;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Federico Beffa
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;;; Commentary:
;;;
;;; Unit tests for the ELPA importer, (guix import elpa).  Nothing here
;;; touches the network: the archive index is served from
;;; ELPA-MOCK-ARCHIVE below, and 'url-fetch' is replaced by a stub that
;;; writes a placeholder file, so the emitted package expression can be
;;; checked deterministically.

(define-module (test-elpa)
  #:use-module (guix import elpa)
  #:use-module (guix tests)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64)
  #:use-module (ice-9 match))

;; A fake 'archive-contents' file, in the shape ELPA publishes it: the
;; archive format version followed by one (NAME . [VERSION REQS SYNOPSIS
;; KIND PROPS]) entry per package.
(define elpa-mock-archive
  '(1
    (ace-window .
     [(0 9 0)
      ((avy (0 2 0)))
      "Quickly switch windows."
      single
      ((:url . "https://github.com/abo-abo/ace-window")
       (:keywords "window" "location"))])
    (auctex .
     [(11 88 6)
      nil
      "Integrated environment for *TeX*"
      tar
      ((:url . "http://www.gnu.org/software/auctex/"))])))

;; Text standing in for the package's README in the generated description.
(define auctex-readme-mock "This is the AUCTeX description.")

(define* (elpa-package-info-mock name #:optional (repo "gnu"))
  "Stand-in for 'elpa-package-info': look NAME up in ELPA-MOCK-ARCHIVE as if
it had been fetched from REPO and return its (NAME . [...]) entry, or #f when
the package is unknown.  REPO is accepted for signature compatibility only;
the same mock archive is used whatever its value."
  ;; The archive is an alist keyed by symbol once the leading format version
  ;; is skipped, so a plain 'assq' does the lookup.
  (assq (string->symbol name) (cdr elpa-mock-archive)))

;; Reach into the importer for the helpers the mock needs; they are not
;; exported.
(define elpa-version->string (@@ (guix import elpa) elpa-version->string))
(define package-source-url (@@ (guix import elpa) package-source-url))
(define ensure-list (@@ (guix import elpa) ensure-list))
(define package-home-page (@@ (guix import elpa) package-home-page))
(define make-elpa-package (@@ (guix import elpa) make-elpa-package))

(test-begin "elpa")

(define (eval-test-with-elpa pkg)
  "Run 'elpa->guix-package' on PKG with both fetching functions mocked and
return #t when the resulting expression matches the expected AUCTeX package;
otherwise print the mismatching expression with 'pk' and return #f."
  (mock
   ;; Replace the archive lookup with one backed by the mock archive.
   ((guix import elpa) fetch-elpa-package
    (lambda* (name #:optional (repo "gnu"))
      (match (elpa-package-info-mock name repo)
        ((sym version reqs synopsis kind . props)
         (let* ((pkg-name (symbol->string sym))
                (version-string (elpa-version->string version))
                (source-url (package-source-url kind pkg-name
                                                version-string repo)))
           (make-elpa-package pkg-name
                              version-string
                              (ensure-list reqs)
                              synopsis
                              kind
                              (package-home-page (car props))
                              auctex-readme-mock
                              source-url)))
        (_ #f))))
   ;; Replace the tarball download with a stub that writes a placeholder so
   ;; that hashing the "source" still works.
   (mock ((guix build download) url-fetch
          (lambda (url file . _)
            (call-with-output-file file
              (lambda (port)
                (display "fake tarball" port)))))
         (match (elpa->guix-package pkg)
           (('package
              ('name "emacs-auctex")
              ('version "11.88.6")
              ('source
               ('origin
                 ('method 'url-fetch)
                 ('uri ('string-append
                        "https://elpa.gnu.org/packages/auctex-"
                        'version ".tar"))
                 ('sha256
                  ('base32
                   (? string? hash)))))
              ('build-system 'emacs-build-system)
              ('home-page "http://www.gnu.org/software/auctex/")
              ('synopsis "Integrated environment for *TeX*")
              ('description (? string?))
              ('license 'license:gpl3+))
            #t)
           (x
            (pk 'fail x #f))))))

(test-assert "elpa->guix-package test 1"
  (eval-test-with-elpa "auctex"))

(test-end "elpa")