diff options
author | Marius Bakke <marius@gnu.org> | 2022-08-30 18:58:57 +0200 |
---|---|---|
committer | Marius Bakke <marius@gnu.org> | 2022-08-30 18:58:57 +0200 |
commit | 827b4117daa7a7f5cdd84e0211c3acb778e9246b (patch) | |
tree | 6ca042081f2e98c599bb3121af025ca35bdc0431 /gnu/packages/patches | |
parent | 1cf37370937665f21b4fb01daeffbf90c671611e (diff) | |
parent | db2444ad824ab529fd9e850dbae42359009ac4a2 (diff) | |
download | guix-827b4117daa7a7f5cdd84e0211c3acb778e9246b.tar.gz guix-827b4117daa7a7f5cdd84e0211c3acb778e9246b.zip |
Merge branch 'master' into staging
Diffstat (limited to 'gnu/packages/patches')
5 files changed, 315 insertions, 0 deletions
diff --git a/gnu/packages/patches/accountsservice-extensions.patch b/gnu/packages/patches/accountsservice-extensions.patch new file mode 100644 index 0000000000..2cfab580e3 --- /dev/null +++ b/gnu/packages/patches/accountsservice-extensions.patch @@ -0,0 +1,25 @@ +Patch from NixOS retrieved from +https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/accountsservice/drop-prefix-check-extensions.patch. + +diff --git a/src/extensions.c b/src/extensions.c +index 038dcb2..830465d 100644 +--- a/src/extensions.c ++++ b/src/extensions.c +@@ -121,16 +121,7 @@ daemon_read_extension_directory (GHashTable *ifaces, + continue; + } + +- /* Ensure it looks like "../../dbus-1/interfaces/${name}" */ +- const gchar * const prefix = "../../dbus-1/interfaces/"; +- if (g_str_has_prefix (symlink, prefix) && g_str_equal (symlink + strlen (prefix), name)) { +- daemon_read_extension_file (ifaces, filename); +- } +- else { +- g_warning ("Found accounts service vendor extension symlink %s, but it must be exactly " +- "equal to '../../dbus-1/interfaces/%s' for forwards-compatibility reasons.", +- filename, name); +- } ++ daemon_read_extension_file (ifaces, filename); + } + + g_dir_close (dir); diff --git a/gnu/packages/patches/lightdm-arguments-ordering.patch b/gnu/packages/patches/lightdm-arguments-ordering.patch new file mode 100644 index 0000000000..c3b513a19a --- /dev/null +++ b/gnu/packages/patches/lightdm-arguments-ordering.patch @@ -0,0 +1,54 @@ +When providing the VNCServer command as 'Xvnc -SecurityTypes None', +the formatted command line used would look like: + + Xvnc -SecurityTypes None :1 -auth /var/run/lightdm/root/:1 + +which is invalid (the display number must appear first). + +Submitted upstream at: https://github.com/canonical/lightdm/pull/265 + + src/x-server-local.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/x-server-local.c b/src/x-server-local.c +index 7c4ab870..6c540d18 100644 +--- a/src/x-server-local.c ++++ b/src/x-server-local.c +@@ -463,14 +463,20 @@ x_server_local_start (DisplayServer *display_server) + l_debug (display_server, "Logging to %s", log_file); + + g_autofree gchar *absolute_command = get_absolute_command (priv->command); ++ g_auto(GStrv) tokens = g_strsplit (absolute_command, " ", 2); ++ const gchar* binary = tokens[0]; ++ const gchar *extra_options = tokens[1]; ++ + if (!absolute_command) + { + l_debug (display_server, "Can't launch X server %s, not found in path", priv->command); + stopped_cb (priv->x_server_process, X_SERVER_LOCAL (server)); + return FALSE; + } +- g_autoptr(GString) command = g_string_new (absolute_command); ++ g_autoptr(GString) command = g_string_new (binary); + ++ /* The display argument must be given first when the X server used ++ * is Xvnc. */ + g_string_append_printf (command, " :%d", priv->display_number); + + if (priv->config_file) +@@ -513,6 +519,12 @@ x_server_local_start (DisplayServer *display_server) + if (X_SERVER_LOCAL_GET_CLASS (server)->add_args) + X_SERVER_LOCAL_GET_CLASS (server)->add_args (server, command); + ++ /* Any extra user options provided via the VNCServer 'command' ++ * config option are appended last, so the user can override any ++ * of the above. */ ++ if (extra_options) ++ g_string_append_printf (command, " %s", extra_options); ++ + process_set_command (priv->x_server_process, command->str); + + l_debug (display_server, "Launching X Server"); +-- +2.36.1 + diff --git a/gnu/packages/patches/lightdm-vnc-color-depth.patch b/gnu/packages/patches/lightdm-vnc-color-depth.patch new file mode 100644 index 0000000000..cd69977d6a --- /dev/null +++ b/gnu/packages/patches/lightdm-vnc-color-depth.patch @@ -0,0 +1,81 @@ +There is no longer support for 8 bit color depth in TigerVNC (see: +https://github.com/TigerVNC/tigervnc/commit/e86d8720ba1e79b486ca29a5c2b27fa25811e6a2); +using it causes a fatal error. + +Submitted upstream at: https://github.com/canonical/lightdm/pull/265. + +diff --git a/data/lightdm.conf b/data/lightdm.conf +index 0df38429..60e3e8b4 100644 +--- a/data/lightdm.conf ++++ b/data/lightdm.conf +@@ -160,4 +160,4 @@ + #listen-address= + #width=1024 + #height=768 +-#depth=8 ++#depth=24 +diff --git a/src/x-server-xvnc.c b/src/x-server-xvnc.c +index 68340d53..27ca4454 100644 +--- a/src/x-server-xvnc.c ++++ b/src/x-server-xvnc.c +@@ -127,7 +127,7 @@ x_server_xvnc_init (XServerXVNC *server) + XServerXVNCPrivate *priv = x_server_xvnc_get_instance_private (server); + priv->width = 1024; + priv->height = 768; +- priv->depth = 8; ++ priv->depth = 24; + } + + static void +diff --git a/tests/scripts/vnc-command.conf b/tests/scripts/vnc-command.conf +index 0f1e25fd..335956d9 100644 +--- a/tests/scripts/vnc-command.conf ++++ b/tests/scripts/vnc-command.conf +@@ -19,7 +19,7 @@ command=Xvnc -option + #?VNC-CLIENT CONNECT + + # Xvnc server starts +-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=TRUE ++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=TRUE + + # Daemon connects when X server is ready + #?*XVNC-0 INDICATE-READY +diff --git a/tests/scripts/vnc-guest.conf b/tests/scripts/vnc-guest.conf +index 431bb244..ce2b97db 100644 +--- a/tests/scripts/vnc-guest.conf ++++ b/tests/scripts/vnc-guest.conf +@@ -21,7 +21,7 @@ user-session=default + #?VNC-CLIENT CONNECT + + # Xvnc server starts +-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE ++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE + + # Daemon connects when X server is ready + #?*XVNC-0 INDICATE-READY +diff --git a/tests/scripts/vnc-login.conf b/tests/scripts/vnc-login.conf +index cdfe17b8..f0d65b7f 100644 +--- a/tests/scripts/vnc-login.conf ++++ b/tests/scripts/vnc-login.conf +@@ -21,7 +21,7 @@ user-session=default + #?VNC-CLIENT CONNECT + + # Xvnc server starts +-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE ++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE + + # Daemon connects when X server is ready + #?*XVNC-0 INDICATE-READY +diff --git a/tests/scripts/vnc-open-file-descriptors.conf b/tests/scripts/vnc-open-file-descriptors.conf +index 753c84dd..e5d35730 100644 +--- a/tests/scripts/vnc-open-file-descriptors.conf ++++ b/tests/scripts/vnc-open-file-descriptors.conf +@@ -21,7 +21,7 @@ user-session=default + #?VNC-CLIENT CONNECT + + # Xvnc server starts +-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE ++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE + + # Daemon connects when X server is ready + #?*XVNC-0 INDICATE-READY diff --git a/gnu/packages/patches/lightdm-vncserver-check.patch b/gnu/packages/patches/lightdm-vncserver-check.patch new file mode 100644 index 0000000000..0e31ff3d68 --- /dev/null +++ b/gnu/packages/patches/lightdm-vncserver-check.patch @@ -0,0 +1,66 @@ +Honor the Xvnc command specified in the config instead of using a hard-coded +default. + +Submitted upstream at: https://github.com/canonical/lightdm/pull/265 + +diff --git a/src/lightdm.c b/src/lightdm.c +index 74f9ff2d..0ccfcd78 100644 +--- a/src/lightdm.c ++++ b/src/lightdm.c +@@ -349,27 +349,42 @@ start_display_manager (void) + /* Start the VNC server */ + if (config_get_boolean (config_get_instance (), "VNCServer", "enabled")) + { +- g_autofree gchar *path = g_find_program_in_path ("Xvnc"); +- if (path) ++ /* Validate that a the VNC command is available. */ ++ g_autofree gchar *command = config_get_string (config_get_instance (), "VNCServer", "command"); ++ if (command) + { +- vnc_server = vnc_server_new (); +- if (config_has_key (config_get_instance (), "VNCServer", "port")) ++ g_auto(GStrv) tokens = g_strsplit (command, " ", 2); ++ if (!g_find_program_in_path (tokens[0])) + { +- gint port = config_get_integer (config_get_instance (), "VNCServer", "port"); +- if (port > 0) +- vnc_server_set_port (vnc_server, port); ++ g_warning ("Can't start VNC server; command '%s' not found", tokens[0]); ++ return; + } +- g_autofree gchar *listen_address = config_get_string (config_get_instance (), "VNCServer", "listen-address"); +- vnc_server_set_listen_address (vnc_server, listen_address); +- g_signal_connect (vnc_server, VNC_SERVER_SIGNAL_NEW_CONNECTION, G_CALLBACK (vnc_connection_cb), NULL); +- +- g_debug ("Starting VNC server on TCP/IP port %d", vnc_server_get_port (vnc_server)); +- vnc_server_start (vnc_server); + } + else +- g_warning ("Can't start VNC server, Xvnc is not in the path"); ++ { ++ /* Fallback to 'Xvnc'. */ ++ if (!g_find_program_in_path ("Xvnc")) { ++ g_warning ("Can't start VNC server; 'Xvnc' command not found"); ++ return; ++ } ++ } ++ ++ vnc_server = vnc_server_new (); ++ if (config_has_key (config_get_instance (), "VNCServer", "port")) ++ { ++ gint port = config_get_integer (config_get_instance (), "VNCServer", "port"); ++ if (port > 0) ++ vnc_server_set_port (vnc_server, port); ++ } ++ g_autofree gchar *listen_address = config_get_string (config_get_instance (), "VNCServer", "listen-address"); ++ vnc_server_set_listen_address (vnc_server, listen_address); ++ g_signal_connect (vnc_server, VNC_SERVER_SIGNAL_NEW_CONNECTION, G_CALLBACK (vnc_connection_cb), NULL); ++ ++ g_debug ("Starting VNC server on TCP/IP port %d", vnc_server_get_port (vnc_server)); ++ vnc_server_start (vnc_server); + } + } ++ + static void + service_ready_cb (DisplayManagerService *service) + { diff --git a/gnu/packages/patches/mercurial-openssl-compat.patch b/gnu/packages/patches/mercurial-openssl-compat.patch new file mode 100644 index 0000000000..139356f285 --- /dev/null +++ b/gnu/packages/patches/mercurial-openssl-compat.patch @@ -0,0 +1,89 @@ +Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3. + +Taken from Debian: + + https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch + +--- a/mercurial/sslutil.py ++++ b/mercurial/sslutil.py +@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname): + ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) + + # If --insecure is used, we allow the use of TLS 1.0 despite config options. + # We always print a "connection security to %s is disabled..." message when + # --insecure is used. So no need to print anything more here. + if ui.insecureconnections: + minimumprotocol = b'tls1.0' + if not ciphers: +- ciphers = b'DEFAULT' ++ ciphers = b'DEFAULT:@SECLEVEL=0' + + s[b'minimumprotocol'] = minimumprotocol + s[b'ciphers'] = ciphers + + # Look for fingerprints in [hostsecurity] section. Value is a list + # of <alg>:<fingerprint> strings. + fingerprints = ui.configlist( + b'hostsecurity', b'%s:fingerprints' % bhostname +@@ -621,17 +621,17 @@ def wrapserversocket( + + # Improve forward secrecy. + sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) + sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) + + # In tests, allow insecure ciphers + # Otherwise, use the list of more secure ciphers if found in the ssl module. + if exactprotocol: +- sslcontext.set_ciphers('DEFAULT') ++ sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0') + elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): + sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) + # pytype: disable=module-attr + sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) + # pytype: enable=module-attr + + if requireclientcert: + sslcontext.verify_mode = ssl.CERT_REQUIRED +--- a/tests/test-https.t ++++ b/tests/test-https.t +@@ -356,19 +356,19 @@ Start servers running supported TLS vers + $ cat ../hg1.pid >> $DAEMON_PIDS + $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ + > --config devel.serverexactprotocol=tls1.2 + $ cat ../hg2.pid >> $DAEMON_PIDS + $ cd .. + + Clients talking same TLS versions work + +- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/ ++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/ + 5fed3813f7f5 +- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/ ++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/ + 5fed3813f7f5 + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ + 5fed3813f7f5 + + Clients requiring newer TLS version than what server supports fail + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ + (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) +@@ -400,17 +400,17 @@ Clients requiring newer TLS version than + + $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ + warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering + 5fed3813f7f5 + + The per-host config option overrides the default + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ +- > --config hostsecurity.ciphers=DEFAULT \ ++ > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \ + > --config hostsecurity.minimumprotocol=tls1.2 \ + > --config hostsecurity.localhost:minimumprotocol=tls1.0 + 5fed3813f7f5 + + The per-host config option by itself works + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ + > --config hostsecurity.localhost:minimumprotocol=tls1.2 |