Re: 02/02: gnu: libzip: Update to 1.3.0 (fixes CVE-2017-14107).

2017-09-14 Thread Mark H Weaver
Hi Efraim,

efr...@flashner.co.il (Efraim Flashner) writes:

> efraim pushed a commit to branch master
> in repository guix.
>
> commit 98df3a88b5e323087db6097094f119fa4663f6d3
> Author: Efraim Flashner 
> Date:   Wed Sep 6 14:19:50 2017 +0300
>
> gnu: libzip: Update to 1.3.0 (fixes CVE-2017-14107).

Unfortunately, this new version of libzip fails its test suite on both
armhf and i686, whereas the previous version (1.2.0) passed on all
hydra-supported platforms:

  https://hydra.gnu.org/build/2256187
  https://hydra.gnu.org/build/2255715
  https://hydra.gnu.org/job/gnu/master/libzip-1.2.0.armhf-linux
  https://hydra.gnu.org/job/gnu/master/libzip-1.2.0.i686-linux

Could you take a look?

   Mark



Re: [WIP][PATCH] download: Don't report the progress too fast

2017-09-14 Thread 宋文武
l...@gnu.org (Ludovic Courtès) writes:

> [...]
>> Date: Fri, 8 Sep 2017 22:49:03 +0800
>> Subject: [PATCH] download: Report the progress asynchronously in another
>>  thread.
>>
>> * guix/utils.scm (): New record type.
>> (call-with-progress-reporter): New procedure.
>> * guix/build/download.scm (dump-port*, progress-reporter/file): New
>> procedures.
>> (ftp-fetch, http-fetch): Use them.
>> (progress-proc): Remove procedure.
>> * guix/scripts/substitute.scm (progress-report-port): Rewrite in terms of
>> .
>> (process-substitution): Adjust accordingly.
>
> Impressive!
>
> I have a couple of concerns though:
>
>   1. Using a thread “just” for progress reporting seems quite
>  heavyweight, though maybe that’s OK.

Yes..
>
>   2. As per POSIX, we cannot mix ‘fork’ and threads, so programs that
>  use ‘primitive-fork’ should not also use threads.  One such program
>  is (guix scripts substitute), via ‘decompressed-port’.  Guile
>  rightfully emits a warning when a multithreaded program calls
>  ‘primitive-fork’:
>
>https://git.savannah.gnu.org/cgit/guile.git/tree/libguile/posix.c#n1224

Oh, thanks for pointing it out!
>
>3. “Atomic boxes” are a Guile 2.2 feature, but we still support 2.0.
>
> To address these, I would use ‘abort-to-prompt’ & co., possibly with
> “suspendable ports”, but this is a 2.2 feature.  (It may be that we
> should use Fibers directly.)

Sure, I’d like to try Fibers.  When can we drop support for Guile
2.0?  (I guess one sign is that 2.2 is in Debian stable.)

>
> Tricky!  Not sure what to do here.
>
> Thoughts?

How about replacing the use of a thread in ‘progress-reporter/file’ with a
‘rate-limited’ render procedure, and then changing the elapsed time to an
ETA, which is okay without updating every second?
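The thread-free approach suggested above, as an added example (not code from the patch or from Guix): a ‘rate-limited’ wrapper that throttles the render procedure from inside the copy loop itself, with an ETA computed from the observed transfer rate. The names `rate-limited`, `eta`, `render-progress` and `dump-port/progress` are assumed for the illustration.

```scheme
(use-modules (ice-9 format) (ice-9 binary-ports) (rnrs bytevectors))
;; Wall-clock time in seconds, as a real number.
(define (now) (let ((t (gettimeofday))) (+ (car t) (/ (cdr t) 1e6))))

;; Wrap RENDER so it runs at most once every INTERVAL seconds.  The wrapper
;; takes a leading FORCE? flag (#t bypasses the limit, for the final update)
;; followed by RENDER's own arguments.  No thread is involved: the copy loop
;; itself decides when to call it, so later calls to 'primitive-fork' are safe.
(define (rate-limited render interval)
  (let ((last -inf.0))
    (lambda (force? . args)
      (let ((t (now)))
        (when (or force? (>= (- t last) interval))
          (set! last t)
          (apply render args))))))

;; Seconds remaining for TRANSFERRED of TOTAL bytes after ELAPSED seconds,
;; or #f while no rate can be computed yet.
(define (eta transferred total elapsed)
  (and (> transferred 0) (> elapsed 0)
       (/ (- total transferred) (/ transferred elapsed))))

;; Write one progress line (percentage and ETA) to PORT.
(define (render-progress port transferred total start)
  (let ((remaining (eta transferred total (- (now) start)))
        (percent   (if (> total 0) (* 100.0 (/ transferred total)) 0.0)))
    (format port "\r~5,1f% ~a" percent
            (if remaining
                (format #f "ETA ~ds" (inexact->exact (round remaining)))
                "ETA --"))
    (force-output port)))

;; Copy IN to OUT in 64 KiB chunks, reporting progress from the loop itself;
;; TOTAL is the expected size in bytes.  Returns the number of bytes copied.
(define (dump-port/progress in out total)
  (let* ((start  (now))
         (report (rate-limited
                  (lambda (n) (render-progress (current-error-port) n total start))
                  1))
         (buffer (make-bytevector 65536)))
    (let loop ((transferred 0))
      (let ((n (get-bytevector-n! in buffer 0 (bytevector-length buffer))))
        (if (eof-object? n)
            (begin (report #t transferred) (newline (current-error-port)) transferred)
            (begin (put-bytevector out buffer 0 n)
                   (report #f (+ transferred n))
                   (loop (+ transferred n))))))))
;; Example run on constructed input: copy 1 MiB of zeros to a void port.
(dump-port/progress (open-bytevector-input-port (make-bytevector 1048576 0))
                    (%make-void-port "w") 1048576)
```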




File permissions on git fetched packages.

2017-09-14 Thread Mathieu Othacehe

Hi Guix,

I'm trying to package a specific version of libgit2, fetched from a git
repo. I noticed that when it is cloned into /gnu/store/xxx-git-checkout, all
files have 444 permissions, because /gnu/store is mounted read-only I guess.

The problem is that when /gnu/store/xxx-git-checkout/tests/resources/ is
copied to /tmp and the tests are run, they fail when trying to write to
read-only files.

Any idea on how to overcome this issue and preserve file permissions on
git-fetched packages?

Thanks,

Mathieu