.1" . "d68de958b60426798ed62797ff7c96c327a672ac")
-    ;; ("1.0.0" . "6298c3ffd9654d3231a6f25390b056483e8f407c")
-    ;; ("0.16.0" . "4a0b87f0ec5b6c2dcf82b372dd20ca7ea6acdd9c")
-    ))
+    ("1.2.0" . "a099685659b4bfa6b3218f84953cbb7ff9e88063")
+    ("1.1.0" . "d62c9b2671be55ae0305bebfda17b595f33797f2")
+    ("1.0.1" . "d68de958b60426798ed62797ff7c96c327a672ac")
+    ("1.0.0" . "6298c3ffd9654d3231a6f25390b056483e8f407c")
+    ("0.16.0" . "4a0b87f0ec5b6c2dcf82b372dd20ca7ea6acdd9c")))
 
 (manifest
  (map (match-lambda