We are happy to announce GNU Guile release 2.2.1, the first bug-fix release in the new 2.2 stable release series.
This release adds a "sandbox" facility that can run code from untrusted users. It also includes a compiler and runtime change that ensures that attempts to mutate literal constants will always throw an exception. Before this change, the mutation would either succeed, potentially corrupting further use of that constant or other constants sharing structure with it, or cause a segmentation fault if that data happened to be mapped read-only. See the NEWS excerpt that follows for full details. * * * Guile is an implementation of the Scheme programming language. The Guile web page is located at https://gnu.org/software/guile/, and among other things, it contains a copy of the Guile manual and pointers to more resources. Guile can run interactively, as a script interpreter, and as a Scheme compiler to VM bytecode. It is also packaged as a library so that applications can easily incorporate a complete Scheme interpreter/VM. An application can use Guile as an extension language, a clean and powerful configuration language, or as multi-purpose "glue" to connect primitives provided by the application. It is easy to call Scheme code >From C code and vice versa. Applications can add new functions, data types, control structures, and even syntax to Guile, to create a domain-specific language tailored to the task at hand. Guile implements many common Scheme standards, including R5RS, R6RS, and a number of SRFIs. In addition, Guile includes its own module system, full access to POSIX system calls, networking support, multiple threads, dynamic linking, a foreign function call interface, and powerful string processing. Guile 2.2.1 can be installed in parallel with Guile 2.0.x; see https://www.gnu.org/software/guile/manual/html_node/Parallel-Installations.html. * * * Changes in 2.2.1 (since 2.2.0): * Notable changes ** New sandboxed evaluation facility Guile now has a way to execute untrusted code in a safe way. See "Sandboxed Evaluation" in the manual for full details, including some important notes on limitations on the sandbox's ability to prevent resource exhaustion. ** All literal constants are read-only According to the Scheme language definition, it is an error to attempt to mutate a "constant literal". A constant literal is data that is a literal quoted part of a program. For example, all of these are errors: (set-car! '(1 . 2) 42) (append! '(1 2 3) '(4 5 6)) (vector-set! '#(a b c) 1 'B) Guile takes advantage of this provision of Scheme to deduplicate shared structure in constant literals within a compilation unit, and to allocate constant data directly in the compiled object file. If the data needs no relocation at run-time, as is the case for pairs or vectors that only contain immediate values, then the data can actually be shared between different Guile processes, using the operating system's virtual memory facilities. However, in Guile 2.2.0, constants that needed relocation were actually mutable -- though (vector-set! '#(a b c) 1 'B) was an error, Guile wouldn't actually cause an exception to be raised, silently allowing the mutation. This could affect future users of this constant, or indeed of any constant in the compilation unit that shared structure with the original vector. Additionally, attempting to mutate constant literals mapped in the read-only section of files would actually cause a segmentation fault, as the operating system prohibits writes to read-only memory. "Don't do that" isn't a very nice solution :) Both of these problems have been fixed. Any attempt to mutate a constant literal will now raise an exception, whether the constant needs relocation or not. ** Syntax objects are now a distinct type It used to be that syntax objects were represented as a tagged vector. These values could be forged by users to break scoping abstractions, preventing the implementation of sandboxing facilities in Guile. We are as embarrassed about the previous situation as we pleased are about the fact that we've fixed it. Unfortunately, during the 2.2 stable series (or at least during part of it), we need to support files compiled with Guile 2.2.0. These files may contain macros that contain legacy syntax object constants. See the discussion of "allow-legacy-syntax-objects?" in "Syntax Transformer Helpers" in the manual for full details. * Bug fixes *** Fix snarfing with -ggdb3 (#25803) *** Fix spurious snarf warnings for net_db.c *** Output statprof flat display to correct port *** Document guile-2.2 cond-expand feature *** Add --with-bdw-gc for BSDs that use bdw-gc-threaded (see README) *** Documentation typo fixes (#26188) *** Fix SRFI-9 date->string bugs with ~N and ~F (#26261, #26260, #26259) *** SRFI-19 current-time-monotonic returns time of right type (#26329) *** Avoid causing GC when looking up exception handler *** Increment objcode version, in a compatible way *** Fix compile warning in (system base types) *** Only run tests that require fork if it is provided *** Speed up procedure-minimum-arity for fixed arity *** REPL server tests catch ECONNABORTED *** Avoid deprecated argument to setvbuf in (web client) *** Remove non-existent 'open-connection-for-uri' export from (web client) * * * Here are the compressed sources: https://ftp.gnu.org/gnu/guile/guile-2.2.1.tar.gz (18MB) https://ftp.gnu.org/gnu/guile/guile-2.2.1.tar.xz (10MB) https://ftp.gnu.org/gnu/guile/guile-2.2.1.tar.lz (9MB) Here are the GPG detached signatures[*]: https://ftp.gnu.org/gnu/guile/guile-2.2.1.tar.gz.sig https://ftp.gnu.org/gnu/guile/guile-2.2.1.tar.xz.sig https://ftp.gnu.org/gnu/guile/guile-2.2.1.tar.lz.sig Use a mirror for higher download bandwidth: https://www.gnu.org/order/ftp.html Here are the SHA256 checksums: f004b2a5e98017df80cd419773f12a77cfc7ba6069195f97d6702e3d6e487a14 guile-2.2.1.tar.gz f21512374a6d553ec45fd6b09c73dd1ddce93315621f3856e72efa9aab811a66 guile-2.2.1.tar.xz 878d9aff3524895ee8161d72577bbfd704cd54486814b764ad272ca0f19d9c36 guile-2.2.1.tar.lz [*] Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this: gpg --verify guile-2.2.1.tar.gz.sig If that command fails because you don't have the required public key, then run this command to import it: gpg --keyserver keys.gnupg.net --recv-keys FF478FB264DE32EC296725A3DDC0F5358812F8F2 and rerun the 'gpg --verify' command. This release was bootstrapped with the following tools: Autoconf 2.69 Automake 1.15 Libtool 2.4.6 Gnulib v0.1-1157-gb03f418 Makeinfo 6.3 Thanks Sergei Trofimovich, Dale Smith, Freja Nordsiek, Matt Wette, Andrew Moss, and Michael Gran, who all contributed to this release. Happy hacking with Guile, Andy, Ludovic, and Mark -- If you have a working or partly working program that you'd like to offer to the GNU project as a GNU package, see https://www.gnu.org/help/evaluation.html.