author | Marius Bakke <marius@gnu.org> | 2022-08-30 20:18:55 +0200 |
---|---|---|
committer | Marius Bakke <marius@gnu.org> | 2022-08-30 20:18:55 +0200 |
commit | 59c136ef611b7a00683af1d1bb406dbd1af1a2bd (patch) | |
tree | 1ab434580130c7fd11b8ef5c22a91087b8401559 /gnu/packages/patches | |
parent | a6f42953626df657041fddfc36a207b06c38f944 (diff) | |
parent | d62fc2cc837b095ff1a633ae2639513ea3253596 (diff) | |
download | guix-59c136ef611b7a00683af1d1bb406dbd1af1a2bd.tar.gz guix-59c136ef611b7a00683af1d1bb406dbd1af1a2bd.zip |
Merge branch 'staging' into core-updates
Diffstat (limited to 'gnu/packages/patches')
7 files changed, 422 insertions, 0 deletions
diff --git a/gnu/packages/patches/accountsservice-extensions.patch b/gnu/packages/patches/accountsservice-extensions.patch
new file mode 100644
index 0000000000..2cfab580e3
--- /dev/null
+++ b/gnu/packages/patches/accountsservice-extensions.patch
@@ -0,0 +1,25 @@
+Patch from NixOS retrieved from
+https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/accountsservice/drop-prefix-check-extensions.patch.
+
+diff --git a/src/extensions.c b/src/extensions.c
+index 038dcb2..830465d 100644
+--- a/src/extensions.c
++++ b/src/extensions.c
+@@ -121,16 +121,7 @@ daemon_read_extension_directory (GHashTable *ifaces,
+ continue;
+ }
+
+- /* Ensure it looks like "../../dbus-1/interfaces/${name}" */
+- const gchar * const prefix = "../../dbus-1/interfaces/";
+- if (g_str_has_prefix (symlink, prefix) && g_str_equal (symlink + strlen (prefix), name)) {
+- daemon_read_extension_file (ifaces, filename);
+- }
+- else {
+- g_warning ("Found accounts service vendor extension symlink %s, but it must be exactly "
+- "equal to '../../dbus-1/interfaces/%s' for forwards-compatibility reasons.",
+- filename, name);
+- }
++ daemon_read_extension_file (ifaces, filename);
+ }
+
+ g_dir_close (dir);
diff --git a/gnu/packages/patches/gnome-shell-polkit-autocleanup.patch b/gnu/packages/patches/gnome-shell-polkit-autocleanup.patch
new file mode 100644
index 0000000000..08968b83a1
--- /dev/null
+++ b/gnu/packages/patches/gnome-shell-polkit-autocleanup.patch
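Review bot: Dropping the whole check in `daemon_read_extension_directory` also drops the `g_str_equal (..., name)` comparison, so every symlink found in the extensions directory is now handed to `daemon_read_extension_file` whatever it points to, and the patch header records only where the patch came from, not why this is acceptable. I would add a line to the header such as `The "../../dbus-1/interfaces/" prefix cannot match when extensions are symlinks into the store; this relies on the extensions directory being writable only by root.` (the rationale is inferred from the NixOS origin and should be confirmed). If the name match is still wanted it can be kept without the prefix, e.g. `g_autofree gchar *base = g_path_get_basename (symlink);` followed by `if (g_str_equal (base, name)) daemon_read_extension_file (ifaces, filename);`. The function body continues outside the inner hunk.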
@@ -0,0 +1,50 @@
+Don't redefine G_DEFINE_AUTOPTR_CLEANUP_FUNC when available in polkit.
+
+Taken from upstream:
+
+ https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/1d0a08b5e25fea7b0e792ec9798e68a7c5606a75
+
+diff --git a/config.h.meson b/config.h.meson
+index b93fda8727..ff355d3062 100644
+--- a/config.h.meson
++++ b/config.h.meson
+@@ -33,3 +33,6 @@
+
+ /* Define if fdwalk is available in libc */
+ #mesondefine HAVE_FDWALK
++
++/* Define if polkit defines autocleanup functions */
++#mesondefine HAVE_POLKIT_AUTOCLEANUP
+diff --git a/meson.build b/meson.build
+index 42ec01c566..778a34c6ef 100644
+--- a/meson.build
++++ b/meson.build
+@@ -169,6 +169,13 @@ cdata.set('HAVE_FDWALK',
+ cc.has_function('fdwalk')
+ )
+
++polkit_has_autocleanup = cc.compiles(
++ '#define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
++ #include <polkitagent/polkitagent.h>
++ void main(void) { g_autoptr(PolkitAgentListener) agent = NULL; }',
++ dependencies: polkit_dep)
++cdata.set('HAVE_POLKIT_AUTOCLEANUP', polkit_has_autocleanup)
++
+ buildtype = get_option('buildtype')
+ if buildtype != 'plain'
+ all_warnings = [
+diff --git a/src/shell-polkit-authentication-agent.h b/src/shell-polkit-authentication-agent.h
+index 55b46af110..4f14749563 100644
+--- a/src/shell-polkit-authentication-agent.h
++++ b/src/shell-polkit-authentication-agent.h
+@@ -14,8 +14,10 @@
+
+ G_BEGIN_DECLS
+
++#ifndef HAVE_POLKIT_AUTOCLEANUP
+ /* Polkit doesn't have g_autoptr support, thus we have to manually set the autoptr function here */
+ G_DEFINE_AUTOPTR_CLEANUP_FUNC (PolkitAgentListener, g_object_unref)
++#endif
+
+ #define SHELL_TYPE_POLKIT_AUTHENTICATION_AGENT (shell_polkit_authentication_agent_get_type())
+
diff --git a/gnu/packages/patches/lightdm-arguments-ordering.patch b/gnu/packages/patches/lightdm-arguments-ordering.patch
new file mode 100644
index 0000000000..c3b513a19a
--- /dev/null
+++ b/gnu/packages/patches/lightdm-arguments-ordering.patch
@@ -0,0 +1,54 @@
+When providing the VNCServer command as 'Xvnc -SecurityTypes None',
+the formatted command line used would look like:
+
+ Xvnc -SecurityTypes None :1 -auth /var/run/lightdm/root/:1
+
+which is invalid (the display number must appear first).
+
+Submitted upstream at: https://github.com/canonical/lightdm/pull/265
+
+ src/x-server-local.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/x-server-local.c b/src/x-server-local.c
+index 7c4ab870..6c540d18 100644
+--- a/src/x-server-local.c
++++ b/src/x-server-local.c
+@@ -463,14 +463,20 @@ x_server_local_start (DisplayServer *display_server)
+ l_debug (display_server, "Logging to %s", log_file);
+
+ g_autofree gchar *absolute_command = get_absolute_command (priv->command);
++ g_auto(GStrv) tokens = g_strsplit (absolute_command, " ", 2);
++ const gchar* binary = tokens[0];
++ const gchar *extra_options = tokens[1];
++
+ if (!absolute_command)
+ {
+ l_debug (display_server, "Can't launch X server %s, not found in path", priv->command);
+ stopped_cb (priv->x_server_process, X_SERVER_LOCAL (server));
+ return FALSE;
+ }
+- g_autoptr(GString) command = g_string_new (absolute_command);
++ g_autoptr(GString) command = g_string_new (binary);
+
++ /* The display argument must be given first when the X server used
++ * is Xvnc. */
+ g_string_append_printf (command, " :%d", priv->display_number);
+
+ if (priv->config_file)
+@@ -513,6 +519,12 @@ x_server_local_start (DisplayServer *display_server)
+ if (X_SERVER_LOCAL_GET_CLASS (server)->add_args)
+ X_SERVER_LOCAL_GET_CLASS (server)->add_args (server, command);
+
++ /* Any extra user options provided via the VNCServer 'command'
++ * config option are appended last, so the user can override any
++ * of the above. */
++ if (extra_options)
++ g_string_append_printf (command, " %s", extra_options);
++
+ process_set_command (priv->x_server_process, command->str);
+
+ l_debug (display_server, "Launching X Server");
+--
+2.36.1
+
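Review bot: The added `g_strsplit (absolute_command, " ", 2)` and the two `tokens[...]` reads run before the `if (!absolute_command)` check, so when `get_absolute_command` returns NULL the code indexes a NULL vector (GLib's `g_strsplit` returns NULL for a NULL string) instead of reaching the "not found in path" branch. Move the three added declarations below the closing brace of that check, directly above `g_string_new (binary)`. Splitting on a single space also cuts a binary path that contains a space in the wrong place; a one-line comment stating that limitation would help. The comment in the second hunk says the extra options can override everything above, which by the patch description includes the `-auth` argument; it is worth stating in that comment that this is intended, given the description's own example is `-SecurityTypes None`. `x_server_local_start` begins and ends outside both hunks.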
diff --git a/gnu/packages/patches/lightdm-vnc-color-depth.patch b/gnu/packages/patches/lightdm-vnc-color-depth.patch
new file mode 100644
index 0000000000..cd69977d6a
--- /dev/null
+++ b/gnu/packages/patches/lightdm-vnc-color-depth.patch
@@ -0,0 +1,81 @@
+There is no longer support for 8 bit color depth in TigerVNC (see:
+https://github.com/TigerVNC/tigervnc/commit/e86d8720ba1e79b486ca29a5c2b27fa25811e6a2);
+using it causes a fatal error.
+
+Submitted upstream at: https://github.com/canonical/lightdm/pull/265.
+
+diff --git a/data/lightdm.conf b/data/lightdm.conf
+index 0df38429..60e3e8b4 100644
+--- a/data/lightdm.conf
++++ b/data/lightdm.conf
+@@ -160,4 +160,4 @@
+ #listen-address=
+ #width=1024
+ #height=768
+-#depth=8
++#depth=24
+diff --git a/src/x-server-xvnc.c b/src/x-server-xvnc.c
+index 68340d53..27ca4454 100644
+--- a/src/x-server-xvnc.c
++++ b/src/x-server-xvnc.c
+@@ -127,7 +127,7 @@ x_server_xvnc_init (XServerXVNC *server)
+ XServerXVNCPrivate *priv = x_server_xvnc_get_instance_private (server);
+ priv->width = 1024;
+ priv->height = 768;
+- priv->depth = 8;
++ priv->depth = 24;
+ }
+
+ static void
+diff --git a/tests/scripts/vnc-command.conf b/tests/scripts/vnc-command.conf
+index 0f1e25fd..335956d9 100644
+--- a/tests/scripts/vnc-command.conf
++++ b/tests/scripts/vnc-command.conf
+@@ -19,7 +19,7 @@ command=Xvnc -option
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=TRUE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=TRUE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
+diff --git a/tests/scripts/vnc-guest.conf b/tests/scripts/vnc-guest.conf
+index 431bb244..ce2b97db 100644
+--- a/tests/scripts/vnc-guest.conf
++++ b/tests/scripts/vnc-guest.conf
+@@ -21,7 +21,7 @@ user-session=default
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
+diff --git a/tests/scripts/vnc-login.conf b/tests/scripts/vnc-login.conf
+index cdfe17b8..f0d65b7f 100644
+--- a/tests/scripts/vnc-login.conf
++++ b/tests/scripts/vnc-login.conf
+@@ -21,7 +21,7 @@ user-session=default
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
+diff --git a/tests/scripts/vnc-open-file-descriptors.conf b/tests/scripts/vnc-open-file-descriptors.conf
+index 753c84dd..e5d35730 100644
+--- a/tests/scripts/vnc-open-file-descriptors.conf
++++ b/tests/scripts/vnc-open-file-descriptors.conf
+@@ -21,7 +21,7 @@ user-session=default
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
diff --git a/gnu/packages/patches/lightdm-vncserver-check.patch b/gnu/packages/patches/lightdm-vncserver-check.patch
new file mode 100644
index 0000000000..0e31ff3d68
--- /dev/null
+++ b/gnu/packages/patches/lightdm-vncserver-check.patch
@@ -0,0 +1,66 @@
+Honor the Xvnc command specified in the config instead of using a hard-coded
+default.
+
+Submitted upstream at: https://github.com/canonical/lightdm/pull/265
+
+diff --git a/src/lightdm.c b/src/lightdm.c
+index 74f9ff2d..0ccfcd78 100644
+--- a/src/lightdm.c
++++ b/src/lightdm.c
+@@ -349,27 +349,42 @@ start_display_manager (void)
+ /* Start the VNC server */
+ if (config_get_boolean (config_get_instance (), "VNCServer", "enabled"))
+ {
+- g_autofree gchar *path = g_find_program_in_path ("Xvnc");
+- if (path)
++ /* Validate that a the VNC command is available. */
++ g_autofree gchar *command = config_get_string (config_get_instance (), "VNCServer", "command");
++ if (command)
+ {
+- vnc_server = vnc_server_new ();
+- if (config_has_key (config_get_instance (), "VNCServer", "port"))
++ g_auto(GStrv) tokens = g_strsplit (command, " ", 2);
++ if (!g_find_program_in_path (tokens[0]))
+ {
+- gint port = config_get_integer (config_get_instance (), "VNCServer", "port");
+- if (port > 0)
+- vnc_server_set_port (vnc_server, port);
++ g_warning ("Can't start VNC server; command '%s' not found", tokens[0]);
++ return;
+ }
+- g_autofree gchar *listen_address = config_get_string (config_get_instance (), "VNCServer", "listen-address");
+- vnc_server_set_listen_address (vnc_server, listen_address);
+- g_signal_connect (vnc_server, VNC_SERVER_SIGNAL_NEW_CONNECTION, G_CALLBACK (vnc_connection_cb), NULL);
+-
+- g_debug ("Starting VNC server on TCP/IP port %d", vnc_server_get_port (vnc_server));
+- vnc_server_start (vnc_server);
+ }
+ else
+- g_warning ("Can't start VNC server, Xvnc is not in the path");
++ {
++ /* Fallback to 'Xvnc'. */
++ if (!g_find_program_in_path ("Xvnc")) {
++ g_warning ("Can't start VNC server; 'Xvnc' command not found");
++ return;
++ }
++ }
++
++ vnc_server = vnc_server_new ();
++ if (config_has_key (config_get_instance (), "VNCServer", "port"))
++ {
++ gint port = config_get_integer (config_get_instance (), "VNCServer", "port");
++ if (port > 0)
++ vnc_server_set_port (vnc_server, port);
++ }
++ g_autofree gchar *listen_address = config_get_string (config_get_instance (), "VNCServer", "listen-address");
++ vnc_server_set_listen_address (vnc_server, listen_address);
++ g_signal_connect (vnc_server, VNC_SERVER_SIGNAL_NEW_CONNECTION, G_CALLBACK (vnc_connection_cb), NULL);
++
++ g_debug ("Starting VNC server on TCP/IP port %d", vnc_server_get_port (vnc_server));
++ vnc_server_start (vnc_server);
+ }
+ }
++
+ static void
+ service_ready_cb (DisplayManagerService *service)
+ {
diff --git a/gnu/packages/patches/mercurial-openssl-compat.patch b/gnu/packages/patches/mercurial-openssl-compat.patch
new file mode 100644
index 0000000000..139356f285
--- /dev/null
+++ b/gnu/packages/patches/mercurial-openssl-compat.patch
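Review bot: Both new `g_find_program_in_path` calls in `start_display_manager` discard the returned string, which GLib allocates for the caller, so each successful lookup leaks it; the removed code held it in `g_autofree gchar *path`. Keep that pattern, e.g. `g_autofree gchar *path = g_find_program_in_path (tokens[0]);` followed by `if (!path)`, and the same for the `"Xvnc"` fallback. An empty `command=` value makes `g_strsplit` return an empty vector, so `tokens[0]` is NULL when it reaches `g_find_program_in_path` and the `%s` in `g_warning`; test `tokens[0]` before using it. The added comment also has a typo ("a the VNC command").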
@@ -0,0 +1,89 @@
+Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3.
+
+Taken from Debian:
+
+ https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch
+
+--- a/mercurial/sslutil.py
++++ b/mercurial/sslutil.py
+@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname):
+ ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
+
+ # If --insecure is used, we allow the use of TLS 1.0 despite config options.
+ # We always print a "connection security to %s is disabled..." message when
+ # --insecure is used. So no need to print anything more here.
+ if ui.insecureconnections:
+ minimumprotocol = b'tls1.0'
+ if not ciphers:
+- ciphers = b'DEFAULT'
++ ciphers = b'DEFAULT:@SECLEVEL=0'
+
+ s[b'minimumprotocol'] = minimumprotocol
+ s[b'ciphers'] = ciphers
+
+ # Look for fingerprints in [hostsecurity] section. Value is a list
+ # of <alg>:<fingerprint> strings.
+ fingerprints = ui.configlist(
+ b'hostsecurity', b'%s:fingerprints' % bhostname
+@@ -621,17 +621,17 @@ def wrapserversocket(
+
+ # Improve forward secrecy.
+ sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
+ sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+
+ # In tests, allow insecure ciphers
+ # Otherwise, use the list of more secure ciphers if found in the ssl module.
+ if exactprotocol:
+- sslcontext.set_ciphers('DEFAULT')
++ sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
+ elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+ sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
+ # pytype: disable=module-attr
+ sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+ # pytype: enable=module-attr
+
+ if requireclientcert:
+ sslcontext.verify_mode = ssl.CERT_REQUIRED
+--- a/tests/test-https.t
++++ b/tests/test-https.t
+@@ -356,19 +356,19 @@ Start servers running supported TLS vers
+ $ cat ../hg1.pid >> $DAEMON_PIDS
+ $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
+ > --config devel.serverexactprotocol=tls1.2
+ $ cat ../hg2.pid >> $DAEMON_PIDS
+ $ cd ..
+
+ Clients talking same TLS versions work
+
+- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
+ 5fed3813f7f5
+- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
+ 5fed3813f7f5
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
+ 5fed3813f7f5
+
+ Clients requiring newer TLS version than what server supports fail
+
+ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
+ (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
+@@ -400,17 +400,17 @@ Clients requiring newer TLS version than
+
+ $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
+ warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
+ 5fed3813f7f5
+
+ The per-host config option overrides the default
+
+ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
+- > --config hostsecurity.ciphers=DEFAULT \
++ > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
+ > --config hostsecurity.minimumprotocol=tls1.2 \
+ > --config hostsecurity.localhost:minimumprotocol=tls1.0
+ 5fed3813f7f5
+
+ The per-host config option by itself works
+
+ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
+ > --config hostsecurity.localhost:minimumprotocol=tls1.2
diff --git a/gnu/packages/patches/scons-test-environment.patch b/gnu/packages/patches/scons-test-environment.patch
new file mode 100644
index 0000000000..be5b61b2d4
--- /dev/null
+++ b/gnu/packages/patches/scons-test-environment.patch
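Review bot: `@SECLEVEL=0` in `_hostsettings` and `wrapserversocket` does more than re-enable TLS < 1.2: at security level 0 OpenSSL no longer enforces its minimum key sizes or signature-hash strength for the handshake, and neither code site says so. Both sites are already gated (`ui.insecureconnections` with no configured ciphers, and `exactprotocol`, which the existing comment ties to tests), so I would document the reason in place, e.g. `# OpenSSL 3 only negotiates TLS < 1.2 at security level 0; keep this confined to --insecure.` above `ciphers = b'DEFAULT:@SECLEVEL=0'`, with a matching line in the `exactprotocol` branch. The test-https.t changes suggest that a user who sets `hostsecurity.minimumprotocol=tls1.0` without `--insecure` must now also set `hostsecurity.ciphers` by hand; that belongs in the patch header so it is not mistaken for a regression. Both functions continue outside the hunks.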
@@ -0,0 +1,57 @@
+Inherit essential environment variables in tests.
+
+Note: it could be better to generalize this in SCons/Platform/posix.py
+instead of just patching the tests.
+
+diff --git a/SCons/ActionTests.py b/SCons/ActionTests.py
+--- a/SCons/ActionTests.py
++++ b/SCons/ActionTests.py
+@@ -98,6 +98,7 @@ outfile2 = test.workpath('outfile2')
+ pipe_file = test.workpath('pipe.out')
+
+ scons_env = SCons.Environment.Environment()
++scons_env['ENV']['PATH'] += os.environ['PATH']
+
+ # Capture all the stuff the Actions will print,
+ # so it doesn't clutter the output.
+@@ -1090,6 +1091,8 @@ class CommandActionTestCase(unittest.TestCase):
+ except AttributeError:
+ env = Environment()
+
++ env = Environment(ENV={'PATH': os.environ['PATH']})
++
+ cmd1 = r'%s %s %s xyzzy' % (_python_, act_py, outfile)
+
+ act = SCons.Action.CommandAction(cmd1)
+@@ -1884,7 +1887,7 @@ class ListActionTestCase(unittest.TestCase):
+ f.write("class2b\n")
+
+ act = SCons.Action.ListAction([cmd2, function2, class2a(), class2b])
+- r = act([], [], Environment(out=outfile))
++ r = act([], [], Environment(out=outfile, ENV={'PATH' : os.getenv('PATH')}))
+ assert isinstance(r.status, class2b), r.status
+ c = test.read(outfile, 'r')
+ assert c == "act.py: 'syzygy'\nfunction2\nclass2a\nclass2b\n", c
+@@ -1948,7 +1951,7 @@ class LazyActionTestCase(unittest.TestCase):
+ a([], [], env=Environment(BAR=f, s=self))
+ assert self.test == 1, self.test
+ cmd = r'%s %s %s lazy' % (_python_, act_py, outfile)
+- a([], [], env=Environment(BAR=cmd, s=self))
++ a([], [], env=Environment(BAR=cmd, s=self, ENV={'PATH' : os.getenv('PATH')}))
+ c = test.read(outfile, 'r')
+ assert c == "act.py: 'lazy'\n", c
+
+diff --git a/SCons/SConfTests.py b/SCons/SConfTests.py
+--- a/SCons/SConfTests.py
++++ b/SCons/SConfTests.py
+@@ -71,7 +71,9 @@ class SConfTestCase(unittest.TestCase):
+ # and we need a new environment, cause references may point to
+ # old modules (well, at least this is safe ...)
+ self.scons_env = self.Environment.Environment()
+- self.scons_env.AppendENVPath('PATH', os.environ['PATH'])
++ # Inherit the OS environment to get essential variables.
++ inherited_env = os.environ.copy()
++ self.scons_env['ENV'] = inherited_env
+
+ # we want to do some autodetection here
+ # this stuff works with |
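Review bot: `scons_env['ENV']['PATH'] += os.environ['PATH']` in the first ActionTests.py hunk joins the two values with no separator, so the last directory already in `ENV['PATH']` and the first directory of the inherited PATH fuse into one bogus entry; it should be `scons_env['ENV']['PATH'] += os.pathsep + os.environ['PATH']`. In `CommandActionTestCase` the added `env = Environment(ENV=...)` unconditionally replaces the `env` set by the `except AttributeError` fallback just above it (the `try` itself is outside the hunk), which appears to make that block dead. The `ListActionTestCase` and `LazyActionTestCase` hunks use `os.getenv('PATH')`, which yields None when PATH is unset, while the others use `os.environ['PATH']`; pick one. The SConfTests.py hunk copies the whole of `os.environ` into `ENV`, which is wider than the "essential variables" its comment names and hands every variable of the build environment to the commands the tests spawn.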