A big thanks to Eelco Dolstra, who designed and implemented Nix.
Transposing functional programming discipline to package management
proved to be inspiring and fruitful.

Thanks to the following people who contributed to GNU Guix through
suggestions, bug reports, patches, internationalization, or general
infrastructure help:

	    Lluís Batlle i Rossell <viric@viric.name>
          Sylvain Beucler <beuc@beuc.net>
	   Carlos Carleos <carleos@uniovi.es>
	   Felipe Castro <fefcas@gmail.com>
	   Daniel Clark <dclark@pobox.com>
	Alexandru Cojocaru <xojoc@gmx.com>
	    Aleix Conchillo Flaqué <aconchillo@gmail.com>
          Malcolm Cook <MEC@stowers.org>
           Thomas Danckaert <thomas.danckaert@gmail.com>
	   Rafael Ferreira <rafael.f.f1@gmail.com>
	Christian Grothoff <christian@grothoff.org>
             Eric Hanchrow <eric.hanchrow@gmail.com>
           Konrad Hinsen <konrad.hinsen@fastmail.net>
          Brandon Invergo <brandon@gnu.org>
           Anders Jonsson <anders.jonsson@norsjovallen.se>
	  Jeffrin Jose <ahiliation@yahoo.co.in>
	          Kete <kete@ninthfloor.org>
           Daniel Kochmański <dkochmanski@hellsgate.pl>
	  Matthew Lien <bluet@bluet.org>
             Dave Love <fx@gnu.org>
            Chris Marusich <cmmarusich@gmail.com>
            Niels Möller <nisse@lysator.liu.se>
          Cyprien Nicolas <cyprien@nicolas.tf>
	   Yutaka Niibe <gniibe@fsij.org>
           Andrei Osipov <andrspv@gmail.com>
                  Petter <petter@mykolab.ch>
             Adam Pribyl <pribyl@lowlevel.cz>
            Pjotr Prins <pjotr.public12@thebird.nl>
  Yakkala Yagnesh Raghava <hi@yagnesh.org>
           Joshua Randall <jcrandall@alum.mit.edu>
      Bruno Félix Rezende Ribeiro <oitofelix@gnu.org>
	    Benno Schulenberg <coordinator@translationproject.org>
           Thomas Schwinge <thomas@codesourcery.com>
        Alexander Shendi <Alexander.Shendi@web.de>
	     Alen Skondro <askondro@gmail.com>
              Jan Synáček <jan.synacek@gmail.com>
	 Matthias Wachs <wachs@net.in.tum.de>
        Christine Lemmer-Webber <cwebber@dustycloud.org>
           Philip Woods <elzairthesorcerer@gmail.com>

GNU Guix also includes non-software works.  Thanks to the following
people who contributed the logo and general artwork and themes:

           Nikita Karetnikov <nikita@karetnikov.org>
           Felipe López <felipe.lopez@openmailbox.org>
ge (<a href='/guix/log/nix/libutil?id=245cb903f163cb6ca3b577fcc9cbd76d2959c60b&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-05-13 16:31:34 +0200'>2024-05-13</span></td><td><a href='/guix/commit/nix/libutil?id=7757fdd491862fa5c33f1f894503346b89898a01'>daemon: Loop over ‘copy_file_range’ upon short writes.</a><span class='msg-avail'>...<span class='msg-tooltip'>Fixes &lt;https://issues.guix.gnu.org/70877&gt;.

* nix/libutil/util.cc (copyFile): Loop over ‘copy_file_range’ instead of
throwing upon short write.

Reported-by: Ricardo Wurmus &lt;rekado@elephly.net&gt;
Change-Id: Id7b8a65ea59006c2d91bc23732309a68665b9ca0
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2024-03-12 14:07:28 +0100'>2024-03-12</span></td><td><a href='/guix/commit/nix/libutil?id=ff1251de0bc327ec478fc66a562430fbf35aef42'>daemon: Address shortcoming in previous security fix for CVE-2024-27297.</a><span class='msg-avail'>...<span class='msg-tooltip'>This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
ways: (1) it didn’t have any effet for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.

* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.

Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2024-03-11 22:12:34 +0100'>2024-03-11</span></td><td><a href='/guix/commit/nix/libutil?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143'>daemon: Protect against FD escape when building fixed-output derivations (CVE...</a><span class='msg-avail'>...<span class='msg-tooltip'>This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Vulnerability discovered by puck &lt;https://github.com/puckipedia&gt;.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

Nix fix:
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.

Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4

Reported-by: Picnoir &lt;picnoir@alternativebit.fr&gt;, Théophane Hufschmitt &lt;theophane.hufschmitt@tweag.io&gt;
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
</span></span></td><td>Ludovic Courtès</td></tr>