bug#65832: [PATCH] guix: shell: Don't whitelist / by typo in `shell-authorized-directories'.

2023-09-08 Thread Janneke Nieuwenhuizen
Janneke Nieuwenhuizen writes:

Hi!

> Title says it all...

[..]

After discussing with the security team, pushed to master as

1ef4974be94d75d935d98399dcda44199a1fca47

Greetings,
Janneke

-- 
Janneke Nieuwenhuizen   | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com





bug#65832: [PATCH] guix: shell: Don't whitelist / by typo in `shell-authorized-directories'.

2023-09-08 Thread Janneke Nieuwenhuizen
Title says it all...

So, I've started using direnv with envrc.el, really great!

...which meant that on top of `guix shell' pestering me with its
shell-authorized-directories, I had to also type `direnv allow' all day.

Anyway, I found that direnv has a whitelist, prefix even; so I looked
into what guix shell might have and found that using

--8<---cut here---start->8---
echo '-allow-all-' > ~/.config/guix/shell-authorized-directories
--8<---cut here---end--->8---

acts like an undocumented whitelist prefix for /.

Find a fix attached.

Greetings,
Janneke

>From 5b7af1342f4f0d91df9de960877889d40b8c5d64 Mon Sep 17 00:00:00 2001
Message-ID: <5b7af1342f4f0d91df9de960877889d40b8c5d64.1694206063.git.jann...@gnu.org>
From: Janneke Nieuwenhuizen 
Date: Wed, 6 Sep 2023 10:52:17 +0200
Subject: [PATCH] guix: shell: Don't whitelist / by typo in
 `shell-authorized-directories'.

Fixes 

* guix/scripts/shell.scm (authorized-shell-directory?): After warning,
continue LOOP to return valid query result for DIRECTORY.
---
 guix/scripts/shell.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/guix/scripts/shell.scm b/guix/scripts/shell.scm
index d67152cef7..83888eee1d 100644
--- a/guix/scripts/shell.scm
+++ b/guix/scripts/shell.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2021-2023 Ludovic Courtès 
+;;; Copyright © 2023 Janneke Nieuwenhuizen 
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -232,7 +233,8 @@ (define (authorized-shell-directory? directory)
(port-line port)
(port-column port
 (warning loc (G_ "ignoring invalid file name: '~a'~%")
- line))
+ line)
+(loop))
 (const #f)))
 
 (define (options-with-caching opts)
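Review bot: No regression test accompanies the `(loop))` fix in `authorized-shell-directory?`; the diffstat shows only guix/scripts/shell.scm changed. Since the invalid-line branch previously ended on the `warning` call and its return value became the answer for DIRECTORY, please add a test that puts an invalid entry such as the `-allow-all-` from the report into the authorized-directories file and checks that an unlisted directory is still refused. A one-line comment above `(loop))` saying that this branch must not end on `warning` would also keep a later edit from reintroducing the problem.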

base-commit: 4dd33fc62899134606f36f92594cf160b972f685
-- 
2.41.0


-- 
Janneke Nieuwenhuizen   | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
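
The report above shows that one malformed line in the authorized-directories file was enough to authorize every directory before the fix. As an added example (not part of the original message or of Guix), this POSIX shell function audits that file for such lines; the rule for valid lines (blank, `#` comment, or leading `/`) and the names `audit_authorized_dirs` and `demo` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a shell-authorized-directories file for entries that
# are not plain directory names.  Assumption (not stated on the page): a
# valid line is blank, starts with '#' (comment) or starts with '/'
# (absolute file name); anything else is the kind of line the patched code
# reports as "ignoring invalid file name".

# audit_authorized_dirs [FILE]
# Prints "FILE:LINE: TEXT" for every invalid entry.
# Returns 0 if the file is clean or absent, 1 if any invalid entry exists.
audit_authorized_dirs() {
    file=${1:-"$HOME/.config/guix/shell-authorized-directories"}
    [ -e "$file" ] || return 0          # no file: nothing is authorized
    awk -v name="$file" '
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)   # trim surrounding blanks
        }
        line == ""   { next }                   # blank line
        line ~ /^#/  { next }                   # comment
        line ~ /^\// { next }                   # absolute file name
        {
            printf "%s:%d: %s\n", name, NR, line
            bad = 1
        }
        END { exit bad }
    ' "$file"
}

# Constructed sample input, including the entry from the report.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# projects I trust' '/home/alice/src/guix' '' \
        '-allow-all-' > "$tmp"
    audit_authorized_dirs "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}
```

A non-zero return on a machine that has not yet picked up the fix means `guix shell` is treating every directory as authorized until the flagged line is removed.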


bug#65740: No fallback to SWH for .guix-channel dependencies

2023-09-08 Thread Ludovic Courtès
Hi,

Simon Tournier writes:

> The main reason is because the channel bimsb contains the file
> .guix-channel which reads,
>
> (channel
>  (version 0)
>  (dependencies
>   (channel
>    (name guix-past)
>    (url "https://gitlab.inria.fr/guix-hpc/guix-past"))
>   (channel
>    (name guix-science)
>    (url "https://github.com/guix-science/guix-science.git"))))
>
> And Guix is not able to fallback to SWH for these channels.

Yes, but that’s expected: we’re not specifying any commit, only the URL,
so there cannot be any sort of fallback.

> Corollary, even if it was able, what is the correct revision of
> the guix-past or guix-science channels?
>
> This report is about two bugs:
>
>  1. transparent fallback to SWH for .guix-channel dependencies
>
>  2. pin all channels when running “guix describe”, even the ones from
>     .guix-channel dependencies.

#1 happens, but only when channels are pinned (returned by ‘guix
describe’).

Re #2, I don’t think there’s such a bug, is there?  In the example
below, ‘guix describe’ shows 4 channels (including dependencies), not 2:

--8<---cut here---start->8---
$ ./pre-inst-env guix time-machine -C <(echo '(cons (channel (name (quote bimsb)) (url "https://github.com/BIMSBbioinfo/guix-bimsb.git")) %default-channels)') -- describe -f channels

[...]

(list (channel
        (name 'guix)
        (url "https://git.savannah.gnu.org/git/guix.git")
        (branch "master")
        (commit
          "4dd33fc62899134606f36f92594cf160b972f685")
        (introduction
          (make-channel-introduction
            "9edb3f66fd807b096b48283debdcddccfea34bad"
            (openpgp-fingerprint
              "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA"))))
      (channel
        (name 'bimsb)
        (url "https://github.com/BIMSBbioinfo/guix-bimsb.git")
        (branch "master")
        (commit
          "240a599f77dab7dcb8d2ed091b90056e58a46c51"))
      (channel
        (name 'guix-science)
        (url "https://github.com/guix-science/guix-science.git")
        (branch "master")
        (commit
          "1ad5192cff0d7b34a2f74592c6896f901d1c9ccd"))
      (channel
        (name 'guix-past)
        (url "https://gitlab.inria.fr/guix-hpc/guix-past")
        (branch "master")
        (commit
          "1e25b23faa6b1716deaf7e1782becb5da6855942")))
--8<---cut here---end--->8---

Thanks,
Ludo’.





bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor

2023-09-08 Thread Ludovic Courtès
Hello!

Ricardo Wurmus writes:

> I don’t know.  I’m on holidays now, but I’ve opened yet another ticket
> to get a definitive answer to my more elaborate variant of “WTF?”.

Did you eventually get feedback from them?

If not, we can start looking for a way to move public-facing services
elsewhere.  (It may not be trivial because bayfront, which is the other
node we’ve traditionally used for that, is super busy these days.)

Thanks again for your support…

Ludo’.





bug#62784: drascula, lure, lure-de, lure-es, lure-fr, lure-it, sky: non-commercial license

2023-09-08 Thread Liliana Marie Prikler
On Wednesday, 12.04.2023 at 11:35 +0200, Liliana Marie Prikler wrote:
> Hi Denis,
> 
> [...] We have been aware of this for about half a year now (see the
> thread in guix-devel following [1]), but as other FSDG-abiding
> distributions still include these games (or at least did back then)
> we postponed their removal.

We now ship none of these games as well as a fully bootstrapped
scummvm-based game.  This ought to make everyone happy.

Cheers





bug#65720: Guile-Git-managed checkouts grow way too much

2023-09-08 Thread Ludovic Courtès
Hi!

Simon Tournier writes:

> On Tue, 05 Sep 2023 at 16:18, Ludovic Courtès wrote:
>
>> It would also be pretty bad for closure size:
>>
>> --8<---cut here---start->8---
>> $ guix size guile-git | tail -1
>> total: 106.6 MiB
>> $ guix size guile-git git-minimal | tail -1
>> total: 169.8 MiB
>> --8<---cut here---end--->8---
>>
>> It’s also not clear concretely how we’d add that dependency.  Try
>> invoking ‘git’ from $PATH and print a warning if it doesn’t work?
>> But then, what about applications like Cuirass and hpcguix-web?
>
> I think we can rely on something like,
>
> guix shell -C git-minimal -- git gc

We’re talking about the implementation of a cache (meant to speed up
operations), that would actually fill said cache plus do a whole bunch
of expensive operations?  Nah.  :-)

Ludo’.





bug#65720: Guile-Git-managed checkouts grow way too much

2023-09-08 Thread Ludovic Courtès
Hello!

Josselin Poiret writes:

> Right, although I wouldn't necessarily say that the former doesn't have
> a proper API, but rather that it has a Unix-oriented API.  That leads to
> performance issues on e.g. Windows but on Linux I'm not sure there's
> much of a difference.

[...]

> We could consider replacing the guile-git dependency with another
> library built directly on top of git-minimal, and have this be a
> dependency of Guix.  Not ideal though, and not really scalable either:
> we can't just add every VCS as direct dependencies.

I cannot imagine a viable implementation of things like ‘commit-closure’
and ‘commit-relation’ from (guix git) done by shelling out to ‘git’.
I’m quite confident this would be slow and brittle.

It looks like there’s no option other than carrying the two
implementations.

~~~

Years ago, Andy Wingo sketched a plan for GNU hackers to implement Git
in pure Scheme.  That was on April 1st though, so people mistakenly
assumed it was a joke and the project was never carried out.

I digress, but I wonder: is there not even a viable Haskell or OCaml
implementation of Git?

Thanks,
Ludo’.





bug#65306: [shepherd] ntpd throws shepherd out of the loop

2023-09-08 Thread Ludovic Courtès
Timotej Lazar writes:

> Ludovic Courtès [2023-09-02 22:44:03+0200]:
>> Liliana, Timotej: could you try the Guix patch I posted at
>> ?
>
> That patch works for my aarch64 board. I encounter the same issue on an
> x86_64 system without a functional RTC, but at least now I know how to
> apply a workaround. Thanks!

Right.  I’ve committed a variant of this patch (will push shortly).

Thanks for testing!

Ludo’.





bug#65769: greetd-wlgreet-sway-session result is blinking cursor

2023-09-08 Thread paren--- via Bug reports for GNU Guix
chris writes:
> I support any conclusion from Josselin and unmatched-paren and want to add 
> these observations,
>  * wlgreet *does require* the greeter lock file
>  * wlgreet *does not require* elogind/logind 
>  * not-advanced users like me may want to use wlgreet without elogind

I'm not using elogind, either; just seatd.  And yet it works still...

  -- (





bug#65769: greetd-wlgreet-sway-session result is blinking cursor

2023-09-08 Thread chris
Josselin sent this message intended for the thread and I think they are okay 
with re-pasting here,

> Usually elogind is responsible (through a PAM module) for creating this 
> runtime directory.  If you're not using elogind, you'll need to create this 
> directory yourself somehow.  I don't really think this is a bug per-se, as 
> running without elogind is advanced stuff and its consequences should be 
> understood by the user.

I support any conclusion from Josselin and unmatched-paren and want to add 
these observations,
 * wlgreet *does require* the greeter lock file
 * wlgreet *does not require* elogind/logind 
 * not-advanced users like me may want to use wlgreet without elogind





bug#65769: greetd-wlgreet-sway-session result is blinking cursor

2023-09-08 Thread paren--- via Bug reports for GNU Guix
chris writes:
>> The greeter works after creating /run/user/986/wayland-1.lock and changing
>> the owner of /run/user/986 and /run/user/986/wayland-1.lock to "greeter".

wut.  I don't remember ever having to do anything like that...

> My system config is here
>
>   
> https://raw.githubusercontent.com/iambumblehead/guix-home/main/guix.system.scm

Thanks!  Now I know it's not malconfiguration; your config is
essentially the same as mine.






bug#63726: time-machine without options does not get the latest commit

2023-09-08 Thread Ludovic Courtès
Simon Tournier writes:

> On Thu, 25 May 2023 at 23:03, Ludovic Courtès wrote:
>
>>> Now, what I am missing.  The manual says:
>>>
>>>    As for ‘guix pull’, the absence of any options means that the latest
>>> commit on the master branch will be used.  The command
>>>
>>>      guix time-machine -- build hello
>>>
>>>    will thus build the package ‘hello’ as defined in the master branch,
>>> which is in general a newer revision of Guix than you have installed.
>>> Time travel works in both directions!
>
> [...]
>
>> Should we fix the doc or should we fix the code?…
>
> All seems fixed so let's close it?

Yes, done!





bug#65769: greetd-wlgreet-sway-session result is blinking cursor

2023-09-08 Thread chris
On Fri, Sep 08, ( wrote:
> I believe that may have been moi :)  This is really odd.  I seem to be
> the only person who has ever managed to make it work (though there's a
> bit of a reporting bias there in that people who do manage probably
> won't bring it up...)
> 
> It would be great if anyone trying to use it could possibly reply here
> with a link, attachment, or copy of the config.scm they use (whether
> it's working for them or not; both are useful.)
> 
> I'll start:
> 
>   https://git.sr.ht/~unmatched-paren/conf/tree/root/item/system.scm
> 
>   -- (

Thanks for replying to my issue :)

A "solution" is discussed earlier in the thread 
https://issues.guix.gnu.org/65769#4

> The greeter works after creating /run/user/986/wayland-1.lock and changing 
> the owner of /run/user/986 and /run/user/986/wayland-1.lock to "greeter".

My system config is here

  https://raw.githubusercontent.com/iambumblehead/guix-home/main/guix.system.scm





bug#65769: greetd-wlgreet-sway-session result is blinking cursor

2023-09-08 Thread paren--- via Bug reports for GNU Guix
chris writes:
> In IRC, I messaged the user who created greetd-wlgreet-sway-session and it
> seems other users have encountered the blinking cursor and no one knows of a
> solution. If possible, I would like help troubleshoot and resolve the issue.

I believe that may have been moi :)  This is really odd.  I seem to be
the only person who has ever managed to make it work (though there's a
bit of a reporting bias there in that people who do manage probably
won't bring it up...)

It would be great if anyone trying to use it could possibly reply here
with a link, attachment, or copy of the config.scm they use (whether
it's working for them or not; both are useful.)

I'll start:

  https://git.sr.ht/~unmatched-paren/conf/tree/root/item/system.scm

  -- (