guix_mirror_bot pushed a commit to branch master
in repository guix.

commit 4641d4bb8eab7d05b4915d20361d1902e1499d33
Author: Rutherther <[email protected]>
AuthorDate: Sun Sep 21 21:20:09 2025 +0200

    vm-image.tmpl: Do not leak local checkout URL.
    
    Follow up of 94c9e53fa4 that made similar change, but in
    gnu/system/install.scm.
    
    Replace the local checkout URL with the default channel URL to ensure that
    release images will not leak the local checkout URL.
    
    * gnu/system/examples/vm-image.tmpl: Change channel of
    ‘guix’ package to inherit from ‘%default-guix-channel’.
    
    Change-Id: I1c633b44cfa067cae1d2948e7e7ef6922995c27d
    Signed-off-by: Ludovic Courtès <[email protected]>
---
 gnu/system/examples/vm-image.tmpl | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/gnu/system/examples/vm-image.tmpl 
b/gnu/system/examples/vm-image.tmpl
index 205ae73a9f..d3e70642b9 100644
--- a/gnu/system/examples/vm-image.tmpl
+++ b/gnu/system/examples/vm-image.tmpl
@@ -5,7 +5,12 @@
 ;;   guix system reconfigure /etc/config.scm
 ;;
 
-(use-modules (gnu) (guix) (srfi srfi-1))
+(use-modules (gnu)
+             (guix)
+             (srfi srfi-1)
+             (ice-9 match)
+             (guix channels)
+             (gnu system image))
 (use-service-modules desktop mcron networking spice ssh xorg sddm)
 (use-package-modules bootloaders fonts
                      package-management xdisorg xorg)
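Review bot: `(gnu system image)` is added to `use-modules`, but nothing in the hunks shown here refers to a binding from it. `match` comes from `(ice-9 match)`, and `channel?`, `channel-commit`, `channel` and `%default-guix-channel` presumably come from `(guix channels)`. If the rest of the template does not use it either, drop that line so the example imports only what it needs; if it is needed, a short comment naming the binding it provides would make that clear.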
@@ -25,6 +30,15 @@ Run '\x1b[1;37minfo guix\x1b[0m' to browse documentation.
 accounts.\x1b[0m
 "))
 
+(define (guix-package-commit guix)
+  ;; Extract the commit of the GUIX package.
+  (match (package-source guix)
+    ((? channel? source)
+     (channel-commit source))
+    (_
+     (apply (lambda* (#:key commit #:allow-other-keys) commit)
+            (package-arguments guix)))))
+
 (operating-system
   (host-name "gnu")
   (timezone "Etc/UTC")
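Review bot: The fallback clause of `guix-package-commit` returns `#f` when `(package-arguments guix)` carries no `#:commit` keyword, because an unsupplied `lambda*` keyword defaults to `#f`; `channel-commit` can presumably be `#f` as well. The last hunk passes the result straight into `(commit (guix-package-commit guix))`, so in that case the image's channel would carry the default URL with no pinned commit, which is probably not what a release image should ship. At minimum turn the comment into a docstring that states this, `"Return the commit of the GUIX package, or #f if it is not recorded."`, and consider handling `#f` explicitly at the call site. If this is the same helper that the gnu/system/install.scm change introduced, sharing one definition would keep the two from drifting apart.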
@@ -123,7 +137,14 @@ root ALL=(ALL) ALL
                      (guix-service-type config =>
                                         (guix-configuration
                                          (inherit config)
-                                         (guix (current-guix))))))))
+                                         (guix
+                                          (let ((guix (current-guix)))
+                                            (package
+                                              (inherit guix)
+                                              ;; Do not leak the local 
checkout URL.
+                                              (source (channel
+                                                        (inherit 
%default-guix-channel)
+                                                        (commit 
(guix-package-commit guix)))))))))))))
 
   ;; Allow resolution of '.local' host names with mDNS.
   (name-service-switch %mdns-host-lookup-nss))
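Review bot: The new `source` field pairs a commit taken from `(current-guix)` with the URL of `%default-guix-channel`, and nothing checks that the commit is reachable from that URL. When the image is built from a local checkout that carries unpushed commits, the resulting channel would presumably name a commit the default repository does not have. The inline comment should record that assumption, for example `;; Do not leak the local checkout URL; the commit is assumed to exist in %default-guix-channel.` The enclosing `operating-system` form begins before this hunk.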
